Password Management Strategies for Online Accounts
Gaw & Felten
Optional Reading

Background
- Users are often the enemy: non-compliance with password practices occurs and undermines the system
- The paper studies broad password practices
- Proliferation of website logins
- Quantifies and surveys the factors relating to password reuse

Related Work
- Some papers have tried to address the problem of poor password practices
- Some have suggested graphical passwords, i.e. pictures or points in an image
- Others have looked at password hashing schemes with a 'master' password

Study Details, 1
- Users were asked to evaluate their likelihood of attack from different groups
- How did users justify subverting password policy?
- This study collected information based on login attempts to websites; participants were then asked how many passwords they used

Study Details, 2
- First pass: participants were prompted with a list of sites by category
  - Record whether they have an account
  - If yes, 90 seconds to log in to the website
  - Success = write down the password; failure = user explains why
- Recorded: number of passwords collected, number of unique passwords, the size of classes of similar passwords, number of password repetitions, and number of passwords with related meanings

Study Details, 3
- The second pass was open, with no list
- Record all other sites for which you use a password
- Aggregate these statistics with those from the first pass

Results and Discussion
- Participants forgot the password or the username, but not usually both
- Even though they had a relatively small number of accounts (7-14), reuse still occurred
- As the number of accounts grows, reuse frequency increases

User Priority and Password Justification, 1
- Sites use login information for different things: e-commerce vs. New York Times.com
- Varying levels of usage confuse users; they perceive little benefit
- Number one reason for password reuse: "It will be easier for me to remember"

User Priority and Password Justification, 2
- Sites were also categorized by users, i.e. message boards vs. banking, for strength and reuse
- Students were motivated toward uniqueness when concerned with financial information and personal correspondence

Password Storage
- Memory was the number one storage tool
- Some users used cookies, i.e. "remember me"
- Others used the embedded features of their browser to remember their passwords
- Still, these methods were far down the list in favor of memory

Who Will Attack?
- Participants were asked to rank attackers in terms of ability, then in terms of motivation, then in terms of both
- One group felt that a non-affiliated person would have the most to gain, hence being the likely attacker
- Others felt that those close to them had the interest and the access, and hence would more likely be an attacker

Strength of Passwords
- If those closest to us are most able to crack our passwords, then this should influence what users perceive as a strong password
- By asking users to rank the security of 3 different passwords, the authors attempted to understand user perception of security
- This led to the realization that most participants envisioned a human attacker using a guess-and-check methodology

Conclusions
- Many password management tools do not facilitate the user's main tool: memory
- Instead of just filling in the user's password, management tools could display it against a low-contrast background until the user learns it; then it can be turned off
- Also, websites can use challenge-response for password recovery instead of email

Conclusions, 2
- Users misunderstand the nature of attacks and attackers
- Explaining dictionary attacks in password-strengthening tips helps
- Existing tools are not equipped to deal with the problem of password reuse
- Users will most likely be able to adopt tools to aid them in password management
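The study's per-participant statistics (passwords collected, unique passwords, classes of similar passwords, repetitions) and the aggregation of the open second pass with the first pass can be made concrete with a small script. The following is an added example, not code from Gaw & Felten or their study; the records are constructed, and the rule used to group "similar" passwords (same root after lowercasing and stripping a trailing run of digits, underscores and punctuation) is an assumption made here, not the paper's definition.

```python
"""Reuse statistics of the kind the study recorded, computed over constructed data.

Added example; not code from Gaw & Felten. The rule for grouping
"similar" passwords (same root after lowercasing and stripping trailing
digits, underscores and punctuation) is an assumption made here.
"""
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample: one participant's (site, password) records from a first pass.
SAMPLE_RECORDS = [
    ("email", "Tigers2004"),
    ("bank", "Tigers2005"),
    ("forum", "tigers"),
    ("shop", "blue!sky"),
    ("news", "blue!sky"),
    ("library", "qwerty99"),
    ("photos", "Tigers2004"),
]

# Trailing run of digits, underscores and non-word characters: the assumed
# "suffix" a user varies between otherwise identical passwords.
_SUFFIX_RE = re.compile(r"[\d\W_]+$")


def root_of(password):
    """Assumed similarity key: lowercase password with its trailing suffix removed."""
    stripped = _SUFFIX_RE.sub("", password)
    return (stripped or password).lower()


def reuse_metrics(records):
    """Counts analogous to those the study recorded per participant.

    accounts         - number of passwords collected
    unique_passwords - number of distinct passwords
    repetitions      - accounts covered by an already-seen password
    similar_classes  - groups of distinct passwords sharing an assumed root
    reuse_rate       - repetitions / accounts
    """
    passwords = [pw for _, pw in records]
    exact = Counter(passwords)
    classes = defaultdict(set)
    for pw in exact:
        classes[root_of(pw)].add(pw)
    accounts = len(passwords)
    unique = len(exact)
    return {
        "accounts": accounts,
        "unique_passwords": unique,
        "repetitions": accounts - unique,
        "similar_classes": {r: sorted(c) for r, c in classes.items() if len(c) > 1},
        "reuse_rate": (accounts - unique) / accounts if accounts else 0.0,
    }


def merge_passes(first_pass, second_pass):
    """Aggregate the open second pass with the first pass, dropping sites already listed."""
    seen = {site for site, _ in first_pass}
    extra = [(site, pw) for site, pw in second_pass if site not in seen]
    return list(first_pass) + extra


def reuse_rate_by_account_count(participants):
    """Mean reuse rate per account-count bucket across several participants' record lists."""
    buckets = defaultdict(list)
    for records in participants:
        m = reuse_metrics(records)
        buckets[m["accounts"]].append(m["reuse_rate"])
    return {n: mean(rates) for n, rates in sorted(buckets.items())}


if __name__ == "__main__":
    # Constructed open-pass answers; "email" duplicates a first-pass site and is dropped.
    second_pass = [("wiki", "tigers"), ("email", "Tigers2004")]
    merged = merge_passes(SAMPLE_RECORDS, second_pass)
    for key, value in reuse_metrics(merged).items():
        print(f"{key}: {value}")
```

The similarity rule is deliberately crude: it catches the "Tigers2004 / Tigers2005 / tigers" pattern but treats "blue!sky" as its own root because its trailing character is a letter. Any real analysis would need to state its own similarity criterion as explicitly as this one does, since the "classes of similar passwords" count depends entirely on it.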