Design and Evaluation of a Data-Driven Password Meter

Ur, Blase; Alfieri, Felicia; Aung, Maung; Bauer, Lujo; Christin, Nicolas; Colnago, Jessica; Cranor, Lorrie Faith; Dixon, Henry; Naeini, Pardis Emami; Habib, Hana; Johnson, Nicholas R.; Melicher, William

doi:10.1145/3025453.3026050

Cited by 102 publications

(105 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The findings align with other recent work in the domain, most notably a study from Segreti et al (2017) that present adaptive password creation policies that can dynamically change the requirements over time and a study from Ur et al (2017), with a password meter offering real-time feedback and advice to help users refine their password choices. As with Experiment 2, the principle here is not to just indicate that a password is weak, but to explain why and (importantly) what to do in order to improve it.…”

Section: Findings and Implicationssupporting

confidence: 88%

Enhancing security behaviour by supporting the user

Furnell

Khern-am-nuai

Esmael

et al. 2018

Computers & Security

View full text Add to dashboard Cite

Although the role of users in maintaining security is regularly emphasized, this is often not matched by an accompanying level of support. Indeed, users are frequently given insufficient guidance to enable effective security choices and decisions, which can lead to perceived bad behaviour as a consequence. This paper discusses the forms of support that are possible, and seeks to investigate the effect of doing so in practice. Specifically, it presents findings from two experimental studies that investigate how variations in password meter usage and feedback can positively affect the resulting password choices. The first experiment examines the difference between passwords selected by unguided users versus those receiving guidance and alternative forms of feedback (ranging from a traditional password meter through to an emoji-based approach). The findings reveal a 30% drop in weak password choices between unguided and guided usage, with the varying meters then delivering up to 10% further improvement. The second experiment then considers variations in the form of feedback message that users may receive in addition to a meter-based rating. It is shown that by providing richer information (e.g. based upon the time required to crack a password, its relative ranking against other choices, or the probability of it being cracked), users are more motivated towards making strong choices and changing initially weak ones. While the specifics of the experimental findings were focused upon passwords, the discussion also considers the benefits that may be gained by applying the same principles of nudging and guidance to other areas of security in which users are often found to have weak behaviours.

show abstract

Section: Findings and Implicationssupporting

confidence: 88%

Enhancing security behaviour by supporting the user

Furnell

Khern-am-nuai

Esmael

et al. 2018

Computers & Security

View full text Add to dashboard Cite

show abstract

“…This paucity of knowledge contrasts with the large and rich literature investigating the design of warnings and notifications about other security-critical tasks, including detecting phishing [11,53], TLS-protected browsing [2,15], malware [6,7], and two-factor authentication (2FA) [48]. Many studies have aimed to help users make better passwords [12,40,59] or measured the prevalence of password reuse [10,32,46,57]. This paper is the first to explore how to inform users about situations caused by password reuse and help them recover from the resultant consequences.…”

Section: Introductionmentioning

confidence: 99%

"What was that site doing with my Facebook password?"

Golla

Wei

Hainline

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Password reuse is widespread, so a breach of one provider's password database threatens accounts on other providers. When companies find stolen credentials on the black market and notice potential password reuse, they may require a password reset and send affected users a notification. Through two user studies, we provide insight into such notifications. In Study 1, 180 respondents saw one of six representative notifications used by companies in situations potentially involving password reuse. Respondents answered questions about their reactions and understanding of the situation. Notifications differed in the concern they elicited and intended actions they inspired. Concerningly, less than a third of respondents reported intentions to change any passwords. In Study 2, 588 respondents saw one of 15 variations on a model notification synthesizing results from Study 1. While the variations' impact differed in small ways, respondents' intended actions across all notifications would leave them vulnerable to future password-reuse attacks. We discuss best practices for password-reuse notifications and how notifications alone appear insufficient in solving password reuse.

show abstract

“…Password meters are helpful in this area but are not sufficient. Researchers have found that a data-driven meter with detailed feedback leads users to create more secure and, just as importantly, passwords that are equally memorable [23]. Furthermore, NIST's current publication requires that users who select a blacklisted password should be advised to select another one: 'If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret' [39].…”

Section: F E E D B a C Kmentioning

confidence: 99%

Using Gamification and Fear Appeal Instead of Password Strength Meters to Increase Password Entropy

Rodwald

2019

Scientific Journal of Polish Naval Academy

View full text Add to dashboard Cite

It is very common for users to create weak passwords. Currently, the majority of websites deploy password strength meters to provide timely feedback. These meters are in wide use and their effects on the security of passwords have been relatively well studied. In this paper another type of feedback is studied: a gamified approach supported by fear appeal. In this approach, users are encouraged to make passwords stronger through the use of visual and textual stories. This approach is supported by data-driven suggestions about how to improve password security as well as by fear appeal. To prove the effectiveness of this gamified password creation process, an experiment was performed in which users changed their passwords in two ways: without any feed-back, and with gamified feedback with fear appeal. To support the initial findings a questionnaire was completed by participants at the end of research.

show abstract

Design and Evaluation of a Data-Driven Password Meter

Cited by 102 publications

References 28 publications

Enhancing security behaviour by supporting the user

Enhancing security behaviour by supporting the user

"What was that site doing with my Facebook password?"

Using Gamification and Fear Appeal Instead of Password Strength Meters to Increase Password Entropy

Contact Info

Product

Resources

About