Forensically-Sound Analysis of Security Risks of Using Local Password Managers

Joshua, Gray; Franqueira, Virginia N. L.; Yu, Yijun

doi:10.1109/rew.2016.034

Cited by 9 publications

(3 citation statements)

References 11 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Password managers re-establish a reasonable balance between the security and usability of passwords, enjoying research attention [16,17,18,19]. Most of the existing research on password managers has focused on (1) technical aspects of these tools and mechanisms to improve their security and usability [16,17], (2) evaluating their security [18,19], or (3) designing for usability [20]. Less work has been carried out on password manager adoption.…”

Section: Related and Background Researchmentioning

confidence: 99%

Encouraging Password Manager Adoption by Meeting Adopter Self-Determination Needs

Alkaldi¹,

Renaud²

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Password managers are a potential solution to the password conundrum, but adoption is paltry. We investigated the impact of a recommender application that harnessed the tenets of self-determination theory to encourage adoption of password managers. This theory argues that meeting a person's autonomy, relatedness and competence needs will make them more likely to act. To test the power of meeting these needs, we conducted a factorial experiment, in the wild. We satisfied each of the three self-determination factors, and all individual combinations thereof, and observed short-term adoption of password managers. When all self-determination factors were satisfied, adoption was highest, while meeting only the autonomy or relatedness needs individually significantly improved the likelihood of adoption.

show abstract

Section: Related and Background Researchmentioning

confidence: 99%

Encouraging Password Manager Adoption by Meeting Adopter Self-Determination Needs

Alkaldi¹,

Renaud²

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…For example, in the context of social media incident investigations, Tun et al [22] identify three main requirements related to evidence collection: maintaining privacy, continuity, and integrity of digital evidence. Similarly, Gray et al [23] have proposed a technique to assess risks that local password managers can bring when maintaining integrity and authenticity of passwords. This technique could be applied to other sources of evidence to ensure integrity and authenticity of the data preserved proactively.…”

Section: Forensic Readiness Requirementsmentioning

confidence: 99%

Software Engineering Challenges for Investigating Cyber-Physical Incidents

Alrimawi¹,

Pasquale²,

Nuseibeh³

2017

2017 IEEE/ACM 3rd International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS)

View full text Add to dashboard Cite

Cyber-Physical Systems (CPS) are characterized by the interplay between digital and physical spaces. This characteristic has extended the attack surface that could be exploited by an offender to cause harm. An increasing number of cyber-physical incidents may occur depending on the configuration of the physical and digital spaces and their interplay. Traditional investigation processes are not adequate to investigate these incidents, as they may overlook the extended attack surface resulting from such interplay, leading to relevant evidence being missed and testing flawed hypotheses explaining the incidents. The software engineering research community can contribute to addressing this problem, by deploying existing formalisms to model digital and physical spaces, and using analysis techniques to reason about their interplay and evolution. In this paper, we use a motivating example to describe some emerging software engineering challenges to support investigations of cyberphysical incidents. We review and critique existing research proposed to address these challenges, and sketch an initial solution based on a meta-model to represent cyber-physical incidents and a representation of the topology of digital and physical spaces that supports reasoning about their interplay.

show abstract

“…The passwords stored by software managers are another form of ephemeral intelligence, where the master password in transient memory may be revealed by unexpected failure of the software system. To reduce the risk of exposing the master passwords, the in-memory plain text passwords should never last long [1]. Live forensic evidence could be combined with persistence storage in order to preserve them in the long run, while typically the storages are remote from the data generators.…”

Section: Live Forensics Versus Snap Forensicsmentioning

confidence: 99%

Snap forensics: a tradeoff between ephemeral intelligence and persistent evidence collection

Tun

2017

Proceedings of the 1st ACM SIGSOFT International Workshop on Software Engineering and Digital Forensics

Self Cite

View full text Add to dashboard Cite

Digital evidence needs to be made persistent so that it can be used later. For citizen forensics, sometimes intelligence cannot or should not be made persistent forever. In this position paper, we propose a form of snap forensics by defining an elastic duration of evidence/intelligence validity. Explicitly declaring such a duration could unify the treatment of both ephemeral intelligence and persistent evidence towards more flexible storage to satisfy privacy requirements. CCS CONCEPTS• Security and privacy → Privacy protections; KEYWORDS digital forensics, privacy requirements ACM Reference format:

show abstract

Forensically-Sound Analysis of Security Risks of Using Local Password Managers

Cited by 9 publications

References 11 publications

Encouraging Password Manager Adoption by Meeting Adopter Self-Determination Needs

Encouraging Password Manager Adoption by Meeting Adopter Self-Determination Needs

Software Engineering Challenges for Investigating Cyber-Physical Incidents

Snap forensics: a tradeoff between ephemeral intelligence and persistent evidence collection

Contact Info

Product

Resources

About