ABSTRACT
One of the most popular aids users adopt to reduce the pain of using passwords is the browser's autocomplete feature. This feature, which caches the username and password after obtaining the user's consent and later uses them for automatic completion, is available in all modern browsers, but the communication that asks the user for consent is implemented in different ways. In this paper, we report on user studies comparing active communication (a blocking dialog box) with passive communication (a non-intrusive toolbar). We found that a dialog box misled users into saving passwords on public computers. Conversely, no security problem was observed with passive communication. Our exploration provides empirical evidence for the risks of preferring active communication for password autocomplete and other similar interactions, and sheds light on many other aspects of password autocomplete.
Index Terms
- Johnny in internet café: user study and exploration of password autocomplete in web browsers