
YourPassword: applying feedback loops to improve security behavior of managing multiple passwords

Published: 04 June 2014

Abstract

Various mechanisms exist to secure users' passwords, yet users continue to struggle with the complexity of multiple password management. We explore the effectiveness of a feedback loop to improve users' password management. We introduce YourPassword, a web-based application that uses feedback to inform users about the security of their password behavior. YourPassword has two main components: a password behavior checker that converts password strengths into numerical scores and a dashboard interface that visualizes users' overall password behavior and provides visual feedback in real time. YourPassword not only provides a total score on all passwords, but also visualizes when passwords are too similar to each other. To test the efficacy of YourPassword, we conducted a between-subjects experiment and think-aloud test with 48 participants. Participants either had access to YourPassword, an existing commercial password checker, or no password tool (control condition). YourPassword helped participants improve their password behavior as compared with the commercial tool or no tool.
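As an added illustration of the two components the abstract describes (a checker that turns each password into a numerical score, and a view that flags passwords that are too similar to each other), here is a small Python checker. It is not the paper's code: the scoring rule (character-class entropy), the similarity measure (normalised Levenshtein distance), the 0.8 similarity threshold and the 20-point penalty per near-duplicate pair are all assumptions, and the password set is constructed.

```python
import math
from itertools import combinations

# Constructed sample standing in for one user's set of passwords (not from the paper).
SAMPLE_PASSWORDS = ["Summer2014!", "Summer2015!", "correct horse battery", "pass"]

def strength_score(pw: str) -> float:
    """Assumed scoring rule: bits of entropy from character-class pool size and length."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 33
    return 0.0 if pool == 0 else len(pw) * math.log2(pool)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """1.0 means identical, 0.0 means nothing shared (normalised edit distance)."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

def too_similar_pairs(passwords, threshold=0.8):
    """Pairs at or above the threshold: a leak of one effectively leaks the other."""
    return [(a, b) for a, b in combinations(passwords, 2) if similarity(a, b) >= threshold]

def behavior_report(passwords, threshold=0.8):
    """Per-password scores, flagged pairs, and a total that penalises each similar pair."""
    scores = {pw: round(strength_score(pw), 1) for pw in passwords}
    pairs = too_similar_pairs(passwords, threshold)
    total = sum(scores.values()) - 20.0 * len(pairs)  # assumed penalty per flagged pair
    return {"scores": scores, "similar_pairs": pairs, "total": round(total, 1)}

if __name__ == "__main__":
    print(behavior_report(SAMPLE_PASSWORDS))
```

The report is the kind of input a dashboard like the one described would render: the two "Summer" passwords score well individually but are flagged as a near-duplicate pair, which pulls the total down.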


Cited By

  • (2022) Hybrid password meters for more secure passwords: a comprehensive study of password meters including nudges and password information. Behaviour & Information Technology, 42(6):700-743. doi:10.1080/0144929X.2022.2042384. Online publication date: 1 Mar 2022.
  • (2019) Using Gamification to Improve Information Security Behavior: A Password Strength Experiment. Information Security Education. Education in Proactive Information Security, pp. 157-169. doi:10.1007/978-3-030-23451-5_12. Online publication date: 19 Jun 2019.
  • (2016) Blind Password Registration for Verifier-based PAKE. Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, pp. 39-48. doi:10.1145/2898420.2898424. Online publication date: 30 May 2016.

Published In

ASIA CCS '14: Proceedings of the 9th ACM symposium on Information, computer and communications security
June 2014
556 pages
ISBN:9781450328005
DOI:10.1145/2590296
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. authentication
  2. feedback loops
  3. password management

Qualifiers

  • Short-paper

Conference

ASIA CCS '14