160428 do users' perceptions of password security match reality?
TRANSCRIPT
Do Users’ Perceptions of Password Security Match Reality? / CHI 2016 / Blase Ur et al. / 유혜수 / 2016 Spring
2016-1 UX Lab meeting
Do Users’ Perceptions of Password Security Match Reality?
Seoul National University, Graduate School of Convergence Science and Technology, User Experience Lab, 유혜수
Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicholas Christin, Lorrie Faith Cranor
Why this paper
Password Hacking
What’s special about this paper
quantitative research
The predictability of user-chosen passwords has been widely documented, but little research has investigated users’ perceptions of password security
Security perception: think-aloud protocol (qualitative)
first study comparing users’ perceptions of the security of text passwords
Overview
Background
Research Question
Method
Conclusions
• users create predictable passwords BUT users don’t realize how predictable their passwords are
• 165-participant study of users’ perceptions of password security
• Security & memorability of passwords
• Strategies for password creation & management
• relationship between users’ perceptions of the strength of specific passwords and their actual strength
• misconceptions about the impact of basing passwords on common phrases and including digits and keyboard patterns in passwords
• design directions for helping users make better passwords
• characteristics of strong & weak passwords should be leveraged to help users create stronger passwords
Background
Measuring Password Strength
- The way people usually estimate password strength is the password meter provided to them
- These meters are heuristic-based
- Since they only consider the length of the text or the number of digits, the problem is that they do not measure the actual strength of the password
Accurate Password Strength Measurement: Guessability Metric
- Guess number: how many guesses a particular password-cracking approach, configured in a particular way, needs before it reaches the password
Prior Work
In this study,
Recruitment
Recruited on Amazon’s Mechanical Turk (mTurk) platform as a “research study about password security”
Limitations: • individuals’ technical skills • younger & more technical than the general population (considering the mTurk population)
165 individuals; gender balanced (51% male); 33 of 50 states; mean age 34.2 (ages 18-66)
Methodology: 5 parts (30 mins total)
1. Participants’ demographics (age + gender); whether they are a security professional or a student studying computer security; participants’ perceptions: technical understanding of the password ecosystem
2. Password pairs: 25 hypotheses about how different password characteristics impact perceptions of security. Given 2 similar passwords, rate which is more secure on a 7-point scale + free text. 8 broad categories: capitalization, location of digits & symbols, strength of letters vs. symbols, choice of words & phrases, choice of digits, keyboard patterns, use of personal information, character substitutions
3. Selected-password analysis: rate participants’ opinion of the security & memorability of 20 passwords
4. 11 strategies for password creation & password management: rate participants’ opinion of the security & memorability of 20 passwords
5. Participants’ impressions & understanding of attackers who might try to guess their passwords; free-text responses
Analysis
Quantitative
• Bonferroni method: correction applied per type of test
• Wilcoxon Signed Rank Test: non-parametric test; H0 = true password rating = 0 (the two passwords are equally secure); H1 = true rating is non-zero
• Spearman’s rank correlation coefficient: relationship between security & memorability for the selected-password analysis & the password creation strategies
• A mixed model ordinal regression: relationship between numerous independent variables (password length, # of digits) and participants’ ratings of password security & memorability
• Used for participants’ strength ratings and the relationship between security and memorability; α = 0.05
Qualitative
• One coder: read all responses to a question, proposed codes
• Second coder: used the annotated codebook to code the data
• Interpreted free-text responses
Results: Attacker Model
- who the attackers are - how attackers guess passwords & how many guesses it would take them
Results: Why Attackers Guess Passwords
- why someone might try to guess their passwords
- “credit cards” (P3) - “banking information” (P30)
- financial motivations - theft of personal information
Results: How do attackers try to guess your passwords?
- why someone might try to guess their passwords
- large-scale guessing attacks
- using software / algorithmic techniques
Results
- Rating the relative security of juxtaposed pairs of 2 passwords - 25 hypotheses x 3 pairs = 75 pairs of passwords, used to examine people’s view of password-cracking approaches
Beneficial to Security
- Capitalizing a letter in the middle of the word rather than at the “front”
- Putting digits or symbols in the middle of the password rather than at the “end”
- Using a random sequence of digits instead of a specific year or consecutive digits
- Using symbols instead of digits
- Using dictionary words rather than common names
- Avoiding personal information (e.g., a cousin’s name)
- Using words unrelated to the account (e.g., not setting the password to “password”)
Results
- PW1 & PW2 equivalent in strength
- (Bonferroni-corrected) p value
- p value: participants tended to rate 1 password as more secure
- Guess number: how many times stronger PW2 was than PW1
Participants’ perceptions of the relative security of passwords differed from actual security
Security calculus: 10^6 and 10^14
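The analysis behind this table and the Wilcoxon test listed under Analysis, as an added example that is not code from the paper or the presentation: per-participant ratings of one password pair are tested against H0 (true rating = 0), the p value is Bonferroni-corrected over the 25 hypotheses, and the significant perceived direction is checked against the guess-number ratio. The ratings, guess numbers and the rule "larger guess number = actually stronger" are constructed assumptions for the demonstration (the paper also has an "equivalent in strength" category); the normal approximation without tie correction is a simplification.

```python
import math
from statistics import median

# Constructed sample, not data from the paper: 20 participants rated the pair
# (brooklyn16, brooklynqy) on a -3..3 scale, positive = second password more secure.
SAMPLE_RATINGS = [-3, -2, -3, -1, -2, -2, -3, -1, 0, -2,
                  -3, -2, -1, -2, -3, -2, -1, -2, -3, 1]
# Hypothetical guess numbers (placeholders, not the paper's values).
GUESS_PW1, GUESS_PW2 = 1e7, 1e10

def _phi(z):
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def _avg_ranks(values):
    """1-based ranks of values; tied values share their mean rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j + 2) / 2.0   # mean of ranks i+1 .. j+1
        i = j + 1
    return ranks

def wilcoxon_signed_rank_p(diffs):
    """Two-sided p-value for H0: true rating = 0 (normal approximation, no tie correction)."""
    d = [x for x in diffs if x != 0]              # zero ratings carry no sign and are dropped
    n = len(d)
    if n == 0:
        return 1.0
    ranks = _avg_ranks([abs(x) for x in d])
    w_plus = sum(r for r, x in zip(ranks, d) if x > 0)
    mean, sd = n * (n + 1) / 4.0, math.sqrt(n * (n + 1) * (2 * n + 1) / 24.0)
    return 2.0 * (1.0 - _phi(abs((w_plus - mean) / sd)))

def compare_pair(ratings, guess1, guess2, n_hypotheses=25, alpha=0.05):
    """Perceived direction (Bonferroni-corrected Wilcoxon) vs. actual direction by guess number."""
    p_adj = min(1.0, wilcoxon_signed_rank_p(ratings) * n_hypotheses)
    perceived = "none" if p_adj >= alpha else ("pw2" if median(ratings) > 0 else "pw1")
    ratio = guess2 / guess1                       # how many times stronger PW2 is than PW1
    actual = "pw2" if ratio > 1 else ("pw1" if ratio < 1 else "none")
    return {"p_adj": p_adj, "perceived": perceived, "ratio": ratio, "actual": actual,
            "misperception": perceived != "none" and perceived != actual}

if __name__ == "__main__":
    print(compare_pair(SAMPLE_RATINGS, GUESS_PW1, GUESS_PW2))
```

With the constructed sample, participants significantly favour brooklyn16 while the (hypothetical) guess numbers make brooklynqy 1000 times stronger, which the function reports as a misperception.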
Results
- Misconceptions (participants rated the left side as more secure, but the opposite is true)
- Adding digits makes a password more secure than only using letters: brooklyn16 & astley123 >>> brooklynqy & astleyabc
- Substituting digits or symbols for letters: punk4life >>> punkforlife; p@ssw0rd >>> pAsswOrd
- Overestimating the security of keyboard patterns: 1qaz2wsx3edc >>> thefirstkiss; qwertyuiop >>> bradybunch
- Misjudging the popularity of particular words & phrases: ilovekale88 >>> iloveyou88
Results: Perceptions of the security & memorability of strategies
- 1-7 scale (7, darker colors = very secure / very easy to remember)
- Axes: secure / easy to remember
- Spearman’s ρ to find the correlation between security & memorability ratings
- Password reuse: wholly insecure yet memorable
- Song lyrics & relevant dates: memorable but insecure
- Trade-off: security vs. memorability
Discussion
First study comparing users’ perceptions of the security of text passwords with their actual security
Participants’ perceptions of what characteristics make a password more secure
Participants have critical misunderstandings: they overestimated the benefits of adding digits to a password and underestimated the predictability of keyboard patterns & common phrases
Current password-strength meters only tell users whether a password is weak or strong