Do Users’ Perceptions of Password Security Match Reality? + CHI 2016 - Blase Ur et al. / 유혜수 x 2016 Spring

160428 Do Users' Perceptions of Password Security Match Reality?

2016 Spring UX Lab meeting

Presenter: 유혜수, User Experience Lab, Graduate School of Convergence Science and Technology, Seoul National University

Authors: Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicholas Christin, Lorrie Faith Cranor

Why this paper

- Password hacking

What’s special about this paper

- The predictability of user-chosen passwords has been widely documented, but little research has investigated users’ perceptions of password security
- Earlier work on security perception used a think-aloud protocol (qualitative); this paper is quantitative research
- First study comparing users’ perceptions of the security of text passwords with their actual security


About the author

Blase Ur [Blazer]
✓ Ph.D. student, CS @ CMU
✓ Security and privacy, HCI

Overview

Background

Research Question

Method

Conclusions

• Users create predictable passwords BUT do not realize how predictable their passwords are

• 165-participant study of users’ perceptions of password security: security & memorability of passwords, and strategies for password creation & management

• Relationship between users’ perceptions of the strength of specific passwords and their actual strength

• Misconceptions about the impact of basing passwords on common phrases and of including digits and keyboard patterns in passwords

• Design directions for helping users make better passwords

• Characteristics of strong & weak passwords should be leveraged to help users create stronger passwords

Background

Measuring password strength
- The usual way people estimate password strength is the password meter offered at creation time
- These meters are heuristic-based
- They consider only the text length or the number of digits, so they do not measure the actual strength of the password, which is the problem

Accurate password strength measurement: guessability metric
- Guess number: how many guesses a particular password-cracking approach, in a particular configuration, needs before it reaches the password

Prior work

In this study,

Recruitment

Recruited on Amazon’s Mechanical Turk (MTurk) platform for a “research study about password security”

Limitations
• individuals’ technical skills
• the MTurk population is younger & more technical than the general population

165 individuals; gender balanced (51% male); 33 of 50 states; mean age 34.2 (range 18-66)

Methodology: 5 parts (30 mins total)

1 Participants’ demographics (age + gender); whether they are a security professional or a student studying computer security; participants’ perceptions: technical understanding of the password ecosystem

2 Password pairs: 25 hypotheses about how different password characteristics impact perceptions of security. Given 2 similar passwords, participants rate which is more secure on a 7-point scale, plus free text. 8 broad categories: capitalization, location of digits & symbols, strength of letters vs. symbols, choice of words & phrases, choice of digits, keyboard patterns, use of personal information, character substitutions

3 Selected-password analysis: participants rate the security & memorability of 20 passwords

4 11 strategies for password creation & password management: participants rate their security & memorability

5 Participants’ impressions & understanding of attackers who might try to guess their passwords (free-text responses)


Analysis

Quantitative (alpha 0.05 per type of test)

• Wilcoxon signed-rank test (non-parametric) on participants’ strength ratings: H0 = the true password rating is 0 (the two passwords are equally secure); H1 = the true rating is non-zero

• Bonferroni method to correct for the number of tests

• Spearman’s rank correlation coefficient: relationship between security and memorability ratings, for the selected-password analysis and for the password-creation strategies

• A mixed-model ordinal regression: relationship between numerous independent variables (password length, number of digits, ...) and participants’ ratings of password security & memorability

Qualitative

• One coder read all responses to a question and proposed codes

• A second coder used the annotated codebook to code the data

• Interpret the free-text responses

Results: attacker model

- who the attackers are
- how attackers guess passwords & how many guesses they take

Results: why attackers guess passwords

- why someone might try to guess their passwords

- “credit cards” (P3); “banking information” (P30)

- financial motivations; theft of personal information

Results: how do attackers try to guess your passwords?

- how someone might try to guess their passwords

- large-scale guessing attacks

- using software / algorithmic techniques

Results

- Rating the relative security of juxtaposed pairs of passwords: 25 hypotheses x 3 pairs = 75 password pairs, used to learn how people think password cracking works

Beneficial to security

- capitalizing a letter in the middle of the word rather than at the start
- putting digits or symbols in the middle of the password rather than at the end
- using random digits instead of a particular year or a sequential run
- using symbols instead of digits
- using dictionary words rather than common names
- avoiding personal information (e.g. a cousin’s name)
- using words unrelated to the account (e.g. not making the password the word “password” itself)

Results

- PW1 & PW2: pairs hypothesized to be equivalent in strength

- p value (Bonferroni corrected): whether participants tended to rate one password of the pair as more secure

- Guess number: how many times stronger PW2 was than PW1

Participants’ perceptions of the relative security of passwords differed from actual security

Guess-number thresholds marked in the figure: 10^6 and 10^14 guesses

Results: misconceptions

(“>>>” = participants rated the first password as more secure than the second; the guess numbers say the opposite)

- Adding digits makes a password more secure than using only letters: brooklyn16 & astley123 >>> brooklynqy & astleyabc

- Substituting digits or symbols for letters: punk4life >>> punkforlife; p@ssw0rd >>> pAsswOrd

- Overestimating the security of keyboard patterns: 1qaz2wsx3edc >>> thefirstkiss; qwertyuiop >>> bradybunch

- Since these are misconceptions, the reverse is the case

- Misjudging the popularity of particular words & phrases: ilovekale88 >>> iloveyou88
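The gap between a heuristic meter (Background) and a guess number (these misconceptions), as an added example that is not the paper's code or cracking configuration. It scores the pairs above two ways: a charset-size meter of the kind the Background slide criticises (length x log2 of the character pool), and the 1-based position at which a toy dictionary attack would guess the password. The wordlist, suffix list and six-stage guess order are constructed assumptions; a real attack orders millions of guesses the same way, popular and cheap first. A password the toy stream never reaches gets a guess number of None and is treated as the stronger of a pair.

```python
import itertools
import math
import string

# Constructed toy inputs (assumptions, not the paper's cracking setup).
COMMON = ["123456", "password", "qwerty", "qwertyuiop",
          "1qaz2wsx3edc", "iloveyou", "letmein"]
WORDS = ["password", "iloveyou", "brooklyn", "astley", "punk", "kale",
         "love", "life", "first", "kiss", "brady", "bunch", "monkey"]
SUFFIXES = (["1", "12", "123", "!", "1!"]
            + [f"{n:02d}" for n in range(100)]            # 00..99
            + [str(y) for y in range(1950, 2017)])        # birth years
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Every leet-speak rewrite of word, excluding the unchanged word."""
    slots = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*slots):
        cand = "".join(combo)
        if cand != word:
            yield cand


def guess_stream():
    """Guesses in the order the toy dictionary attack tries them."""
    yield from COMMON                                     # 1: most popular
    yield from WORDS                                      # 2: bare words
    for w in WORDS:                                       # 3: word + digits/year
        for s in SUFFIXES:
            yield w + s
    for w in WORDS:                                       # 4: leet rewrites
        yield from leet_variants(w)
    for a, b in itertools.product(WORDS, repeat=2):       # 5: two words
        yield a + b
    for w in WORDS:                                       # 6: word + 2 letters
        for a, b in itertools.product(string.ascii_lowercase, repeat=2):
            yield w + a + b


def guess_number(password):
    """1-based guess at which the stream hits password, or None if never."""
    for i, g in enumerate(guess_stream(), start=1):
        if g == password:
            return i
    return None


def heuristic_bits(password):
    """Charset-size heuristic used by many meters: len * log2(pool size)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def compare(pw1, pw2):
    """Which of a pair each method calls stronger, plus the guess numbers."""
    h1, h2 = heuristic_bits(pw1), heuristic_bits(pw2)
    g1, g2 = guess_number(pw1), guess_number(pw2)
    if g1 == g2:
        by_guesser = "tie"
    elif g1 is None or g2 is None:      # unreached within the toy budget wins
        by_guesser = pw1 if g1 is None else pw2
    else:
        by_guesser = pw1 if g1 > g2 else pw2
    by_meter = pw1 if h1 > h2 else pw2 if h2 > h1 else "tie"
    return {"meter": by_meter, "guesser": by_guesser, "guess_numbers": (g1, g2)}


if __name__ == "__main__":
    for pair in [("brooklyn16", "brooklynqy"), ("p@ssw0rd", "pAsswOrd"),
                 ("1qaz2wsx3edc", "thefirstkiss"), ("iloveyou88", "ilovekale88")]:
        print(pair, compare(*pair))
```

For every pair the meter sides with the participants (digits, leet substitutions and the keyboard pattern all enlarge the character pool), while the guesser reaches brooklyn16, p@ssw0rd and 1qaz2wsx3edc within a few hundred guesses and never reaches their partners; the ratio of the two guess numbers is the "how many times stronger" figure in the results table.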

Results: perceptions of the security & memorability of strategies

- 1-7 scale (7, darker colours = very secure / very easy to remember); axes: secure, easy to remember

- Spearman’s rho to find the correlation between security & memorability ratings

- Password reuse: wholly insecure yet memorable

- Song lyrics & relevant dates: memorable but insecure

- Trade-off: security vs. memorability

Discussion

First study comparing users’ perceptions of the security of text passwords with their actual security

Participants’ perceptions of what characteristics make a password more secure

Participants have critical misunderstandings: they overestimated the benefits of adding digits to a password and underestimated the predictability of keyboard patterns & common phrases

Current password-strength meters only tell users whether a password is weak or strong


Thank You!