“I Added ‘!’ at the End to Make It Secure” · •Mahavishnu Orchestra is secure because...
Transcript of “I Added ‘!’ at the End to Make It Secure” · •Mahavishnu Orchestra is secure because...
Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor
“I Added ‘!’ at the End to Make It Secure”:Observing Password Creation in the Lab
2
3
4
5
6
7
8
password
9
ilovebillyC$1
10
ilovebillyC$1
11
ilovebillyC$1
12
AfNaHiLoco
13
AfNaHiLoco
Goals
• Understand precisely how people make passwords
In-lab, think-aloud protocol
14
Goals
• Understand precisely how people make passwords
In-lab, think-aloud protocol
• How users assign value to accounts
15
Goals
• Understand precisely how people make passwords
In-lab, think-aloud protocol
• How users assign value to accounts
• Users’ password-creation processes
16
Goals
• Understand precisely how people make passwords
In-lab, think-aloud protocol
• How users assign value to accounts
• Users’ password-creation processes
• “Microdecisions” users think add security
17
Methodology
• 49-participant lab study
18
Methodology
• 49-participant lab study
• Recruited using flyers / Craigslist
19
Methodology
• 49-participant lab study
• Recruited using flyers / Craigslist
• 45 – 60 minutes, compensated $25
20
Methodology
• Think aloud while creating 3 passwords:
21
Methodology
• Think aloud while creating 3 passwords:
22
Methodology
• Think aloud while creating 3 passwords:
23
Methodology
• Think aloud while creating 3 passwords:
24
Methodology
• Follow-up questions to understand why
25
Methodology
• Follow-up questions to understand why
• Questions about general strategies
26
Methodology
• Follow-up questions to understand why
• Questions about general strategies
• Following distraction task, recall password
27
Security Metric: Guessability
• Guessability – how many guesses to crack?
Threat model: large-scale guessing
28
Security Metric: Guessability
• Guessability – how many guesses to crack?
Threat model: large-scale guessing
• 1014 guesses using Hashcat
29
Security Metric: Guessability
• Guessability – how many guesses to crack?
Threat model: large-scale guessing
• 1014 guesses using Hashcat
• User-specific and site-specific attacks
30
Qualitative Analysis
• Based on affinity diagramming
31
Qualitative Analysis
• Based on affinity diagramming
Collaboratively grouped 546 behaviors / strategies
32
Qualitative Analysis
• Based on affinity diagramming
Collaboratively grouped 546 behaviors / strategies
• 25 broad themes
122 distinct behaviors
33
Limitations
• Small-scale, non-representative sample
• Limited ecological validity
Only one use of passwords
Test recall in same session
34
Results Outline
• Overview of participants
• Overview of passwords
• Security levels
• Strategies
35
Participants
• 49 participants
21 male
28 female
36
Participants
• 49 participants
21 male
28 female
• Variety of occupations
24 students
16 employed
9 unemployed/retired
37
Participants
• 49 participants
21 male
28 female
• Variety of occupations
24 students
16 employed
9 unemployed/retired
• Mean age 31 (median 24)
38
Passwords
39
Passwords
• Transformed (Fahl et al., SOUPS 2013)
40
Passwords
• Transformed (Fahl et al., SOUPS 2013)
• 6 passwords trivially guessable
gabriel, Password1!
41
Passwords
• Transformed (Fahl et al., SOUPS 2013)
• 6 passwords trivially guessable
gabriel, Password1!
• Half of passwords guessed
e.g., Tyrone1975, Gandalf*8, Triptrip1963
42
Passwords
• Transformed (Fahl et al., SOUPS 2013)
• 6 passwords trivially guessable
gabriel, Password1!
• Half of passwords guessed
e.g., Tyrone1975, Gandalf*8, Triptrip1963
• Half of passwords secure
e.g., 5cupsoftoys, AfNaHiLoco, 7301Poplarblvd$
43
Security Levels
44
Security Levels
• 21 participants considered sites equal value
45
Security Levels
• 21 participants considered sites equal value
• Struggled matching password to security level
46
Security Levels
• 21 participants considered sites equal value
• Struggled matching password to security level
P6’s high-value passwords both guessed
47
Security Levels
• 21 participants considered sites equal value
• Struggled matching password to security level
P6’s high-value passwords both guessed
• Creating a password “stresses me out…I know I want a really strong password. Thinking through how I want to create that is tough.” (P18)
48
Strategies
49
Base password on site
50
Base password on site
• Insecure banking password
51
+Money369
Base password on site
• Insecure banking password
52
+Money369
Base password on site
• Insecure banking password
53
+Money369
Base password on site
• Secure news password
54
LEFTbrown8!
Base password on site
• Secure news password
55
LEFTbrown8!
Base password on site
• Secure news password
56
LEFTbrown8!
Base password on site
• Secure news password
57
LEFTbrown8!
Knew to avoid dictionary words
58
Knew to avoid dictionary words
• Insecure keyboard patterns
59
1Qazxsw2
Knew to avoid dictionary words
• Secure (believed insecure)
60
junglesalmon711
Knew to avoid dictionary words
• Secure (and believed secure)
61
Rjunglesalmon711@$
Build password around phrase
62
Build password around phrase
• Insecure
63
ilove1sttrust!
Build password around phrase
• Secure
64
AfNaHiLoco
Build password around phrase
• Secure
65
AfNaHiLoco
Afraid of the Native HipstersLoopily Coding
Build password around phrase
• Be the change because “someone wouldn’t think it necessarily applies to me” (P17)
66
Digits and symbols make it secure
• Insecure
67
Tyrone
Digits and symbols make it secure
• Insecure (believed secure)
“Security is required for a bank account” (P37)
68
Tyrone1975
Digits and symbols make it secure
• “I added ‘!’ at the end to make it secure.” (P45)
69
Misunderstanding attackers
70
Misunderstanding attackers
• Mahavishnu Orchestra is secure because “this band name is hard to spell” (P2)
71
Misunderstanding attackers
• Mahavishnu Orchestra is secure because “this band name is hard to spell” (P2)
• Goldie: “hackers cannot guess [it] because I have no pictures of him on my Facebook account.” (P7)
72
Conclusions
• Users had process, yet many misconceptions
73
Conclusions
• Users had process, yet many misconceptions
74
Conclusions
• Users had process, yet many misconceptions
75
Conclusions
• Users had process, yet many misconceptions
76
Future Directions
77
Future Directions
• Help users assign value to accounts
78
Future Directions
• Help users assign value to accounts
• Promote secure creation processes
79
Future Directions
• Help users assign value to accounts
• Promote secure creation processes
• Data-driven tools
80
81
Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor
“I Added ‘!’ at the End to Make It Secure”:Observing Password Creation in the Lab
PasswordGuessability
Service