Post on 30-Dec-2015
A Usability Study and Critique of Two Password Managers
Sonia Chiasson, P.C. van Oorschot, and Robert Biddle
Overview
• Introduce PwdHash and Password Multiplier
• Usability Testing
• Study Details and Results
• Lessons Learned - Usability
• Lessons Learned - Security
2/11
Password Managers
• Shift the burden of creating and remembering strong passwords away from users
– easier for users
– better protection
• e.g.
– PwdHash (USENIX Security 2005)
– Password Multiplier (WWW 2005)
3/11
PwdHash
– @@ in front of passwords you want to protect
– potentially different user passwords for each site
– hash(pwd, dom) = PRF_pwd(dom)
Password Multiplier
– one master password, only need to remember one password and it generates the others
– activate with Alt+P or double-clicking
– V = f^k1(username, master_pwd)
– site_pwd = f^k2(dom, master_pwd, V)
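The two derivations on this slide, as an added worked example (not code from the paper or from either tool): HMAC-SHA256 stands in for PwdHash's PRF, iterated SHA-256 with small illustrative counts stands in for Password Multiplier's f^k1 and f^k2, and the base64 truncation is an assumed output encoding. site_receives models the failure mode the security lessons refer to: when the plug-in is not activated, the site gets the raw password.

```python
import base64
import hashlib
import hmac


def prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in PRF (assumption): HMAC-SHA256 keyed by `key`.
    return hmac.new(key, msg, hashlib.sha256).digest()


def encode_pwd(digest: bytes, length: int = 12) -> str:
    # Turn raw bytes into a typeable password (assumed encoding).
    return base64.b64encode(digest).decode()[:length]


def pwdhash(pwd: str, dom: str) -> str:
    # PwdHash: hash(pwd, dom) = PRF_pwd(dom); pwd is the user's own password for that site.
    return encode_pwd(prf(pwd.encode(), dom.encode()))


def iterated_hash(data: bytes, k: int) -> bytes:
    # f^k: apply SHA-256 k times (counts here are illustrative, not the tool's).
    for _ in range(k):
        data = hashlib.sha256(data).digest()
    return data


def pm_v(username: str, master_pwd: str, k1: int = 2000) -> bytes:
    # Password Multiplier stage 1: V = f^k1(username, master_pwd), computed once and cached.
    return iterated_hash(f"{username}\0{master_pwd}".encode(), k1)


def pm_site_pwd(dom: str, master_pwd: str, v: bytes, k2: int = 200) -> str:
    # Password Multiplier stage 2: site_pwd = f^k2(dom, master_pwd, V), per site.
    return encode_pwd(iterated_hash(f"{dom}\0{master_pwd}\0".encode() + v, k2))


def site_receives(pwd: str, dom: str, activated: bool) -> str:
    # What the site actually gets: the hashed value only if the user activated the
    # plug-in (the @@ prefix / Alt+P step); otherwise the raw password is sent.
    return pwdhash(pwd, dom) if activated else pwd


if __name__ == "__main__":
    v = pm_v("alice", "correct horse")  # constructed sample credentials
    for d in ("bank.example", "bank-example.test"):
        print(d, pwdhash("hunter2", d), pm_site_pwd(d, "correct horse", v))
```

The lookalike domain yields a different password under both schemes, which is the phishing protection the transcript alludes to; the protection vanishes entirely on the un-activated path.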
4/11
Usability Testing
• Is this usable? Are there problems?
– Need to observe real users
– a few may not be enough
– Cannot just ask for users' opinion
• "the user is not the weakest link – but your interface might be!"
5/11
Study Details
• 26 participants
– various degree programs, only 4 with technical backgrounds
• data collection
– observational data: recording task outcomes, difficulties, obvious misconceptions, quotes
– questionnaire data: initial attitudes, opinion after each task, post questionnaires
• 5 tasks for each plug-in
– balanced order
– written instructions
– think-aloud protocol
6/11
Task Completion Results

Task                  Success   Dangerous Success*   Failure   False Completion   Failed due to Previous
PwdHash
  Log In              48%       44%                  8%        0%                 N/A
  Migrate Pwd         42%       35%                  11%       11%                N/A
  Remote Login        27%       42%                  31%       0%                 N/A
  Update Pwd          19%       65%                  8%        8%                 N/A
  Second Login        52%       28%                  4%        0%                 16%
Password Multiplier
  Log In              48%       44%                  8%        0%                 N/A
  Migrate Pwd         16%       32%                  28%       20%                N/A
  Remote Login        N/A       N/A                  N/A       N/A                N/A
  Update Pwd          16%       4%                   44%       28%                N/A
  Second Login        16%       4%                   16%       0%                 16%

* Dangerous Success: success potentially causing security exposures. The last three columns are the failure categories.
7/11
Questionnaire Responses
[Chart: responses on a 1 to 5 scale (negative / neutral / positive) for Perceived Security, Giving Control, Ease of Use and Perceived Necessity, PwdHash vs Password Multiplier]
8/11
Lessons Learned - Usability
• activation
– "well I think it did something"
– once is not enough
• lack of feedback, invisibility/transparency
– complete tasks without activation
• frustration and misconceptions
– gave up on tasks
– how system deals with passwords
9/11
Lessons Learned - Security
• Usability problems lead to security vulnerabilities
• False sense of security
• Benefits rely on correct operation
10/11
Conclusion
• Usability is a concern because it can directly lead to security vulnerabilities
• Systems must be tested with real users
– transparency not always good
– must support users' mental models
11/11
For more info:
http://www.scs.carleton.ca/~schiasso/