The password thicket: technical and market failures in human authentication on the web
Joseph Bonneau, Sören Preibusch
{jcb82,sdp36}@cl.cam.ac.uk
Computer Laboratory
WEIS 2010, The Ninth Workshop on the Economics of Information Security
Boston, MA, USA
June 7, 2010
J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 1 / 28
Password authentication is losing viability
Twitter hack, July 2009
RockYou SQL injection hack, January 2010
Zuckerberg e-mail hacking, 2005
Twitter mass reset, February 2010
A thicket 30 years in the making
We’ve conducted experiments to try to determine typical users’ habits in the choice of passwords . . . The results were disappointing, except to the bad guy.
—Morris and Thompson, 1979
Conventional wisdom is gloomy
1 Users can’t manage: re-use, weak passwords, post-it notes, sharing
2 Free alternatives hard: graphical, cognitive
3 2-factor too expensive: hardware tokens, client certs, smartphone
4 Single sign-on limited
Illustrations shown: Passfaces; Cronto; OpenID/OAuth stack
Password collection remains ubiquitous
[Figure: prevention of password sharing amongst top US sites. Series: sites collecting passwords; sites blocking password sharing. Horizontal axis 0 to 900, vertical axis 0% to 100%.]
Figure 1. Proportion of sites collecting passwords and amongst these of sites blocking password sharing. Ratios given for top k US sites with k up to 900. Bumps are artefacts of the increasing window size for the arithmetic mean.
Supply side of the market remains poorly understood
1 How does the user experience vary from site to site?
2 What implementation weaknesses exist?
3 Which circumstantial factors affect sites’ implementation choices?
4 How do sites’ security requirements affect their choices?
5 Why do websites choose to collect passwords?
Coarse classification of password deployment cases
Identity
E-commerce
Content
Random study sample designed for depth, breadth
Site classification allows for feature overlap
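| Feature | I | E | C | Tot. |
|---|---|---|---|---|
| News displayed | 15 | 0 | 49 | 64 |
| Products for sale | 4 | 50 | 1 | 55 |
| Payment details stored | 7 | 30 | 2 | 39 |
| Social networking | 28 | 1 | 2 | 31 |
| Premium accounts available | 17 | 3 | 8 | 28 |
| Email accounts provided | 17 | 0 | 2 | 19 |
| Discussion forums | 16 | 1 | 2 | 19 |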
Complete evaluation of visible password security
1 enrolment: p. advice, data collected
2 login: data transmission
3 update: re-authentication, p. requirements
4 recovery: backup auth., replacement
5 attacks: user probing, p. guessing
Example site shown: IKEA
Semi-automated human-in-the-loop evaluation
Mozilla Firefox v 3.5.8 with:
Autofill Forms 0.9.5.2
CipherFox 2.3.0
Cookie Monster 0.98.0
DOM Inspector 2.0.4
Greasemonkey 0.8.20100211.5
Screengrab 0.96.2
Tamper Data 11.0.1
Findings
1 How does the user experience vary from site to site?
2 What implementation weaknesses exist?
3 Which circumstantial factors affect sites’ implementation choices?
4 How do sites’ security requirements affect their choices?
5 Why do websites choose to collect passwords?
User experience varies considerably
[Screenshots: WSJ 1996, WSJ 2010]

| Advice | I | E | C | Tot. |
|---|---|---|---|---|
| Use digits | 9 | 6 | 3 | 18 |
| Use symbols | 9 | 2 | 3 | 14 |
| Graphical strength indicator | 9 | 0 | 2 | 11 |
| Difficult to guess | 5 | 2 | 2 | 9 |
| Not a dictionary word | 6 | 0 | 2 | 8 |
| Change regularly | 4 | 0 | 1 | 5 |
| Any | 18 | 8 | 7 | 33 |

Bare-bones password entry is universal
Advice rare and inconsistent
TLS deployment sparse and inconsistent
| TLS Deployment | I | E | C | Tot. |
|---|---|---|---|---|
| Full | 10 | 39 | 10 | 59 |
| Full/POST | 3 | 1 | 1 | 5 |
| Inconsistent | 14 | 6 | 5 | 25 |
| None | 23 | 4 | 34 | 61 |
No standard for password length
[Figure: proportion of sites accepting passwords of length n, for password length n from 1 to 8. Series: Identity sites, E-commerce sites, Content sites, Payment sites, Premium sites, All sites.]
No standard for password recovery
EasyChair (not surveyed):

Dear Joseph Bonneau,

You requested us to send you your EasyChair login information. Please use the following data to log in to EasyChair:

User name: jbonneau
Password: –––––

Best regards,
EasyChair Messenger.

Ticketmaster:

Hello, jbonneau:

Thanks for using your Ticketmaster account.

This is a temporary password: ––-
Use this temporary password to login and reset your password again.

We hope you enjoy using your account!

Thanks,
The Ticketmaster Team

Last.fm:

Hi jbonneau,

Someone requested that your Last.fm password be reset. If this wasn’t you, there’s nothing to worry about - simply ignore this email and nothing will change.

If you DID ask to reset the password on your Last.fm account, just click here to make it happen:
http://www.last.fm/?id=<userid>&key=<authentication-token>

Best Regards,
The Last.fm Team

| Recovery Mechanism | I | E | C | Tot. |
|---|---|---|---|---|
| Email only | 32 | 42 | 46 | 120 |
| Email plus personal knowledge | 11 | 4 | 3 | 18 |
| Personal knowledge only | 5 | 2 | 1 | 8 |
| None available | 2 | 2 | 0 | 4 |
| Email contents | | | | |
| Original password (cleartext) | 5 | 14 | 17 | 36 |
| Temporary password | 11 | 15 | 12 | 38 |
| Reset link | 29 | 18 | 20 | 67 |
Password guessing rarely prevented
Timeout
Lockout/forced reset
CAPTCHA
Example sites shown: Truthdig, Cafe Press, Wikipedia

| countermeasure | I | E | C | Tot. |
|---|---|---|---|---|
| CAPTCHA | 11 | 2 | 1 | 14 |
| timeout | 2 | 1 | 2 | 5 |
| reset | 1 | 3 | 1 | 5 |
| none | 37 | 43 | 46 | 126 |

| limit | I | E | C | Tot. |
|---|---|---|---|---|
| 3 | 3 | 0 | 0 | 3 |
| 4 | 1 | 1 | 0 | 2 |
| 5 | 3 | 2 | 4 | 9 |
| 6 | 2 | 2 | 0 | 4 |
| 7 | 1 | 0 | 0 | 1 |
| 10 | 2 | 0 | 0 | 2 |
| 15 | 1 | 0 | 0 | 1 |
| 20 | 0 | 1 | 0 | 1 |
| 25 | 1 | 0 | 0 | 1 |
| > 100 | 37 | 43 | 46 | 126 |
User probing prevention rarely complete
Enrolment
Login
Recovery
Example sites shown: Ask, Zappos!

| interface | I | E | C | Tot. |
|---|---|---|---|---|
| enrolment | 4 | 1 | 1 | 6 |
| login | 43 | 41 | 38 | 132 |
| reset | 11 | 7 | 2 | 20 |
| all | 1 | 1 | 0 | 2 |
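
Added example, not from the slides: recovery by single-use, expiring reset link (the "Reset link" row of the recovery table) with a recovery form that answers identically for registered and unregistered addresses, so it cannot be used for user probing. The class and method names, the site.example URL and the 30-minute lifetime are assumptions.

```python
"""Reset-link recovery without user probing (added example, hypothetical names)."""
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # assumed lifetime; the slides do not state one
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class RecoveryService:
    """In-memory stand-in for a site's account table and outgoing mail queue."""

    def __init__(self, now=time.time):
        self._now = now
        self._accounts = {}  # email -> password hash (opaque to this example)
        self._pending = {}   # sha256(token) -> (email, expiry timestamp)
        self.outbox = []     # (recipient, body) pairs that would be mailed

    def enrol(self, email, password_hash):
        self._accounts[email] = password_hash

    def stored_hash(self, email):
        return self._accounts.get(email)

    def request_reset(self, email):
        """Return the same text whether or not the account exists."""
        if email in self._accounts:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            # A new request invalidates any older link for the same account.
            self._pending = {d: v for d, v in self._pending.items()
                             if v[0] != email}
            # Only the digest is stored, so a leaked table yields no live links.
            self._pending[_digest(token)] = (email,
                                             self._now() + RESET_TTL_SECONDS)
            link = "https://site.example/reset?key=" + token
            self.outbox.append((email, "Reset your password: " + link))
        # In production the mail is queued asynchronously so that response
        # time does not distinguish the two branches either.
        return GENERIC_REPLY

    def redeem(self, token, new_password_hash):
        """Set a new password if the token is known, unused and unexpired."""
        entry = self._pending.pop(_digest(token), None)  # pop = single use
        if entry is None:
            return False
        email, expiry = entry
        if self._now() > expiry:
            return False
        self._accounts[email] = new_password_hash
        # Notification after reset, so an unexpected change is visible.
        self.outbox.append((email, "Your password was changed."))
        return True


if __name__ == "__main__":
    svc = RecoveryService()
    svc.enrol("alice@example.org", "constructed-old-hash")
    print(svc.request_reset("alice@example.org"))
    print(svc.request_reset("nobody@example.org"))  # identical reply
    token = svc.outbox[0][1].split("key=")[1]
    print("first use:", svc.redeem(token, "constructed-new-hash"))
    print("replay:", svc.redeem(token, "constructed-other-hash"))
```

The account's existing password is never read or mailed, so it can be stored only as a hash, unlike the cleartext and temporary-password emails counted above.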
10-dimensional password security policies
| feature | cardinality |
|---|---|
| Enrolment email contents | 8 |
| Password advice | 16 |
| Minimum password length | 8 |
| Password requirements | 16 |
| Federated login support | 8 |
| Password update | 8 |
| Password recovery mechanism | 8 |
| Brute force restrictions | 4 |
| User probing restricted | 12 |
| TLS deployment | 4 |
Most sites re-inventing the wheel
| Uniqueness radius | % of sites |
|---|---|
| 0 | 100.0 |
| 1 | 90.6 |
| 2 | 56.0 |
| 3 | 24.0 |
| 4 | 7.3 |
| 5 | 1.3 |
| 6 | 0.0 |
Security-conscious sites are pioneers
[Figure: surveyed sites placed along a score axis from 0 to 10 and grouped into clusters. Legend: Identity site, E-commerce site, Content site, Payment ($), Cluster of sites.]
Cluster descriptions shown in the figure:
No TLS, no password requirements, cleartext passwords emailed, no guessing or user probing restrictions, email addresses verified
No TLS, no password requirements or advice, emailed temp. passwords for reset, no password advice, no guessing or user probing restrictions, email addresses verified
TLS deployed, 6 char. min. password, emailed reset links, no password advice, no guessing or user probing restrictions, email addresses not verified
No TLS, 6 char. min. password, personal knowledge questions for reset, no password advice, no guessing or user probing restrictions, email addresses verified
TLS deployed, 6 char. min. password, emailed reset links, no password advice, guessing restrictions in place, email addresses verified
10-point aggregate password score used for analysis
| feature | scoring |
|---|---|
| enrolment | |
| Password selection advice given | +1 pt |
| Minimum password length required | +1 pt |
| Dictionary words prohibited | +1 pt |
| Numbers or symbols required | +1 pt |
| User list protected from probing | +1 pt |
| Cleartext password sent in email after enrolment | −1 pt |
| login | |
| Password hashed in-browser before POST | +1 pt |
| Limits placed on password guessing | +1 pt |
| User list protected from probing | +1 pt |
| Federated identity login accepted | +1 pt |
| password update | |
| Password re-entry required to authorise update | +1 pt |
| Notification email sent after password reset | +1 pt |
| password recovery | |
| Password update required after recovery | +1 pt |
| Cleartext password sent in email upon request | −1 pt |
| User list protected from probing | +1 pt |
| encryption | |
| Full TLS for all password submission | +2 pts |
| POST only TLS for password submission | +1 pt |
More popular sites do better
[Figure: password score (0 to 10) against page views per million (log scale, 1E-2 to 1E+5). Series: E-commerce, News/Customization, User interaction.]
Popular, growing, competent sites are more secure
[Table: site characteristics (rows) against security features (columns); the per-cell marks are not recoverable.]
Columns: Password score > median; TLS deployed correctly; Guessing attacks restricted; Minimum password length enforced; Dictionary words prohibited; Cleartext passwords mailed; Notification of password reset; Email verified on enrolment; CAPTCHA required on enrolment.
Rows: Positive 3-mo. traffic change; Years online > 10; Load time < med.; Traffic Rank > 25th %ile; Traffic Rank > med.; Traffic Rank > 75th %ile; Industry Traffic Rank > 25th %ile; Industry Traffic Rank > med.; Industry Traffic Rank > 75th %ile; Page Views > 25th %ile; Page Views > med.; Page Views > 75th %ile.
Findings
1. How does the user experience vary from site to site?
2. What implementation weaknesses exist?
3. Which circumstantial factors affect sites’ implementation choices?
4. How do sites’ security requirements affect their choices?
5. Why do websites choose to collect passwords?
Content sites provide the least security
[Figure: proportion of sites receiving a score ≥ n (0.0 to 1.0) against password score n (0 to 10); series: Identity sites, E-commerce sites, Content sites, Payment sites, Premium sites, All sites.]
Payment-storing sites do it best
[Table: site segments and features (rows) against security features (columns); the per-cell marks are not recoverable.]
Columns: Password score > median; TLS deployed correctly; Guessing attacks restricted; Minimum password length enforced; Dictionary words prohibited; Digits; Symbols; Cleartext passwords mailed; Notification of password reset; Email verified on enrolment; CAPTCHA required on enrolment.
Rows: Identity segment; E-commerce segment; Content segment; Premium accounts offered; Payment details stored; E-mail provided; Social networking features.
Security policies vary far more than requirements
[Figure: individual sites placed along a password-score axis from 0 to 10. Legend: Identity site, E-commerce site, Content site, Payment $, Cluster of sites. Annotated clusters:]
No TLS, no password requirements, cleartext passwords emailed, no guessing or user probing restrictions, email addresses verified
No TLS, no password requirements or advice, emailed temp. passwords for reset, no password advice, no guessing or user probing restrictions, email addresses verified
TLS deployed, 6 char. min. password, emailed reset links, no password advice, no guessing or user probing restrictions, email addresses not verified
No TLS, 6 char. min. password, personal knowledge questions for reset, no password advice, no guessing or user probing restrictions, email addresses verified
TLS deployed, 6 char. min. password, emailed reset links, no password advice, guessing restrictions in place, email addresses verified
Content sites want email, marketing data
New York Times
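| Data | I | E | C | Tot. |
|---|---|---|---|---|
| Email address | 38 | 50 | 49 | 137 |
| Email verified | 29 | 1 | 35 | 65 |
| Email updates offered | 21 | 42 | 47 | 110 |
| Postcode | 15 | 30 | 34 | 79 |
| Mailing address | 5 | 19 | 8 | 32 |
| Phone number | 5 | 20 | 7 | 32 |
| Marketing data | 4 | 6 | 13 | 23 |
| Username | 35 | 5 | 29 | 69 |
| CAPTCHA | 29 | 3 | 11 | 43 |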
Economic models
Password over-collection is a tragedy of the commons
Password insecurity is a negative externality
Regulatory fixes
Tax
Licensing
Liability
Standards
Perspectives
Costco
It’s a thicket out there
The market is failing
Psychological barriers may exist
OpenID to the rescue?
Mixx
Yahoo!
Questions?
{jcb82,sdp36}@cl.cam.ac.uk
Data available online: http://preibusch.de/publ/password-market