A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su
A Mysterious Letter A man got a kick out of turning simple things into mysteries when composing a letter, though he was not good at all at writing. One day his father told him to write a letter to his brother and tell him four things: 1. A villager died not long ago. 2. The price of meat has gone up. 3. The household has employed a new accountant. 4. His brother's wife is going to have a baby. When the son had finished, however, the letter read:“ A villager died not long ago. The meat sold for 179 silver coins. The household has employed a new accountant. My sister-in-law's belly is getting bigger and bigger.“ He soon got an angry answer from his brother: "Domestic shame should not be made public. How can the flesh of the dead be sold to others?"
How do you manage your passwords? • Password Length • Password Pattern • Password Hygiene • Password Redundancy • How about passphrase? • Since password management is a rising issue, we necessarily use some methods to make it not easy to forget them and to be stolen by others
Don’t Make me Think! • Is a short and very easy-to-read book by Steve Krug about human computer interaction and web usability. • A good program or website should let users accomplish their intended tasks as easily and directly as possible
Problems • Who needs to use password management software? – General users with not many experiences on computers • Two Password Managers – PwdHash – Password Multiplier • Problems – Usability – Security Exposures – Inaccurate Mental Models
How does PwdHash work? • PwdHash preserves the benefits of password authentication such as mobility without any hardware requirements. Our primary design goals are not to change to the user experience and not to require server-side changes • Using a password starting with @@ or pressing F2 key before entering real a password, a user can set up hashed password by PwdHash. This can protect web site passwords against phishing attacks
How does Password-Multiplier work? • Password-Multiplier generate a protected password based on the master username, master passwords , and the target site domain name • By double-clicking on the password field or pressing Alt+P while the cursor is in that field, a user activate the plug-in Password-Multiplier • Some examples – PSU PSU – AmazonAmazon
It does encrypt passwords Username Master IndividualP Domain Encrypted Password assword Name Password Patrick 123456789 12345678 Psu.edu Zm72lv4n Patrick 123456789 12345678 Psu.edu NG0NGgg3 Maxine psucse123 12345678 Psu.edu2 WOfSEYaJ Maxine psucse123 12345678 Psu.edu2 UOBmgNiW
Related Work – User-centered security • Including a cognitive walkthrough inspection analysis and a lab user test of PGP5.0 – Graphical Passwords • Focusing on security and poor user choices made by real users • Memorability • Recognition of images – Secure Email Prototype • Focusing on key continuity management feature – Visibility • Combining with transparency can enhance usability of some security feature
Methodology and Results of PwdHash V.S. P-Multiplier
Result of Questionnaire Responses
Result of Problems Common to Both Systems • Users were unsure about whether the systems were correctly activated • Users had misconception that they could activate the password manager once and it remained active through their computer session • Not upon their cursors was go into the password field, the users trigger the programs
Critique • Mental Model – It should be obvious when a password has been protected – It should be obvious when the plug-in has been activated and is awaiting input – It should be clear how existing passwords are migrated – If something goes wrong, feedback should be short, understandable and reveal how to address – There should be a way for users to check which of their accounts are currently protected • User Acceptance and View of Necessity – Users should be educated about the importance of protecting passwords
Critique • Criteria for Security Software to be Usable – Be raliably made aware of the security task they must perform – Be ale to figure out how to successfully perform those tasks – Not make dangerous errors – Be sufficiently comfortable with the interface to continue using it – Be able to tell when their task their has been completed – Have sufficient feedback to accurately determine the current state of the system
Contribution • Adding to the relatively sparse, albeit growing , set of published usability studies in the security • Carrying out an independent usability test of PwdHash and Password Multiplier • Suggestion about the over claim and result from the earlier papers • A issue arises for the usability tests necessary prior to initialization of a new mechanism
My Critique on Password-Multiplier • A user does not the difference master password and individual password for a specific website • What if you have multiple accounts in a website and need to alternate between them very often? • How could you endure that you have to install the plug-in when you use a different computer? • What if a user use a public email along with a simple master password while installing P-Multiplier and a simple master password in a popular website? (e.g. chisu@cse.psu.edu+ 12345678 + 12345678 + amazon.com)
Take Away • The beginning of software design needs the participation of users • As the software is put in practice, ONLY feedback from the users can extend its life cycle • Do we really need “Transparency” while using software associated with security? • Does this paper cover all the aspects of usability?
Future work • Formative tests are conducted through the development of the system to guide the development • Summative test are used to gather performance data and provide measure of usability • Identification of specific mechanisms used for complying with the guidelines and addressing the requirements
Thank You!
Recommend
More recommend
