A Usability Study and Critique of Two Password Managers Robert - - PowerPoint PPT Presentation

SLIDE 1

A Usability Study and Critique of Two Password Managers

Robert Biddle

Presenter: Chi-Tsong Su

slide-2
SLIDE 2

A Mysterious Letter

A man got a kick out of turning simple things into mysteries when composing a letter, though he was not good at all at writing. One day his father told him to write a letter to his brother and tell him four things:

  • 1. A villager died not long ago.
  • 2. The price of meat has gone up.
  • 3. The household has employed a new accountant.
  • 4. His brother's wife is going to have a baby.

When the son had finished, however, the letter read: “A villager died not long ago. The meat sold for 179 silver coins. The household has employed a new accountant. My sister-in-law's belly is getting bigger and bigger.” He soon got an angry answer from his brother: "Domestic shame should not be made public. How can the flesh of the dead be sold to others?"

SLIDE 3

How do you manage your passwords?

  • Password Length
  • Password Pattern
  • Password Hygiene
  • Password Redundancy
  • How about passphrase?
  • Since password management is a rising issue, we need methods that make passwords hard to forget and hard for others to steal

SLIDE 4

Don’t Make me Think!

  • A short and very easy-to-read book by Steve Krug about human-computer interaction and web usability

  • A good program or website should let users accomplish their intended tasks as easily and directly as possible

SLIDE 5

Problems

  • Who needs to use password management software?

– General users without much computer experience

  • Two Password Managers

– PwdHash
– Password Multiplier

  • Problems

– Usability
– Security Exposures
– Inaccurate Mental Models

SLIDE 6

How does PwdHash work?

  • PwdHash preserves the benefits of password authentication, such as mobility, without any hardware requirements. Its designers' primary goals are not to change the user experience and not to require server-side changes

  • By starting a password with @@, or by pressing the F2 key before entering the real password, a user has PwdHash replace it with a site-specific hashed password. This protects web site passwords against phishing attacks

SLIDE 7

How does Password-Multiplier work?

  • Password-Multiplier generates a protected password from the master username, the master password, and the target site's domain name

  • By double-clicking on the password field, or pressing Alt+P while the cursor is in that field, a user activates the Password-Multiplier plug-in

  • Some examples

– PSU
– Amazon
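
To make the two derivation schemes concrete, here is an added illustrative example; it is not the code of PwdHash or Password-Multiplier, and HMAC-SHA256 with a 12-character alphanumeric output is an assumption standing in for their real hash constructions. It shows why binding the derived password to the site's hostname is what defends against phishing: the same inputs always reproduce the same password, while a look-alike domain receives a different one.

```python
# Added illustrative example, not the code of PwdHash or Password-Multiplier.
# Assumption: HMAC-SHA256 stands in for the plug-ins' real hash constructions,
# and the derived password is forced to 12 alphanumeric characters.
import hashlib
import hmac
from urllib.parse import urlsplit

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def site_key(url: str) -> str:
    """Reduce a URL (or bare host) to the lower-cased hostname.

    The derived password is bound to this value, so a look-alike phishing
    host such as paypa1.com receives a different password than paypal.com.
    """
    if "://" not in url:
        url = "//" + url          # let urlsplit treat a bare host as a netloc
    return (urlsplit(url).hostname or "").lower()


def to_printable(digest: bytes, length: int) -> str:
    """Map a digest to `length` characters from ALPHABET.

    Treats the digest as one big integer and takes repeated divmod, which
    avoids the modulo bias of using each byte % len(ALPHABET).
    """
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def multiplier_style(master_user: str, master_pw: str, url: str, length: int = 12) -> str:
    """Password-Multiplier style: master username + master password + domain."""
    key = (master_user + "\x00" + master_pw).encode()
    digest = hmac.new(key, site_key(url).encode(), hashlib.sha256).digest()
    return to_printable(digest, length)


def pwdhash_style(typed_pw: str, url: str, length: int = 12) -> str:
    """PwdHash style: only the password typed after @@ (or F2) and the domain."""
    digest = hmac.new(typed_pw.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return to_printable(digest, length)


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run
    print(multiplier_style("Patrick", "123456789", "https://psu.edu/login"))
    print(pwdhash_style("12345678", "amazon.com"))
```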

SLIDE 8

It does encrypt passwords

Username   Master Password   Individual Password   Encrypted Password
Patrick    123456789         12345678              Zm72lv4n
Patrick    123456789         12345678              NG0NGgg3
Maxine     psucse123         12345678              WOfSEYaJ
Maxine     psucse123         12345678              UOBmgNiW

Domain Name (listed on the slide as a separate column): Psu.edu, Psu.edu, Psu.edu2, Psu.edu2

SLIDE 9

Related Work

– User-centered security

  • Including a cognitive walkthrough inspection analysis and a lab user test of PGP 5.0

– Graphical Passwords

  • Focusing on security and the poor choices made by real users
  • Memorability
  • Recognition of images

– Secure Email Prototype

  • Focusing on the key continuity management feature

– Visibility

  • Combined with transparency, it can enhance the usability of some security features

SLIDE 10

Methodology and Results of PwdHash vs. P-Multiplier

SLIDE 11

Result of Questionnaire Responses

SLIDE 12

Result of Problems Common to Both Systems

  • Users were unsure about whether the systems were correctly activated

  • Users had the misconception that they could activate the password manager once and it would remain active throughout their computer session

  • Placing the cursor in the password field does not trigger the programs; users must trigger them explicitly

SLIDE 13

Critique

  • Mental Model

– It should be obvious when a password has been protected
– It should be obvious when the plug-in has been activated and is awaiting input
– It should be clear how existing passwords are migrated
– If something goes wrong, feedback should be short, understandable, and reveal how to address it
– There should be a way for users to check which of their accounts are currently protected

  • User Acceptance and View of Necessity

– Users should be educated about the importance of protecting passwords

SLIDE 14

Critique

  • Criteria for Security Software to be Usable

– Be reliably made aware of the security tasks they must perform
– Be able to figure out how to successfully perform those tasks
– Not make dangerous errors
– Be sufficiently comfortable with the interface to continue using it
– Be able to tell when their task has been completed
– Have sufficient feedback to accurately determine the current state of the system

SLIDE 15

Contribution

  • Adding to the relatively sparse, albeit growing, set of published usability studies in security

  • Carrying out an independent usability test of PwdHash and Password Multiplier

  • Suggestions about the over-claimed results in the earlier papers

  • An issue arises for the usability tests necessary prior to the initialization of a new mechanism

SLIDE 16

My Critique on Password-Multiplier

  • A user does not know the difference between the master password and the individual password for a specific website

  • What if you have multiple accounts on a website and need to alternate between them very often?

  • How could you tolerate having to install the plug-in whenever you use a different computer?

  • What if a user uses a public email address along with a simple master password when installing P-Multiplier, and a simple individual password on a popular website? (e.g. chisu@cse.psu.edu + 12345678 + 12345678 + amazon.com)

SLIDE 17

Take Away

  • The beginning of software design needs the participation of users

  • As the software is put into practice, ONLY feedback from the users can extend its life cycle

  • Do we really need “Transparency” while using software associated with security?

  • Does this paper cover all the aspects of usability?

SLIDE 18

Future work

  • Formative tests are conducted throughout the development of the system to guide that development

  • Summative tests are used to gather performance data and provide a measure of usability

  • Identification of specific mechanisms used for complying with the guidelines and addressing the requirements

SLIDE 19

Thank You!