160428 (uploaded by hyesoo-yoo)
Transcript of 160428
![Page 1: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/1.jpg)
Do Users’ Perceptions of Password Security Match Reality? + CHI 2016 - Blase Ur et al. / Hyesoo Yoo x 2016 Spring
![Page 2: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/2.jpg)
2016-1 UX Lab meeting
Do Users’ Perceptions of Password Security Match Reality?
Hyesoo Yoo, User Experience Lab, Graduate School of Convergence Science and Technology, Seoul National University
Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicholas Christin, Lorrie Faith Cranor
![Page 3: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/3.jpg)
Why this paper
Password hacking
What’s special about this paper
1. First study comparing users’ perceptions of the security of text passwords with their actual security
2. Quantitative research: the predictability of user-chosen passwords has been widely documented, but little research has investigated users’ perceptions of password security; earlier work on security perception used think-aloud protocols (qualitative)
![Page 10: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/10.jpg)
About the author
Blase Ur [Blazer]
✓ Ph.D. student, CS @ CMU
✓ Security and privacy, HCI
![Page 11: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/11.jpg)
Overview
Background / Research question / Method / Conclusions
• Users create predictable passwords, BUT users don’t realize how predictable their passwords are
• 165-participant study of users’ perceptions of password security: security & memorability of passwords; strategies for password creation & management
• Relationship between users’ perceptions of the strength of specific passwords and their actual strength; misconceptions about the impact of basing passwords on common phrases and including digits and keyboard patterns in passwords
• Design directions for helping users make better passwords
• Characteristics of strong & weak passwords should be leveraged to help users create stronger passwords
![Page 12: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/12.jpg)
Background
Measuring password strength
- The usual way people estimate password strength is the password meter provided to them
- These meters are heuristic-based
- Because they only consider the length of the text or its digits, the problem is that they do not measure the password’s actual strength
Accurate password strength measurement
- Guessability metric
- Guess number
- How many guesses a particular password cracking approach configured
Prior work
In this study,
![Page 13: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/13.jpg)
Recruitment
Recruited on Amazon’s Mechanical Turk (mTurk) platform: “research study about password security”
Limitations • individuals’ technical skills • younger & more technical (considering the mTurk population)
165 individuals; gender balanced (51% male); 33 of 50 states; mean age 34.2 (ages 18-66)
![Page 14: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/14.jpg)
Methodology
5 parts (30 mins total)
1 Participants’ demographics (age + gender); whether a security professional or a student studying computer security; participants’ perceptions: technical understanding of the password ecosystem
2 Password pairs: 25 hypotheses about how different password characteristics impact perceptions of security - given 2 similar passwords, rate which is more secure on a 7-point scale + free text - 8 broad categories (capitalization, location of digits & symbols, strength of letters vs. symbols, choices of words & phrases, choice of digits, keyboard patterns, use of personal information, character substitutions)
3 Selected-password analysis: rate participants’ opinion of the security & memorability of 20 passwords
4 11 strategies for password creation & password management: rate participants’ opinion of the security & memorability of each strategy
5 Participants’ impressions & understanding of attackers who might try to guess their passwords: free-text responses
![Page 19: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/19.jpg)
Analysis
Quantitative
• Bonferroni method, per type of test (alpha 0.05)
• Wilcoxon signed-rank test: non-parametric test on participants’ strength ratings; H0: true password rating = 0 (equally secure); H1: true rating is non-zero
• Spearman’s rank correlation coefficient: relationship between security & memorability for the selected-password analysis & the password creation strategies
• A mixed-model ordinal regression: relationship between numerous independent variables (password length, number of digits) and participants’ ratings of password security & memorability
Qualitative
• One coder: read all responses to a question, proposed codes
• Second coder: used the annotated codebook to code the data
• Interpret free-text responses
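As an added worked example (not code from the paper or these slides), the quantitative pipeline above run on constructed data: a Wilcoxon signed-rank test of H0 “true rating = 0” on one password pair’s centred 7-point ratings, a Bonferroni threshold of alpha divided by the number of tests, and a check of whether a significant preference points the same way as the pair’s guess numbers. The ratings, the guess numbers and the function names are assumptions of this example; the test uses the normal approximation with a tie correction rather than the exact distribution.

```python
"""Wilcoxon signed-rank test plus Bonferroni correction on constructed pair ratings."""
import math
from typing import List, Tuple

# Constructed ratings for ONE password pair from ten hypothetical participants, already
# centred on the 7-point scale: +3 = PW2 much more secure, 0 = equally secure, -3 = PW1.
# These are not the paper's data.
PAIR_RATINGS = [2, 3, 1, 2, -1, 3, 2, 0, 1, 2]


def _average_ranks(values: List[float]) -> Tuple[List[float], List[int]]:
    """Rank values from 1, giving tied values their average rank; also return the
    tie-group sizes needed for the variance correction."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    tie_sizes: List[int] = []
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg_rank = (i + 1 + j + 1) / 2  # positions i..j hold 1-based ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg_rank
        tie_sizes.append(j - i + 1)
        i = j + 1
    return ranks, tie_sizes


def wilcoxon_signed_rank(ratings: List[int]) -> Tuple[float, float]:
    """Two-sided test of H0: the true (median) rating is 0, i.e. the pair is judged
    equally secure. Returns (W_plus, p) via the normal approximation with tie correction."""
    nonzero = [r for r in ratings if r != 0]  # a 0 rating says nothing about direction
    n = len(nonzero)
    if n == 0:
        return 0.0, 1.0
    ranks, tie_sizes = _average_ranks([abs(r) for r in nonzero])
    w_plus = sum(rank for rank, r in zip(ranks, nonzero) if r > 0)
    mean = n * (n + 1) / 4
    var = n * (n + 1) * (2 * n + 1) / 24 - sum(t ** 3 - t for t in tie_sizes) / 48
    z = (w_plus - mean) / math.sqrt(var)
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided tail of the standard normal
    return w_plus, p_value


def bonferroni_significant(p_value: float, num_tests: int, alpha: float = 0.05) -> bool:
    """Bonferroni: a result counts only if p < alpha / (number of tests in the family)."""
    return p_value < alpha / num_tests


def perception_vs_reality(ratings: List[int], guess_number_pw1: float,
                          guess_number_pw2: float, num_tests: int) -> str:
    """Compare the direction of a significant preference with the direction of actual
    strength, where a larger guess number means a harder-to-guess password."""
    w_plus, p_value = wilcoxon_signed_rank(ratings)
    if not bonferroni_significant(p_value, num_tests):
        return "no significant preference"
    n = len([r for r in ratings if r != 0])
    perceived_pw2_stronger = w_plus > n * (n + 1) / 4  # W+ above its mean under H0
    actual_pw2_stronger = guess_number_pw2 > guess_number_pw1
    return "matches" if perceived_pw2_stronger == actual_pw2_stronger else "contradicts"


if __name__ == "__main__":
    w, p = wilcoxon_signed_rank(PAIR_RATINGS)
    print(f"W+ = {w}, p = {p:.4f}")
    print("1 test  :", perception_vs_reality(PAIR_RATINGS, 1e6, 1e14, num_tests=1))
    print("25 tests:", perception_vs_reality(PAIR_RATINGS, 1e6, 1e14, num_tests=25))
```

With these constructed ratings the uncorrected p is about 0.014, so the preference for PW2 looks real when the pair is tested alone, but it fails the Bonferroni threshold of 0.05 / 25 = 0.002 once it is one of 25 hypothesis tests; that is the kind of result the per-family correction on the slide is meant to prevent from being over-read.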
![Page 20: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/20.jpg)
Results
Attacker model - who the attackers are - how attackers guess passwords & how many guesses they take
![Page 21: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/21.jpg)
Results
Why attackers guess passwords - why someone might try to guess their passwords
- “credit cards” (P3) - “banking information” (P30)
- financial motivations - theft of personal information
![Page 22: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/22.jpg)
Results
How do attackers try to guess your passwords?
- large-scale guessing attacks - using software / algorithmic techniques
![Page 23: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/23.jpg)
Results
- Rating the relative security of juxtapositions of 2 passwords - 25 hypotheses x 3 pairs = 75 pairs of passwords, used to learn how people think passwords get cracked
Beneficial to security
- Capitalizing a letter in the middle of the word rather than at the “front”
- Putting digits or symbols in the middle of the password rather than at the “end”
- Using a random string of digits instead of a specific year or consecutive digits
- Using symbols instead of digits
- Using a dictionary word instead of a common name
- Avoiding personal information (e.g., a cousin’s name)
- Using words unrelated to the account (e.g., not setting the password to “password”)
![Page 24: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/24.jpg)
Results
- PW1 & PW2 equivalent in strength
- (Bonferroni-corrected) p value
- p value: participants tended to rate one password as more secure
- Guess number: how many times stronger PW2 was than PW1
Participants’ perceptions of the relative security of passwords differed from actual security
Security calculus: 10^6 to 10^14
![Page 25: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/25.jpg)
Results
- Misconceptions (pairs where participants tended to rate one password as more secure)
- Adding digits makes a password more secure than using only letters
- brooklyn16 & astley123 >>> brooklynqy & astleyabc
- Substituting digits or symbols for letters - punk4life >>> punkforlife - p@ssw0rd >>> pAsswOrd
- Overestimating the security of keyboard patterns - 1qaz2wsx3edc >>> thefirstkiss - qwertyuiop >>> bradybunch
- These are misconceptions, so the opposite holds
- Misjudging the popularity of particular words & phrases - ilovekale88 >>> iloveyou88
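To make the Background slide’s contrast concrete (a heuristic meter versus looking at how a password would actually be guessed) and to run the misconception pairs above through both, here is an added example that is neither the paper’s code nor any real meter: a length-times-character-classes score of the kind the slide criticises, beside a small pattern checker that flags the structures the paper found users underestimate (digits appended to a word, leet substitutions of a common word, keyboard walks, years). The wordlist, the keyboard walks and the function names are constructed for this example; a production meter does the same with far larger dictionaries.

```python
"""Heuristic meter vs. pattern checks on the slide's password pairs (constructed example)."""
import re
import string
from typing import List

# Constructed stand-in for the dictionary a guessing tool would try first; not the paper's data.
COMMON_WORDS = {"password", "iloveyou", "brooklyn", "astley", "letmein"}
# Keyboard walks: the QWERTY rows, the digit row and the top-to-bottom column walks
# that appear in the slide's examples (1qaz, 2wsx, 3edc).
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                  "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# Undo the usual symbol-for-letter substitutions: @->a $->s !->i 0->o 1->l 3->e 4->a
LEET = str.maketrans("@$!0134", "asiolea")
CHAR_CLASSES = (str.islower, str.isupper, str.isdigit,
                lambda c: c in string.punctuation)


def heuristic_score(pw: str) -> int:
    """A meter of the kind the Background slide criticises: length x character classes.
    Any digit or symbol anywhere raises the score, which mirrors the misconception."""
    classes_present = sum(1 for is_class in CHAR_CLASSES if any(is_class(c) for c in pw))
    return len(pw) * classes_present


def _keyboard_coverage(lower: str) -> float:
    """Fraction of characters that sit inside some 4-character keyboard walk
    (forwards or backwards)."""
    covered = [False] * len(lower)
    for i in range(len(lower) - 3):
        chunk = lower[i:i + 4]
        if any(chunk in walk or chunk in walk[::-1] for walk in KEYBOARD_WALKS):
            for j in range(i, i + 4):
                covered[j] = True
    return sum(covered) / len(lower) if lower else 0.0


def pattern_flags(pw: str) -> List[str]:
    """Flags the structures the paper found participants underestimate. An empty list
    means none of these cheap-to-guess patterns was found, not that the password is strong."""
    flags: List[str] = []
    lower = pw.lower()
    plain_core = re.sub(r"[^a-z]", "", lower)                   # letters only
    deleet_core = re.sub(r"[^a-z]", "", lower.translate(LEET))  # letters after undoing leet
    if any(word in plain_core for word in COMMON_WORDS):
        flags.append("common word or phrase")
    elif any(word in deleet_core for word in COMMON_WORDS):
        flags.append("character substitution of a common word")
    if re.fullmatch(r"[a-z]+\d{1,4}", lower):
        flags.append("digits appended to a word")
    if re.search(r"(19|20)\d\d", lower):
        flags.append("contains a year")
    if _keyboard_coverage(lower) >= 0.75:
        flags.append("keyboard pattern")
    return flags


def compare_pair(pw1: str, pw2: str) -> dict:
    """What the heuristic meter prefers versus what the pattern checks say about each."""
    s1, s2 = heuristic_score(pw1), heuristic_score(pw2)
    return {
        "meter_prefers": pw1 if s1 > s2 else pw2 if s2 > s1 else "neither",
        pw1: pattern_flags(pw1),
        pw2: pattern_flags(pw2),
    }


if __name__ == "__main__":
    # Pairs from the misconception slide (the left side was rated far more secure).
    for left, right in [("brooklyn16", "brooklynqy"), ("p@ssw0rd", "pAsswOrd"),
                        ("1qaz2wsx3edc", "thefirstkiss"), ("ilovekale88", "iloveyou88")]:
        print(compare_pair(left, right))
```

On every pair from the slide the heuristic meter sides with the participants: it scores p@ssw0rd above pAsswOrd and 1qaz2wsx3edc above thefirstkiss purely because of the extra character classes, while the pattern checks flag exactly those passwords and pass thefirstkiss. The checker is deliberately tiny; the lesson is only that counting character classes is not a measure of how a password would be guessed.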
![Page 26: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/26.jpg)
Results
Perceptions of the security & memorability of strategies - 1-7 scale (7, darker colors -> very secure, very easy to remember)
Columns: secure / easy to remember
- Spearman’s ρ to find the correlation between security & memorability ratings
![Page 27: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/27.jpg)
Results
- Password reuse: wholly insecure yet memorable
- song lyrics & relevant dates = memorable but insecure
- Trade off: security vs. memorability
![Page 28: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/28.jpg)
Discussion
1 First study comparing users’ perceptions of the security of text passwords with their actual security: participants’ perceptions of what characteristics make a password more secure
2 Participants have critical misunderstandings - overestimated the benefits of adding digits to a password - underestimated the predictability of keyboard patterns & common phrases
3 Current password-strength meters only tell users whether a password is weak or strong
![Page 29: 160428](https://reader031.fdocument.pub/reader031/viewer/2022022414/588a19ea1a28ab132f8b6db7/html5/thumbnails/29.jpg)
Thank You!