DOI: 10.1145/1143120.1143127

Password management strategies for online accounts

Published: 12 July 2006

ABSTRACT

Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.

Published in

SOUPS '06: Proceedings of the second symposium on Usable privacy and security
July 2006, 168 pages
ISBN: 1595934480
DOI: 10.1145/1143120
Copyright © 2006 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 15 of 49 submissions (31%)
