Toronto, Canada | ACM CCS | October 18, 2018
Designing Password-Reuse Notifications
Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, Blase Ur
“What was that site doing with my Facebook password?”
use unique passwords
“use a password manager!”
people reuse passwords
R0cky!17 R0cky!17
R0cky!17
R0cky!14
Rocky!16
R0ckyBox
R0ckyStar123456
R0cky!17
| Email | Argon2i Hash of Password |
| --- | --- |
| … | … |
| [email protected] | $argon2i$v=19$m=4096,… |
| … | … |
Memory-Hard Hash Function
Password Strength Meter
Rate-Limiting Guessing
Email
…
jane@aol.com
jessey@gmx.net
jenny@gmail.com
jim@mail.com
Email SHA-1 Hash of [email protected] 7c4a8d09ca3762af61e595209
[email protected] [email protected] 7c222fb2927d828af22f59213
[email protected] [email protected] b1b3773a05c0ed0176787a4f1
... ...
crack all the things!
| Email | Cracked SHA-1 |
| --- | --- |
| [email protected] | 123456 |
| [email protected] | 5baa61e4c9b93f3f0682250b6 |
| [email protected] | Canada4ever |
| [email protected] | R0cky!17 |
| [email protected] | HikingGuy89 |
| ... | ... |

$> hashcat -m 100 -a0 $TARGET $DICT

123456
Password
R0cky!17
Football!17
CanadaRocks!
| Email | Argon2i Hash of Password |
| --- | --- |
| … | … |
| [email protected] | $argon2i$v=19$m=4096,… |
| … | … |
dead on arrival
| Email | Cracked SHA-1 |
| --- | --- |
| [email protected] | 123456 |
| [email protected] | 5baa61e4c9b93f3f0682250b6 |
| [email protected] | Canada4ever |
| [email protected] | R0cky!17 |
| [email protected] | HikingGuy89 |
| ... | ... |
| Email | Cracked |
| --- | --- |
| … | … |
| [email protected] | R0cky!17 |
| … | … |
dead on arrival
1 guess is enough!
black market monitoring
what’s the state-of-the-art?
Reset Your Password | view as a webpage
Hi Tom,
For your protection and the safety of your data, we have reset the password on your account. To access your account, you must choose a new, secure password.
Reset Your Password
This action is being taken proactively and at this time there is no evidence to indicate that your account or data have been compromised. Your backups are safe and your regular backup schedule will continue.
What Happened
As part of our ongoing security monitoring, we recently became aware of unauthorized attempts to access a number of Carbonite accounts. This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts. Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.
What Information Was Involved
While we will continue to monitor and investigate the matter, we have determined that some usernames and passwords are involved. Additionally, for some accounts, other personal information may have been exposed.
What We Are Doing
To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information. Our Customer Care team is standing by to assist anyone who needs additional help. This activity in no way affects existing or scheduled backups. Files are still being safely backed up.
In addition to our existing monitoring practices, we will be rolling out additional security measures to protect your account, including increased security review and two-factor authentication [which we strongly encourage you to use].
What You Should Do
Use the link above to reset your password. We highly recommend using "strong" unique passwords for Carbonite and all online accounts. Learn more about strong passwords at www.carbonite.com/safety. If you use the same or similar passwords on other online services, we recommend that you set new passwords on those accounts as well.
For more information please contact Customer Care at https://support.carbonite.com/.
Maximilian G. <[email protected]>
Google 2-Step Verification blocked a sign in attempt to your account.
1 message
Google <[email protected]> Wed, Sep 6, 2017 at 3:22 PM
To: [email protected]
Google 2-Step Verification blocked a sign in attempt to your account.
Hi Maximilian,
2-Step Verification just blocked a suspicious attempt to sign in to your Google Account. If it wasn’t you, then someone else knows your password, and you should secure your account now.
Maximilian G. [email protected]
Mac Wednesday, September 6, 2017 8:22 PM (GMT) Opera
If this was you, and you didn't have access to the phone or backup options you registered for 2-Step verification, you can update those options here.
The Google Accounts team
This email can't receive replies. For more information, visit the Google Accounts Help Center.
You received this mandatory email service announcement to update you about important changes to your Google product or account.
© 2017 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Blase Ur <[email protected]>
Someone has your password
1 message
Google <[email protected]> Sun, Oct 30, 2016 at 2:38 PM
To: [email protected]
Someone has your password
Hi Blase,
Someone just used your password to try to sign in to your Google [email protected].
Details: Sunday, October 30, 2016 9:38 PM (Central Africa Time) Victoria Falls, Zimbabwe*
Google stopped this sign-in attempt, but you should review your recently used devices:
REVIEW YOUR DEVICES NOW
Best, The Google Accounts team
*The location is approximate and determined by the IP address it was coming from.
This email can't receive replies. For more information, visit the Google Accounts Help Center.
You received this mandatory email service announcement to update you about important changes to your Google product or account.
© 2016 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
6 representative notifications
24 notifications
methodology
STUDY 1: previously sent password-reuse notifications
STUDY 2: individual components of password-reuse notifications
Imagine you have an important account with AcmeCo…
STUDY 1
AcmeCo notifications
questions asked
notification understanding
feelings
perceptions
demographics
actions
survey setup
• Amazon MTurk
• 15 mins
• Compensated $2.50
6 conditions
180 respondents
notifications were concerning and a priority
worried
afraid
anxious
annoyance
concerned
nervous
confusion
safe
angry
surprised
83% very high or high priority
60%
21%
hacked account
data breach
Why did you receive this notification?
allude to password reuse
don’t mention password reuse
0 - 4% respondents
listed password reuse as a cause
48 - 56% respondents
“The chances of someone guessing that I use the same password are still incredibly low.” (R171)
STUDY 1 CONCLUSIONS
Current password-reuse notifications
elicit concern
explain the situation
five notification goals
timely
legitimate
secure actions
sufficient background
trust
our model notification
STUDY 2
survey setup
• Amazon MTurk
• 15 mins
• Compensated $2.50
15 conditions
588 respondents
DELIVERY MEDIUM
INCIDENT DESCRIPTION
ACCOUNT ACTIVITY
PASSWORD CHANGE
EXTRA SUGGESTIONS
OTHER ACCOUNTS
What would you do about your AcmeCo password?
Keep it the same
Change it
Don’t know
6%
90%
3%
What would your new password be?
PW manager/browser
Reused password
Modified password
Completely new
Other
13%
11%
2%
68%
6%
“I know my password is already strong and unlikely to be hacked.” (R338)
“The hack wasn't specific to this company so it doesn't worry me.” (R69)
“Until I see evidence of hacking, I prefer to keep my own sanity.” (R300)
STUDY 2 CONCLUSIONS
After seeing a password-reuse notification, users
would change passwords
… but ineffectively
have incomplete threat models
conclusion
1. formative, systematic study of password-reuse notifications
2. developed best practices
best practices
send via email + more immediate channel
name password reuse as root cause
force password reset
encourage 2FA and password managers
suggest unique passwords for other accounts
conclusion
1. formative, systematic study of password-reuse notifications
2. developed best practices
3. future work should study novel notifications
macOS Mojave, Safari 12
1Password
conclusion
1. formative, systematic study of password-reuse notifications
2. developed best practices
3. future work should study novel notifications AND find ecosystem-level solutions
Designing Password-Reuse Notifications
Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, Blase Ur