Page 1: How Does Your Password Measure Up

HOW DOES YOUR PASSWORD MEASURE UP

The Effect of Strength Meters on Password Creation

Rui Xie

Page 2: How Does Your Password Measure Up

Password Meters
• Users could receive feedback when creating a password
• Users could create a “STRONG” password with the help of password meters
• Widely used
• Different shapes and sizes

Page 3: How Does Your Password Measure Up

Primary Research Questions
• The effect of password meters on:
  • Composition
  • Guessability
  • Creation Process
  • Memorability
  • User Sentiment
• Important elements of meter design

Page 4: How Does Your Password Measure Up

Methodology
• 2931 participants, online study
• Between-subjects design
• Study in 2 parts, last 2 more days
  • Part 1: create a password and take a survey about creation (48 hours)
  • Part 2: re-enter the password and answer a survey on remembering the password

Page 5: How Does Your Password Measure Up

Conditions
• Control conditions
• Visual differences
• Scoring differences
• Both Visual & Scoring differences

Page 6: How Does Your Password Measure Up

Control Conditions
• Conditions to which all others were compared
• No meter: no feedback
• Baseline meter: standard password meter

Page 7: How Does Your Password Measure Up

Visual Differences
• Three-segment
• Green
• Tiny
• Huge
• No suggestions
• Text-only
• Bunny condition

Page 8: How Does Your Password Measure Up

Scoring differences
• Half-score
• One-third-score
• Nudge-16
• Nudge-comp8

Page 9: How Does Your Password Measure Up

Visual & Scoring differences
• Text-only-half
• Bold-text-only-half

Page 10: How Does Your Password Measure Up

Stringent Meters
• Half-score
• One-third-score
• Text-only-half
• Bold text-only-half

Page 11: How Does Your Password Measure Up

Metrics for Results
• Composition
• Guessability
• Creation process
• Memorability
• Sentiment

Page 12: How Does Your Password Measure Up

Composition
• Password length

Page 13: How Does Your Password Measure Up

Guessability
• Threat model: offline attack
• Weak adversary: 500 million guesses
• Medium adversary: 50 billion guesses
• Strong adversary: 5 trillion guesses

Page 14: How Does Your Password Measure Up

Results of Guessability (Visual)

Page 15: How Does Your Password Measure Up

Results of Guessability (Scoring)

Page 16: How Does Your Password Measure Up

Results of Guessability (Stringent)

Page 17: How Does Your Password Measure Up

Process of Creating Password
• Time spent creating password
• Changing mind while creating password

[Figure panels: Time of creating password; Change mind]

Page 18: How Does Your Password Measure Up

Memorability
• Still remembered after 5 minutes, with the same effect 2 days later
• Return rate
• Writing the password down or using electronic devices to record it

Page 19: How Does Your Password Measure Up

Sentiment
• Different levels of agreement with 14 statements on password creation and password meters
• Results
  • Stringent meters a bit more annoying
  • Stringent meters violate expectations

Page 20: How Does Your Password Measure Up

Meters Matter
• Meters lead to longer passwords
• Stringent meters reduce guessability
• Memorability is not affected by meters
• Overly stringent meters don’t add benefits

