Password management strategies for online accounts

Symposium On Usable Privacy and Security Pub Date : 2006-07-12 DOI:10.1145/1143120.1143127

Shirley Gaw, E. Felten

{"title":"Password management strategies for online accounts","authors":"Shirley Gaw, E. Felten","doi":"10.1145/1143120.1143127","DOIUrl":null,"url":null,"abstract":"Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.","PeriodicalId":273244,"journal":{"name":"Symposium On Usable Privacy and Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-07-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"419","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Symposium On Usable Privacy and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1143120.1143127","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 419

Abstract

Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.

查看原文本刊更多论文

网上帐户的密码管理策略

鉴于密码认证在网上通信、订阅服务和购物中的广泛使用，人们对身份盗窃的担忧日益增加。当人们在多个账户中重复使用密码时，他们就增加了自己的脆弱性;泄露一个密码可以帮助攻击者接管多个帐户。我们对49名大学生的研究量化了他们有多少密码，以及他们重复使用这些密码的频率。大多数用户有三个或更少的密码，密码被重复使用两次。此外，随着时间的推移，密码重用率也在上升，因为人们积累了更多的账户，但没有创建更多的密码。用户为他们的习惯辩护。虽然他们想保护金融数据和个人通信，但重复使用密码使密码更容易管理。用户将来自人类攻击者的威胁可视化，特别是将与他们亲近的人视为最有动机和最有能力的攻击者;然而，参与者并没有将人类攻击者与其潜在的自动化工具分开。他们有时没有意识到，只要有足够大的字典和足够多的尝试，电话号码等个性化密码就可以被破解。我们将讨论当前系统如何支持糟糕的密码实践。我们还提出了网站认证系统和密码管理器的潜在变化。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Symposium On Usable Privacy and Security

自引率

0.00%

发文量