Password Managers:
Attitudes & Adoption
Olger Hoxha
Professor Ramakrishna Ayyagari
University of Massachusetts Boston
May 2016
1. Introduction
As society continues to become more globalized, the importance of data and
information increases as well. In the modern world, people are carrying out banking
transactions on their phones, posting about their day on social media, and purchasing
goods online more and more every day. With this surplus of information, there is also a
growing need to secure these transactions. Secure authentication techniques and Unique
IDs are vital towards the integrity of the information posted and transacted online. In this
information age, hackers are improving their methods of intrusion, forcing authentication
experts to discover and create numerous ways to authenticate users through various
platforms.
Text-based passwords, RFID tokens¹, and biometrics are just a few of the
different ways that users can authenticate themselves. Although some of these methods
are more secure than others, when a cost-benefit analysis is run, the added user effort
causes them to fail tragically compared to text-based passwords [2]. In theory, text-based
passwords do a fantastic job of securely authenticating a user. For example, a relatively
simple password such as “Apple123$” would take around 2.03 hundred thousand
centuries to brute force, assuming 1 thousand guesses a second; or 1.77 hours
assuming 1 trillion guesses a second. Simply repeating the password to make it
“Apple123$Apple123$” would cause the time to rise to around 1.28 hundred billion
trillion centuries, or 1.28 trillion centuries, respectively [6]. A complex password
consisting of upper and lowercase characters, numbers, and symbols is virtually
impossible to hack into, especially if 12 characters or more. According to the same
calculator, 10 characters would take a week, 11 characters would take 1.83 years, and 12
characters would take 1.74 centuries, assuming 1 trillion guesses a second [6].
¹ RFID, radio-frequency identification, is a technology in which a device is used to
identify someone or something nearby, wirelessly.
As great as text-based passwords are in theory, in practice, they can definitely
prove to be insecure. The reason for that is that users tend to create simple and easy to
guess passwords. According to a study, 62% of users created passwords of 10 characters
or less [1]. Although that seems like a big number, according to the Brute Force
calculator that would take 1 week to crack assuming 1 trillion guesses a second [6]. In a
famous example, RockYou, a company developing widgets and games for social media
websites such as Facebook or Myspace, had been storing users’ account information in
plain text format in a database. This turned into a catastrophe in 2009 when the RockYou
database was hacked and the company’s 32 million user accounts were released to the
public. Since then, researchers have analyzed the passwords to discover a very interesting
statistic: the top 10,000 most common passwords make up 22% of all passwords on the
site [7]. That means that it would take a hacker, according to the haystack calculator, 10
seconds to go through that list on an online database, and they would have a 22% chance
of getting a hit on a random account; a 1 in 5 chance of opening an account, easily
resulting in 1 unlocked account each minute. Users are the weakest link in the
authentication chain, but it doesn’t just stop there.
Of course, a user could definitely and easily add an extra character or two to that
password, which would add a whole new level of security; however, if a data breach
occurred, similar to the one at the RockYou website, the user would still be greatly affected. In
theory this should not be the case, as one password being exposed in a website should not
be worrying users about the potential problems in another website. Security professionals
and researchers constantly try to educate the public about the benefits of having unique
passwords for each account and each website. But do they listen? It’s very obvious that
the answer is a profound “No.” Studies show that more than 80% of users tend to reuse
passwords in multiple places [1]. This opens them up to serious security vulnerabilities; if
their password were to be hacked in one website, many of their other accounts could be
vulnerable to an intruder as well. A study by researchers at Microsoft tells us that users
had 25 accounts on average in 2007 [4]. Almost 9 years later, this number has almost
definitely increased, which essentially means that the task of creating and memorizing
25+ completely different passwords each with 10-14 characters or more, is daunting, if
not simply impossible for the average user. As password breaches become more and
more common, security experts are continually increasing their recommendations for the
number of characters and complexity of passwords. However, these requirements are too
high for the public, and users subsequently tend to fall short. With these increasing
requirements, an older technology is becoming relevant again to bridge the gap between
recommendations and actual usage: password managers.
2. Password Managers
A password manager is “software for storing all our passwords in one location
that is protected and accessible with one easy-to-remember master passphrase” [3].
Additionally, the software is able to generate passwords based on criteria that one desires,
i.e. uppercase character, lowercase character, number, symbol, and minimum or
maximum length. The main purpose of the software is to keep all of your secure
passwords in an encrypted database, either online or on your computer, that can only be
accessed with the master passphrase. This frees users from having to remember 25
different passwords; they would only need to remember 1 complex password. A
recommendation would be at least a 12 character alphanumeric password with a symbol.
According to the Brute Force calculator, that would take a supercomputer 1.74 centuries
[6], which, from a security standpoint, is more than adequate for the purposes of
daily use.
2.1. Browser-based
There are three types of password managers; although mainly the same design,
their slight variances add major degrees of usability for users. The main type that users
might have come across is browser-based password management. For the past few years,
browsers have started “remembering” passwords; some even offer to generate a password
for the user. After entering a username or a password on almost any website, a popup
asks if you’d like to save this account and password for future use, see Figure 1 for an
example. After saying yes, the next time one tries to log into the site, the username and
password will already have been entered in for you. This type of password management
is high on the usability scale because it makes authentication seamless. Most times, you
can just click on a website, and you are already logged in, no need to click authenticate at
all. On the other side, this fails the security requirement. The database is essentially wide
open. If someone were able to steal the user’s laptop, all of the user’s accounts would be
completely vulnerable. Although the thief might not be able to see the passwords,
depending on the browser, they would have full access to the user’s accounts because
there is no security check or authentication required before the password populates
automatically. Moreover, on some password managers, there is no additional security
check before showing all of the passwords in plain text; this is a serious security concern.
2.2. Desktop-Based (KeePass)
Another type of password management is desktop-based software. This type of
system is generally “hidden” in the taskbar or menu bar of the computer. If a user comes
across a website requiring authentication, they would open the program on the taskbar,
enter their complex password, and be shown a list of all of their passwords. They can
then search for the website, and copy and paste their username and password to their
browser. This type of password management has a medium level of usability. It requires
users to open a separate application and enter a complex password in order to find
their password for that website, which could add 10-15 seconds to authenticate the
account, which easily adds up considering users are likely logging in 7-10+ times a day. In
addition, it requires users to be on the original computer to actually access the passwords,
making it impossible to access accounts if on a different computer. On the other hand,
this type of software is high on the security scale because all of the passwords are
encrypted, and even if someone were to steal the computer, they would not be able to
access the database, if the master passphrase is complex enough. As an example, let’s
look at a popular free, open source option, KeePass.
When you first open up the program, it will require the master passphrase, see
Figure 3. After entering in the correct master passphrase, the user is shown the main
menu of the program, see Figure 4. On the left side of the program is a database with
different groups and folders for the corresponding accounts. A Facebook or Twitter
account could go into a folder called “Social Media”, and Bank of America could go into
a folder called “Banking,” to make the user experience easier. In the middle of the screen
is the list of username and password entries. The password is not shown even after
arriving at this screen, and instead, only the copy function for the password is allowed.
This adds an additional level of security against a possible “shoulder surfer.”
The new entry page has a number of features geared towards security, see Figure
5. In the middle of the screen is a loading bar, notifying the user of the level of security of
their password. The lower the quality, the easier the password is to hack or possibly
guess. This could help users understand what a strong password actually entails. In
addition, it might be a wake-up call for some users who believed that their password is
“good enough” only to find out it’s actually a very weak password. In addition, on the
right side of the password field are buttons that lead to the built-in password generator,
see Figure 6. This allows the user to dictate the necessary requirements for a password,
and the program will generate the strongest password possible out of the requirements.
The user no longer has to worry about whether a password is strong enough or not, because the
program will take care of that step. Since there is no longer a need to remember
passwords, other than the master password, the generated passwords can be 30+ characters
long without an issue, creating the most secure passwords possible.
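A criteria-driven generator with a quality figure, of the kind described above, can be sketched as follows. This is an added example, not KeePass code, and it does not reproduce KeePass's generator or its quality estimate: the function names, the class names and the counting-based quality figure are assumptions made for illustration.

```python
import math
import secrets
import string
from itertools import combinations

# The four criteria named in the text (the dictionary keys are this example's own).
CLASSES = {
    "upper": string.ascii_uppercase,   # 26 characters
    "lower": string.ascii_lowercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "symbol": string.punctuation,      # 32 characters
}
ALL = tuple(CLASSES)


def generate(length, required=ALL):
    """Return a random password with at least one character of each required class.

    Whole candidates are drawn from the OS CSPRNG and rejected until one
    complies, so every compliant password is equally likely. Forcing one
    character per class into fixed positions would skew the distribution.
    """
    if not required:
        raise ValueError("at least one character class is required")
    if length < len(required):
        raise ValueError("length cannot hold one character of every required class")
    pool = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in CLASSES[name] for ch in candidate) for name in required):
            return candidate


def compliant_count(length, required=ALL):
    """Count the passwords generate() can return, by inclusion-exclusion."""
    sizes = [len(CLASSES[name]) for name in required]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            # Strings of this length that avoid every class in `missing`.
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def quality_bits(length, required=ALL):
    """Entropy in bits of a password produced by generate()."""
    return math.log2(compliant_count(length, required))


if __name__ == "__main__":
    for n in (10, 12, 30):
        print(n, generate(n), round(quality_bits(n), 1))
```

The figure applies only to passwords produced by `generate()`; a password a person chose, such as a word followed by digits, has far less entropy than its length and character classes suggest.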
Figure 1: Do you want to remember this password in Internet Explorer
Source: https://blogs.msdn.microsoft.com/ieinternals/2009/09/10/why-wont-ie-remember-my-login-info/
Figure 2: Stored User Names and Passwords in Windows & Internet Explorer
Source: http://www.howtogeek.com/howto/windows-vista/create-a-shortcut-to-the-stored-user-names-and-passwords-dialog-in-windows/
Figure 3: Entering the Master Password in KeePass
Source: http://keepass.info/screenshots.html
Figure 4: KeePass’ Main Program Window
Source: http://keepass.info/screenshots.html
Figure 5: KeePass’ New Password Entry Window
Source: http://keepass.info/screenshots.html
Figure 6: KeePass’ Password Generator Window
Source: http://keepass.info/screenshots.html
2.3. Cloud-based
The last version of password management systems is cloud-based. It is very
similar to desktop-based systems; however, as the name implies, the databases are stored
on the “cloud,” in other words, remote third-party servers. Generally, these databases are
accessible through a website. As with desktop-based systems, a single complex master
password is required to gain access to the database. An added functional piece is the
accessibility of the passwords through mobile devices.
As an example, Figure 7 has screenshots of an online advertisement for
1Password, a popular cloud-based password manager. The first screenshot shows the
consolidation of all of the accounts into one list or vault. The next screenshot
demonstrates how the interface is built into the web browser, and after entering the
master passphrase, the user is shown that the iCloud information is available.
Additionally, similar to KeePass, a password generator is available directly on the
browser. The last screenshot is the program, 1Password, operating on a mobile device,
alluding to the cloud functionality, and added usability in terms of portability.
Of course, 1Password is not the only cloud-based password manager in existence
that offers mobile apps; LastPass, for example, has been downloaded between 1,000,000
and 5,000,000 times on the Google Play store, and as of May 17, 2016, has been rated an
average of 4.6/5.0 based on 74,329 reviews [8]. This not only maintains the high level of
security required for proper password management, but it also achieves a higher level of
usability compared to desktop-based managers by allowing users to access passwords on
their phone or through a quick website if they’re on a different computer.
With all of these added security measures and features, one wonders how these
types of password managers fare in terms of usability and real life scenarios.
Interestingly, there have been only 2 prior papers with a usability study regarding
password managers, the first by Chiasson et al. [9], and the second by Karole et al. [10].
The first was a usability study of two desktop-browser password managers, PwdHash
and Password Multiplier. These password managers are different from the typical
managers we described earlier; instead of essentially acting as a vault, they are
browser add-ons that hash² passwords based on the website they are being used on. The
user would enter their normal password: any word or phrase they want, and based on the
website, it would map the phrase into a stronger password. The hash would make the
password more secure by adding extra characters and special characters. This seems like
a fantastic and easy way to add an additional level of security; however, their
results say otherwise.
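The site-dependent mapping described above, sketched as an added example; it is not PwdHash's or Password Multiplier's actual algorithm. The function name, the PBKDF2 and HMAC-SHA-256 construction, the iteration count and the `.example` domains are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Output alphabet: 94 printable characters in four classes.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
ITERATIONS = 200_000  # assumed work factor, not taken from either tool


def _encode(block, length):
    """Render a 32-byte block as `length` characters by base-94 conversion."""
    number = int.from_bytes(block, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


def site_password(phrase, domain, length=16):
    """Map the user's phrase and the site's domain to a site-specific password."""
    if not 4 <= length <= 32:
        raise ValueError("length must be between 4 and 32")
    salt = domain.strip().lower().encode("utf-8")
    if not salt:
        raise ValueError("domain must not be empty")
    # Slow step, done once per login. A site that leaks its derived password
    # gives an attacker something to test phrase guesses against offline, so
    # each guess is made expensive.
    key = hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, ITERATIONS)
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        candidate = _encode(block, length)
        # Deterministic retry until upper, lower, digit and symbol all appear,
        # so the result passes typical composition rules.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate
        counter += 1


if __name__ == "__main__":
    # Constructed inputs: one phrase used at two sites.
    for site in ("bank.example", "social.example"):
        print(site, site_password("Apple", site))
```

The derived password changes with the domain, so a password exposed at one site does not unlock another, but every derived password still rests on the strength of the one phrase.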
The majority of candidates had trouble using the software. At times, they thought
they had correctly used it when, in reality, they had not activated the hash mechanism, or
had only activated it once, and assumed that all future passwords would be given the
same treatment. This gives users a false sense of security. It’s possible that this might
cause even weaker passwords because users might believe that there is the additional step
of hashing occurring, when in reality it is not. Additionally, users had no way of
receiving feedback for their actions; specifically, knowing whether or not they activated
the program, or changed passwords. With all of the usability concerns in the study, we
felt that it is best to not include the specific programs, or types of password managers in
our research, as we feel there are better, more usable options. However, we must note that
the Chiasson et al. [9] study made a very important contribution by identifying 4 question
sets that described different aspects of the password management interaction (see Table
1): Perceived Security, Comfort Level with Giving Control of Passwords to a Program,
Perceived Ease of Use, and Perceived Necessity and Acceptance. These question sets
facilitate further research and studies in the field of password management, and provide a
good starting point for our model development.
² Hashing is when a password goes through a function and turns into a cryptic set of
characters. The same password will always end up as the same cryptic set of characters,
and the process cannot be reversed. Ex. “Apple” will always turn into “3nF@7A83.”
However, “Apples” will always turn into “Bs8a$Cf1.”
Perceived Security
  - My passwords are secure when using PwdHash.
  - I do not trust PwdHash to protect my passwords from cyber criminals.
Comfort Level with Giving Control of Passwords to a Program
  - I am uncomfortable with not knowing my actual passwords for a web site.
  - Passwords are safer when users do not know their actual passwords.
Perceived Ease of Use
  - PwdHash is difficult to use.
  - I could easily log on to web sites and manage my passwords with PwdHash.
Perceived Necessity and Acceptance
  - I need to use PwdHash on my computer to protect my passwords.
  - My passwords are safe even without PwdHash.
Table 1: Question Set with Sample Questions from Chiasson Study [9].
In a study by Karole et al. [10], three types of password managers are tested for
usability: phone (KeePassMobile), USB (RoboForm2Go), and online (LastPass). In this
study, phone is similar to desktop-based password management software, except the
software is solely installed on a phone, and not connected to the cloud. This adds
usability in the form of a mobile database. USB is also similar to desktop-based password
managers; however, with the added functionality of being available on a mobile USB
stick. The online version refers to the cloud-based, which was mentioned earlier.
The Karole et al. [10] study uses the question set from the Chiasson et al. [9]
study, editing only the specific questions to fit into the type of password management
software. The study was focused and touted primarily as a usability study, with a few extra
questions relating to the constructs found in the Chiasson study. In the end, the study
found that users had an easier time performing tasks with the online password manager,
as opposed to USB, and especially phone. Interestingly, however, their findings also
showed that users preferred cloud-based password managers least, out of the three
options, which the authors attributed to lack of trust in the online software. Users likely
did not find the software secure enough to allow it to gain control of all of their
passwords. We seek to integrate the above two studies by incorporating trust in password
manager usability studies.
These two studies, while making important contributions, have their drawbacks.
For one, both studies have a relatively small number of participants, the first having 26
people, and the second study having only a sample pool of 20 people. It’s difficult to
assume that the general population will have similar feelings with password managers
based on such a small sample. Additionally, neither of the studies looks at the adoption rates
of password managers. In the second study [10], users deemed cloud-based password
managers as being very easy to use; however, that doesn’t mean much if they don’t
actually use the program after the study is over. Security research is generally conducted
in order to promote better security practices. If better methods of security exist but are not
being taken advantage of, then it is obvious that there is a serious discrepancy that needs
to be addressed. The first way to discover if there is a disparity or not is by having
accurate adoption rates.
Moreover, little research has been done into figuring out the underlying reasons
for the adoption rates, and average users’ attitudes towards password management
software. The question sets identified by [9], and later reused by [10] are a great first step
towards figuring out the beliefs of users, but there needs to be more concrete reasoning.
What is it about the technology that makes users like them, or hate them? Is it possible
that average users simply do not know that the technology exists? Once they hear about
the technology, are they more likely to use it? Would students consider using this type of
software if it was made available to them for free, either by a separate company or possibly
by a school? All of these questions are important in continuing the discussion of password
managers, in the pursuit of better security practices.
In the Karole et al. [10] study, of the 20 participants, 10 were college students
acquiring a technical degree. In agreement with their sample population, we felt it is of
great importance to focus on college students. As more and more companies are realizing
the importance of the college student market, it’s imperative that password management
companies do the same. For the same reasons that credit card companies target college
students, and Spotify and Amazon offer lower-priced college discounts, password
management software companies must target college students with discounts in order to
grab a hold of that age bracket, and attract them towards the usability and security of
password managers. With this thinking in mind, we plan to focus our research
specifically on college students at the University of Massachusetts Boston.
Our first hypothesis is that adoption levels of password managers will be
extremely low. Simply based on preliminary conversations with students and colleagues
in the university, we realized that not many people even understood what a password
manager was or did. Additionally, for this exact reason, we also hypothesized that
awareness of the technology and software will be low. Simply put, people won’t know
that the technology exists, and that, we think, is one of the major factors in why people
aren’t adopting the technology. Our last hypothesis is that people will perceive the
technology to be easy to use and useful, meaning those constructs, stemming from the
Technology Acceptance Model, will be consistently rated on the higher end. If all our
hypotheses are correct, then we will have essentially carved out 2 groups of people:
people who have used password managers and believe they are easy to use and useful,
and people who have never heard of them before or have never actually used them.
Understanding why people use password managers will provide guidance for people who
haven’t yet adopted similar tools, thereby improving their authentication security.
3. Study Design
In order to validate our hypotheses, we conducted a study to discover the levels of
adoption of password managers across universities while specifically looking at students
at the University of Massachusetts Boston. Additionally, we set out to determine the
underlying reasons for the current levels of adoption, and to see if there were any
correlations between interest or intent to use and other possible attitudes regarding the
software.
3.1. Overview
We surveyed students at the University of Massachusetts Boston, in IT courses
and general business courses. We first showed the participants a two-minute long
advertisement from 1Password, a popular cloud-based password manager, which offers a
good explanation of password managers, how they work, and why they might be a better
option for the average consumer; see Figure 7 for screenshots of the video. The video was
shown on a projector to the entire classroom. Afterwards, we distributed a single-sided
27-part Likert-scale questionnaire, mainly composed of general password management
questions, history with password management software questions, and a few qualifying
and self-identification questions. All of the surveys were completed in person, and took
an average of 5-10 minutes.
3.2. Participants
Exactly one hundred responses were collected. All of the participants were
undergraduate students enrolled in the University of Massachusetts Boston. Of the
participants, 61 were male, and 37 were female. As mentioned, the questionnaire was
distributed in business or IT courses; as such, the majority of the participants were
majoring in business or technology related fields. 64 of the students had business related
majors (Accounting, Marketing, Finance, Supply Chain, etc.), and 32 had technology
related majors (Information Technology, Management Information Systems, and
Computer Science). In addition, there was a sprinkling of other majors such as Art,
Economics, and Mathematics.
Figure 7: Screenshots from 1Password Advertisement
Source: https://vimeo.com/88901304
3.3. Model Development
In developing our model, we relied heavily on two prior works: The Technology
Acceptance Model and the question set in the Chiasson study, see Table 1 [11].
Chiasson’s question sets include Perceived Security, Comfort Level with Giving Control
of Passwords to a Program, Perceived Ease of Use, and Perceived Necessity and
Acceptance. The scales were based on previous studies contextualized for password
managers. For example, Perceived Ease of Use and Perceived Usefulness were drawn
from the Technology Acceptance Model [11]. We captured the concept of Perceived
Security with a more established construct of Trusting Belief-Specific Technology—
Functionality taken from McKnight’s Trust in a Specific Technology [12]. We felt this
was important because security is really the main function of password managers, and the
questions derived from this construct could easily be reworded for our study.
Chiasson’s construct, Comfort Level with Giving Control of Passwords to a
Program, was replaced with another of McKnight’s more established constructs from his
Trust in a Specific Technology paper, Trusting Stance—General Technology [12]. This
would also be useful to cross reference other constructs to see if a participant’s answers,
specifically with interest to use, would be swayed through their general trust in
technology. Finally, we added another construct which stemmed from information
security Fear Appeal research, Perceived Severity, which can also tie into necessity: if
users believe the severity is high enough, their necessity for such a product will also
likely be high [13]. All of these prior works mentioned contained questions for each
construct. We reused a great deal of these questions, and reworded them to fit our
context. We felt these constructs would help us determine the underlying feelings that
people have towards password managers. See Table 2 for the Constructs, Definitions, and
Sample Items.
3.4. Limitations
This study is not without some limitations. There was an obvious need to explain
password managers to users, and we deemed the best possible way to do that was through
a video. We thought users would not understand or care enough to read a paragraph
explaining password managers and answer a survey based on the paragraph, therefore, we
decided on a video advertisement. This introduced another limitation: after a thorough search on
the internet, there were limited options for videos that explained what password managers
were and that were less than 2 minutes long. 1Password’s advertisement was the only
real possibility of showing a video in classes. The responses might be specific to
1Password. Additionally, although we gained 100 responses, about 1/3 were technology
students, which might have skewed the statistics and caused generalizability issues across other
respondents.
Variable / Construct - Definition; Sample Items
Perceived Ease of Use - “The degree to which a person believes that using a particular
system would be free of effort.” [11]
  - Learning to operate a password manager would be easy for me.
  - I would find it easy to get a password manager to do what I want it to do.
Perceived Usefulness - “The degree to which a person believes that using a particular
system would be free of effort.” [11]
  - Using a password manager would enable me to manage my passwords more quickly.
  - I would find a password manager useful in managing my passwords.
Perceived Necessity - The degree to which users believe that using a particular system
would be necessary for them. [9]
  - I need to use a password manager to protect my passwords.
  - My passwords are safe even without using a password manager.
Perceived Threat Severity - “‘How serious the individual believes that the threat would
be’ to himself- or herself.” [15][13]
  - If I were to have my password compromised, I would suffer a lot of pain.
  - Having my password hacked would be likely to cause me major problems.
Trusting Belief-Specific Technology—Functionality - “Users consider whether the
technology delivers the functionality promised by providing features sets needed to
complete a task.” [14]
  - 1Password has the functionality I need.
  - 1Password has the ability to do what I want it to do.
Trusting Stance—General Technology - “The degree to which users believe that positive
outcomes will result from relying on technology.” [12]
  - My typical approach is to trust new technologies until they prove to me that I
    shouldn’t trust them.
  - I generally give technology the benefit of the doubt when I first use it.
Table 2: Constructs, Definitions, and Study Measurement Items
4. Findings
After watching the video, users perceived password managers to be very useful
and very easy to use. Additionally, they felt that a possible password hack would be very
severe for themselves. Moreover, during the actual survey, multiple users asked questions
similar to “Does this actually exist?” which almost foreshadows the low awareness and
even lower adoption rates that our study would later discover.
4.1. Awareness, Adoption & Interest
We posed three questions towards awareness, adoption, and future interest of
password managers. When asked if they had ever heard of password managers before
watching the video, 39% answered yes, see Figure 8. Of the 39, 13 had actually used a
password manager, which means 66% of people who had heard of password managers
before, have never actually used one. However, of the remaining 26 that had heard of
password managers but had never used one, 10 were still interested in actually using a
password manager in the future. Of course, no technology will be universally praised; the
fact that 1/3 of people that are aware are using one, and that almost another 1/3 are also
possibly interested, is a promising statistic.
As mentioned, the final question in this section dealt with future interest in using
password managers. Of the 100 participants, 57 indicated that they are interested in using
a password manager, which is a very good statistic, see Figure 8. Most promising,
however, is the ratio of people made aware to people interested in using. As previously
mentioned, 39 people had heard of password managers, meaning 61 had never heard of
them before. Of these 61 who had never been made aware of the technology, 40
indicated that they were now interested in using the technology. More than 66% of all
people that hear about password managers are interested in using the technology in the
future; that number is staggeringly high for a technology that has been around for so long,
and that until now, has had fairly low adoption rates.
We then looked to see if there were differences between technology and non-
technology majors, specifically whether major matters in terms of exposure and adoption
of password managers, see Figure 8. Awareness refers to question 19 of the survey which
asks if they’ve heard of password managers, adoption refers to question 20 of the survey
which asks if they use password managers, and interest refers to question 21 which asks
if they’re interested in using password managers, see Appendix A for the questionnaire.
Of the technology students, 59% had heard of password managers before watching the
video, compared with only 31% of non-tech students. As one might expect, technology
majors were generally more aware and knowledgeable of password managers before the
study. Additionally, 25% of tech students are actually using password managers, a much
higher number than the 8% of non-technology students, which can be explained by
looking at the awareness of the technology. However, what was most interesting was that
only 41% of technology students were interested in using password managers after the
study concluded, as opposed to 63% of non-technology students. Although awareness of
the technology was low for non-tech students, their interest in using the product is much
higher than that of technology students.
Figure 8: Exposure to Password Managers: Tech Majors vs. Non-Tech Majors
4.2. General Password Management
As part of our survey, we also included sections on general password
management, essentially how users are currently managing their passwords. When asked
if they reuse passwords, 62% of users said yes. We anticipated this number to be higher,
as previous research regarding this question yielded numbers upwards of 80% [1].
However, there is still a possibility that we are not far off, because 20% of participants
left this question blank; a good portion answered every single other question, but
consistently left this one question unanswered. We believe there’s some factor of
embarrassment or guilt involved with admitting that they reuse passwords. They likely
understand the seriousness of such a practice, yet there’s no other way for them to cope
with the increasing demands of password management. It’s also possible that they didn’t
feel safe disclosing that information in this anonymous survey; they might have felt that
the survey taker was going to go after them after the study to try to hack into their
accounts.
We asked participants to figure out how many internet accounts they currently
have. According to a Microsoft study done in 2007, users had on average 25 internet
accounts. We assumed this number would have only gone up with 9 added years
of account creation; however, our data shows otherwise. Of the participants, 36%
answered that they have 6-10 internet accounts, with 26% answering 11-15 internet
accounts. Only 18% of the participants combined to answer either 21-25 or 25 and up.
We attempted to give suggestions for the types of accounts that one may hold; however, it’s
possible that the participants were trying to answer this question as quickly as possible,
and likely did not give it as much thought as someone in the Microsoft study.
Additionally, we asked participants to describe their most common password
by selecting from a list of 4 criteria: 8+ characters, 1+ special character, 1+ number,
and 1+ uppercase character. This also gave some interesting results. Of the participants,
41% had a special character [!@#$%&*] in their most common password. That statistic
is a great indication that users understand the importance of added security for their
passwords. Additionally, of the participants, 77% had 8+ characters in their most
common password, another good sign that users are increasing the complexity and
length of their passwords.
4.3. Underlying Attitudes
After watching the video, the users were asked Likert-scale questions based
on the constructs that we had predetermined, see Table 2. The responses were then
converted to a 1-5 score: strongly disagree being 1, neutral being 3, and strongly agree
being 5. As we had hypothesized, perceived ease of use and perceived usefulness were
both rated high on average, with average perceived ease of use rating at 4.09, and average
perceived usefulness rating at 4.035. This shows that users perceive the technology to be
easy to use and useful enough that they would consider using it in the future. Perceived
Severity was also rated very high, with an average of 4.07 on the Likert scale. The trust in
functionality construct was rated above neutral with an average of 3.6. Finally, the
average trust of technology came in at 3.28, meaning our users were generally neutral
about initially trusting technology, with a slight leaning towards trusting it.
5. Discussion
After analyzing our data, specifically cross-referencing the constructs with other
criteria, we came across some interesting findings. One of the questions asked users if
they are interested in using password managers after watching the video; 57% of users
said Yes. However, if this is cross-referenced with the constructs, quite a large number of
statistically significant results show up. In every construct, users have a higher average if
they also indicate that they have interest in using password managers after participating
in the study, see Figure 9. The more that a user perceives the technology to be useful,
easy to use, necessary, and functionally trustworthy, the greater the chance that they will
have an interest in using the technology in the future. Additionally, average trust in
technology was rated at 3.28 for the overall group; however, when looking specifically at
users who indicated interest in using password managers, that number increases to 3.47.
Although not a big jump, it’s still an increase from the average. Users who typically trust
technology are more likely to use password managers.
Figure 8: Interest in Using and Average of Construct
Our three hypotheses were correct. Perceived Ease of Use and Perceived
Usefulness were both rated highly. Awareness of password management software was
low, 39%. Additionally, the actual usage, or adoption, of password management software
was even lower, with 13% of participants indicating that they had used the software. This
shows the obvious disconnect between users and producers of the technology. The
software works, and it’s perceived to be useful and easy to use; however, people do not
actually know that it exists until someone shows them a video like this. And as an
obvious result, people are not actually using this technology.
6. Conclusion
Based on our research, we think that users fully agree that the technology will be
easy to use, and be useful in helping them manage their passwords. We conclude that a
good majority are reusing their passwords, or perhaps feel guilty about admitting to
reusing their passwords. A good majority of users had never heard of password managers
before the study, 61%, and yet of these 61, 40 said they would be interested in using
password managers after the study was over. If we combine all of these facts together, we
come to one conclusion: password management software companies are not doing
enough to expose the technology to users. If 66% of users who heard of password
managers had interest in using the technology, then the number of people who had
actually used the software before should have been much higher.
Password management companies need to run advertisements and market their
software better. Currently the only way to actually see the video advertisement used in
our study is to go to the 1Password website. However, if a user already knows to go to
their website, they’ve been exposed to it before, or have heard about 1Password from
word of mouth; either way, there’s some underlying interest in using it. Unfortunately, a
good majority of users do not actually know of and have not been exposed to password
managers; therefore, although the video might do a great job of converting and arousing
interest in password managers, there’s no current way to view it without knowing about
it. It’s almost like a Catch-22: you won’t have watched the video unless you already
know it exists, and the point of the video is to create exposure and increase demand. The
video is not doing much for the company if it lies hidden on their website; they need to
market it better, ideally through television. If they can create more exposure for the
advertisement, I think there’s a real chance for a boom for password managers.
Another idea might be for companies like AgileBits, maker of 1Password, to
partner up with universities, like UMass Boston, to offer its product to students. They
might discount it even further; although this might seem like taking a loss for right now, once
users are dependent and have experience in using 1Password, they are likely to be hooked
for life. This model is what companies like Spotify rely on, a 3 month trial for 99 cents, or
half price for students, because they understand that if students can be hooked onto the
service, they’re very likely to continue using the service after the trial period has ended.
Password managers are no different; in fact this model might be even more beneficial for
them because users would be relying on the password manager for all of their passwords
and accounts. 1Password needs to begin partnerships with universities to create more
exposure for their brand. Through this, and only this, will this software really catch on,
and maybe then, we can no longer live in fear of password breaches.
References
1. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., ... &
Cranor, L. F. (2010, July). Encountering stronger password requirements: user
attitudes and behaviors. In Proceedings of the Sixth Symposium on Usable Privacy
and Security (p. 2). ACM.
2. Herley, C. (2009, September). So long, and no thanks for the externalities: the
rational rejection of security advice by users. In Proceedings of the 2009 workshop on
New security paradigms workshop (pp. 133-144). ACM.
3. Huth, A., Orlando, M., & Pesante, L. (2012). Password security, protection, and
management. United States Computer Emergency Readiness Team.
4. Florencio, D., & Herley, C. (2007, May). A large-scale study of web password habits.
In Proceedings of the 16th international conference on World Wide Web (pp. 657-
666). ACM.
5. Schaffer, K. (2011). Are Password Requirements too Difficult? Computer, 44(12),
90-92.
6. Password Haystacks: How Well Hidden is Your Needle? (2012, March 28). Retrieved
December 1, 2015, from https://www.grc.com/haystack.htm
7. Devillers, M. M. (2010). Analyzing password strength. Radboud University
Nijmegen, Tech. Rep.
8. LastPass Password Manager. (2016, May 17). Retrieved May 17, 2016, from
https://play.google.com/store/apps/details?id=com.lastpass.lpandroid&hl=en
9. Chiasson, S., van Oorschot, P. C., & Biddle, R. (2006, August). A Usability Study
and Critique of Two Password Managers. In Usenix Security (Vol. 6).
10. Karole, A., Saxena, N., & Christin, N. (2011). A Comparative Usability Evaluation of
Traditional Password Managers. In Information Security and Cryptology-ICISC 2010
(pp. 233-251). Springer Berlin Heidelberg.
11. Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance
of information technology. MIS Quarterly, 13(3), 319-340.
12. McKnight, D. H., Carter, M., Thatcher, J. B., & Clay, P. F. (2011). Trust in a specific
technology: An investigation of its components and measures. ACM Transactions on
Management Information Systems, 2(2), 1-15.
13. Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do
system users have to fear? Using fear appeals to engender threats and fear that
motivate protective security behaviors. MIS Quarterly, 39(4), 837-864.
14. McKnight, D. H. (2005). Trust in Information Technology. In The Blackwell
Encyclopedia of Management, Management Information Systems, G. B. Davis, Ed.,
Blackwell, Malden, MA, Vol. 7, 329–331.
15. Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional
interventions to promote exercise participation: Protection motivation theory and
implementation intentions. British journal of health psychology, 7(2), 163-184.
Appendixes
Appendix A. Questionnaire
Please respond to the following statements by marking a circle next to the statement.
Note: The information you provide is confidential and we are not collecting any identifying information.
There is no right or wrong answer – we just need your opinion.
Strongly Disagree / Disagree / Neutral / Agree / Strongly Agree
1. Learning to operate a password manager would be easy for me. ○ ○ ○ ○ ○
2. I would find it easy to get a password manager to do what I want it to do. ○ ○ ○ ○ ○
3. My interaction with a password manager would be clear and understandable. ○ ○ ○ ○ ○
4. I would find a password manager easy to use. ○ ○ ○ ○ ○
5. Using a password manager would enable me to manage my passwords more quickly. ○ ○ ○ ○ ○
6. Using a password manager would enable me to manage my passwords more efficiently. ○ ○ ○ ○ ○
7. Using a password manager would enable me to manage my passwords more easily. ○ ○ ○ ○ ○
8. I would find a password manager useful in managing my passwords. ○ ○ ○ ○ ○
9. I need to use a password manager to protect my passwords. ○ ○ ○ ○ ○
10. My passwords are safe even without using a password manager. ○ ○ ○ ○ ○
11. If I were to have my password compromised, I would suffer a lot of pain. ○ ○ ○ ○ ○
12. Having my password hacked would be likely to cause me major problems. ○ ○ ○ ○ ○
13. 1Password has the functionality I need. ○ ○ ○ ○ ○
14. 1Password has the features required for my tasks. ○ ○ ○ ○ ○
15. 1Password has the ability to do what I want it to do. ○ ○ ○ ○ ○
16. My typical approach is to trust new technologies until they prove to me that I shouldn’t trust them. ○ ○ ○ ○ ○
17. I usually trust a technology until it gives me a reason not to trust it. ○ ○ ○ ○ ○
18. I generally give technology the benefit of the doubt when I first use it. ○ ○ ○ ○ ○
19. Had you heard of password managers before watching the video? Yes No
20. Have you ever used a password manager? Yes No
Which one? ________________________
21. After watching the video are you interested in using a password manager? Yes No
22. Which of the following applies to your most common password?
☐ 8+ Characters ☐ 1+ Numbers
☐ 1+ Special Characters ☐ 1+ Uppercase Characters
23. Do you reuse passwords? Yes No
24. How many internet accounts do you have? (Consider social networks, banking, email, shopping, etc.)
☐ 0-5 ☐ 11-15 ☐ 21-25
☐ 6-10 ☐ 16-20 ☐ 26+
25. Age: ______________
26. Gender: ______________
27. Field of Study: __________________________

  • 1. Password Managers: Attitudes & Adoption Olger Hoxha Professor Ramakrishna Ayyagari University of Massachusetts Boston May 2016
  • 2. 2 1. Introduction As society continues to become more globalized, the importance of data and information increases as well. In the modern world, people are carrying out banking transactions on their phones, posting about their day on social media, and purchasing goods online more and more everyday. With this surplus of information, there is also a growing need to secure these transactions. Secure authentication techniques and Unique IDs are vital towards the integrity of the information posted and transacted online. In this information age, hackers are improving their methods of intrusion, forcing authentication experts to discover and create numerous ways to authenticate users through various platforms. Text-based passwords, RFID tokens1 , and biometrics are just a few of the different ways that users can authenticate themselves. Although some of these methods are more secure than others, when a cost-benefit analysis is run, the added user effort causes them to fail tragically compared to text-based passwords [2]. In theory, text-based passwords do a fantastic job of securely authenticating a user. For example, a relatively simple password such as “Apple123$” would take around 2.03 hundred thousand centuries to brute force into, assuming 1 thousand guesses a second; or 1.77 hours assuming 1 trillion guesses a second. Simply repeating the password to be “Apple123$Apple123$” would cause the time to rise to around 1.28 hundred billion trillion centuries, or 1.28 trillion centuries, respectively [6]. A complex password consisting of upper and lowercase characters, numbers, and symbols is virtually impossible to hack into, especially if 12 characters or more. According to the same 1 RFID, Radio-frequency identification, is a technology in which a device is used to identify someone or something near by, wirelessly.
  • 3. 3 calculator, 10 characters would take a week, 11 characters would take 1.83 years, and 12 characters would take 1.74 centuries, assuming 1 trillion guesses a second [6]. As great as text-based passwords are in theory, in practice, they can definitely prove to be unsecure. The reason for that is that users tend to create simple and easy to guess passwords. According to a study, 62% of users created passwords of 10 characters or less [1]. Although that seems like a big number, according to the Brute Force calculator that would take 1 week to crack assuming 1 trillion guesses a second [6]. In a famous example, RockYou, a company developing widgets and games for social media websites such as Facebook or Myspace, had been storing users’ account information in plain text format in a database. This turned into catastrophe in 2009 when the RockYou database was hacked and the company’s 32 million user accounts were released to the public. Since then, researchers have analyzed the passwords to discover a very interesting statistic: the top 10,000 most common passwords make up 22% of all passwords on the site [7]. That means that it would take a hacker, according to the haystack calculator, 10 seconds to go through that list on an online database, and they would have a 22% chance of getting a hit on a random account; a 1 in 5 chance of opening an account, easily resulting in 1 unlocked account each minute. Users are the weakest link in the authentication chain, but it doesn’t just stop there. Of course, a user could definitely and easily add an extra character or two to that password which would add a whole new level of security, however, if a data breach occurred, similar to the RockYou website, the user would still be greatly affected. In theory this should not be the case, as one password being exposed in a website should not be worrying users about the potential problems in another website. Security professionals
  • 4. 4 and researchers constantly try to educate the public of the benefits of having unique passwords for each account and each website. But do they listen? It’s very obvious that the answer is a profound “No.” Studies show that more than 80% of users tend to reuse passwords in multiple places [1]. This opens them up to serious security vulnerabilities; if their password were to be hacked in one website, many of their other accounts could be vulnerable to an intruder as well. A study by researchers at Microsoft tells us that users had 25 accounts on average in 2007 [4]. Almost 9 years later, this number has almost definitely increased, which essentially means that the task of creating and memorizing 25+ completely different passwords each with 10-14 characters or more, is daunting, if not simply impossible for the average user. As password breaches become more and more common, security experts are continually increasing their recommendations for the number of characters and complexity of passwords. However, these requirements are too high for the public, and users subsequently tend to fall short. With these increasing requirements, an older technology is becoming relevant again to bridge the gap between recommendations and actual usage: password managers. 2. Password Managers A password manager is “software for storing all our passwords in one location that is protected and accessible with one easy-to-remember master passphrase” [3]. Additionally, the software is able to generate passwords based on criteria that one desires, i.e. uppercase character, lowercase character, number, symbol, and minimum or maximum length. The main purpose of the software is to keep all of your secure passwords in an encrypted database, either online or on your computer, that can only be accessed with the master passphrase. This frees users from having to remember 25
  • 5. 5 different passwords; they would only need to remember 1 complex password. A recommendation would be at least a 12 character alphanumeric password with a symbol. According to the Brute Force calculator, that would take a supercomputer 1.74 centuries [6]. Which, from a security standpoint, is more than adequate enough for the purposes of daily use. 2.1. Browser-based There are three types of password managers; although mainly the same design, their slight variances add major degrees of usability for users. The main type that users might have come across is browser-based password management. For the past few years, browsers have started “remembering” passwords; some even offer to generate a password for the user. After entering a username or a password on almost any website, a popup asks if you’d like to save this account and password for future use, see Figure 1 for an example. After saying yes, the next time one tries to log into the site, the username and password will already have been entered in for you. This type of password management is high on the usability scale because it makes authentication seamless. Most times, you can just click on a website, and you are already logged in, no need to click authenticate at all. On the other side, this fails the security requirement. The database is essentially wide open. If someone were able to steal their laptop, all of their accounts would be completely vulnerable. Although the thief might not be able to see their passwords, depending on the browser, they would have full access to the user’s accounts because there is no security check or authentication in order for the password to populate automatically. However, on some password managers, there is no additional security check before showing all of the passwords in plain text; this is a serious security concern.
  • 6. 6 2.2. Desktop-Based (KeePass) Another type of password management is desktop-based software. This type of system is generally “hidden” in the taskbar or menu bar of the computer. If a user comes across a website requiring authentication, they would open the program on the taskbar, enter their complex password, and be shown a list of all of their passwords. They can then search for the website, and copy and paste their username and password to their browser. This type of password management has a medium level of usability. It requires users to open a separate application and enter a complex password in order to find their password for that website, which could add 10-15 seconds to authenticate the account; this easily adds up considering users are likely logging in 7-10+ times a day. In addition, it requires users to be on the original computer to actually access the passwords, making it impossible to access accounts if on a different computer. On the other hand, this type of software is high on the security scale because all of the passwords are encrypted, and even if someone were to steal the computer, they would not be able to access the database, if the master passphrase is complex enough. As an example, let’s look at a popular free, open source option, KeePass. When you first open up the program, it will require the master passphrase, see Figure 3. After entering in the correct master passphrase, the user is shown the main menu of the program, see Figure 4. On the left side of the program is a database with different groups and folders for the corresponding accounts. A Facebook or Twitter account could go into a folder called “Social Media”, and Bank of America could go into a folder called “Banking,” to make the user experience easier. In the middle of the screen is the list of username and password entries. The password is not shown even after
  • 7. 7 arriving at this screen, and instead, only the copy function for the password is allowed. This adds an additional level of security against a possible “shoulder surfer.” The new entry page has a number of features geared towards security, see Figure 5. In the middle of the screen is a loading bar, notifying the user of the level of security of their password. The lower the quality, the easier the password is to hack or possibly guess. This could help users understand what a strong password actually entails. In addition, it might be a wake up call for some users who believed that their password is “good enough” only to find out it’s actually a very weak password. In addition, on the right side of the password field are buttons that lead to the built-in password generator, see Figure 6. This allows the user to dictate the necessary requirements for a password, and the program will generate the strongest password possible out of the requirements. The user no longer has to worry about if a password is strong enough or not, because the program will take care of that step. Since there is no longer a need to remember passwords, other than the master password, the generated passwords can be 30+ digits long without an issue, creating the most secure passwords possible.
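The criteria-driven generator described above and the brute-force estimate cited from [6] in Section 2, sketched together as an added example; this is not KeePass's or the calculator's own code. The function names and the attacker rate of 100 trillion guesses per second are assumptions (the paper only says "a supercomputer"), and the estimate covers exhaustive search only, not dictionary-style guessing.

```python
import secrets
import string

# Character classes matching the generator criteria named in the text.
# Symbols are the 32 ASCII punctuation marks plus the space, so the four
# classes together cover the 95 printable ASCII characters.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}
PRINTABLE = set("".join(CLASSES.values()))

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
# Assumption (not from the paper): an attacker testing 100 trillion guesses/s.
ASSUMED_GUESSES_PER_SECOND = 10**14


def generate_password(length=30, required=("upper", "lower", "digit", "symbol")):
    """Random password with at least one character from each required class."""
    required = tuple(dict.fromkeys(required))  # drop duplicates, keep order
    unknown = [name for name in required if name not in CLASSES]
    if unknown or not required:
        raise ValueError(f"need one or more known classes, got {required!r}")
    if length < len(required):
        raise ValueError("length is too short to include every required class")
    pool = "".join(CLASSES[name] for name in required)
    # One guaranteed character per class, the remainder from the whole pool.
    chars = [secrets.choice(CLASSES[name]) for name in required]
    chars += [secrets.choice(pool) for _ in range(length - len(required))]
    # Shuffle with the OS CSPRNG so guaranteed characters are not at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def alphabet_size(password):
    """Characters an exhaustive search must try per position: the combined
    size of every class that actually occurs in the password."""
    if not set(password) <= PRINTABLE:
        raise ValueError("only printable ASCII passwords are supported here")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Count of all candidates of length 1..len(password) over that alphabet."""
    size = alphabet_size(password)
    return sum(size ** n for n in range(1, len(password) + 1))


def centuries_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time for exhaustive search, in centuries."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


if __name__ == "__main__":
    sample = "Tr0ub4dor&3x"  # constructed 12-character sample, all four classes
    print(alphabet_size(sample), f"{centuries_to_exhaust(sample):.2f} centuries")
    strong = generate_password(30)
    print(repr(strong), f"{centuries_to_exhaust(strong):.3g} centuries")
```

With a 365.25-day year the 12-character sample comes out at roughly 1.7 centuries, in line with the figure the paper quotes from [6].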
  • 8. 8 Figure 1: Do you want to remember this password in Internet Explorer Source: https://blogs.msdn.microsoft.com/ieinternals/2009/09/10/why-wont-ie-remember-my-login-info/ Figure 2: Stored User Names and Passwords in Windows & Internet Explorer Source: http://www.howtogeek.com/howto/windows-vista/create-a-shortcut-to-the-stored-user-names-and-passwords-dialog-in-windows/
  • 9. 9 Figure 3: Entering the Master Password in KeePass Source: http://keepass.info/screenshots.html Figure 4: KeePass’ Main Program Window Source: http://keepass.info/screenshots.html
  • 10. 10 Figure 5: KeePass’ New Password Entry Window Source: http://keepass.info/screenshots.html
  • 11. 11 Figure 6: KeePass’ Password Generator Window Source: http://keepass.info/screenshots.html
  • 12. 12 2.3. Cloud-based The last version of password management systems is cloud-based. It is very similar to desktop-based systems; however, as the name implies, the databases are stored on the “cloud,” in other words, remote 3rd party servers. Generally, these databases are accessible through a website. As with desktop-based systems, a single complex master password is required to gain access to the database. An added functional piece is the accessibility of the passwords through mobile devices. As an example, Figure 7 has screenshots of an online advertisement for 1Password, a popular cloud-based password manager. The first screenshot shows the consolidation of all of the accounts into one list or vault. The next screenshot demonstrates how the interface is built into the web browser, and after entering the master passphrase, the user is shown that the iCloud information is available. Additionally, similar to KeePass, a password generator is available directly in the browser. The last screenshot is the program, 1Password, operating on a mobile device, alluding to the cloud functionality and the added usability in terms of portability. Of course, 1Password is not the only cloud-based password manager in existence that offers mobile apps. LastPass, for example, has been downloaded between 1,000,000 and 5,000,000 times on the Google Play store, and as of May 17, 2016, has been rated an average of 4.6/5.0 based on 74,329 reviews [8]. This not only maintains the high level of security required for proper password management, but it also achieves a higher level of usability compared to desktop-based managers by allowing users to access passwords on their phone, or through a quick website if they’re on a different computer.
  • 13. 13 With all of these added security measures and features, one wonders how these types of password managers fare in terms of usability and real life scenarios. Interestingly, there have been only 2 prior papers with a usability study regarding password managers, the first by Chiasson et al. [9], and the second by Karole et al. [10]. The first was a usability study of two desktop-browser password managers, PwdHash and Password Multiplier. These password managers are different than the typical managers we described earlier; instead of essentially acting as a vault, they are browser add-ons that hash² passwords based on the website they are being used on. The user would enter their normal password, any word or phrase they want, and based on the website, the add-on would map the phrase into a stronger password. The hash would make the password more secure by adding extra characters and special characters. This seems like a fantastic and easy way to add an additional level of security; however, their results say otherwise. The majority of candidates had trouble using the software. At times, they thought they had correctly used it, when in reality they had not activated the hash mechanism, or had only activated it once and assumed that all future passwords would be given the same treatment. This gives users a false sense of security. It’s possible that this might cause even weaker passwords, because users might believe that the additional step of hashing is occurring when in reality it is not. Additionally, users had no way of receiving feedback for their actions; specifically, knowing whether or not they activated the program, or changed passwords. With all of the usability concerns in the study, we felt that it is best to not include the specific programs, or types of password managers, in our research, as we feel there are better, more usable options.
    ² Hashing is when a password goes through a function and turns into a cryptic set of characters. The same password will always end up as the same cryptic set of characters, and the process cannot be reversed. Ex. “Apple” will always turn into “3nF@7A83.” However, “Apples” will always turn into “Bs8a$Cf1.”
  • 14. 14 However, we must note that the Chiasson et al. [9] study made a very important contribution by identifying 4 question sets that described different aspects of the password management interaction (see Table 1): Perceived Security, Comfort Level with Giving Control of Passwords to a Program, Perceived Ease of Use, and Perceived Necessity and Acceptance. These question sets facilitate further research and studies in the field of password management, and provide a good starting point for our model development.
    Perceived Security: “My passwords are secure when using PwdHash.” “I do not trust PwdHash to protect my passwords from cyber criminals.”
    Comfort Level with Giving Control of Passwords to a Program: “I am uncomfortable with not knowing my actual passwords for a web site.” “Passwords are safer when users do not know their actual passwords.”
    Perceived Ease of Use: “PwdHash is difficult to use.” “I could easily log on to web sites and manage my passwords with PwdHash.”
    Perceived Necessity and Acceptance: “I need to use PwdHash on my computer to protect my passwords.” “My passwords are safe even without PwdHash.”
    Table 1: Question Set with Sample Questions from Chiasson Study [9].
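The site-specific hashing described above for PwdHash and Password Multiplier, sketched as an added example that is not code from either tool or from the cited study. PBKDF2-HMAC-SHA256 stands in for the hash; the function names, iteration count, output length and character mapping are all assumptions.

```python
import hashlib
import ipaddress
import string
from urllib.parse import urlsplit

# Output character classes; the symbol set is the one quoted in Section 4.2.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, "!@#$%&*")
ALPHABET = "".join(CLASSES)
# Assumed PBKDF2 work factor. It slows offline guessing of the master phrase
# if one site's derived password is ever leaked.
ITERATIONS = 200_000


def site_key(url_or_host):
    """Reduce a URL or host name to the string that identifies the site."""
    text = url_or_host.strip()
    host = urlsplit(text if "//" in text else "//" + text).hostname
    if not host:
        raise ValueError(f"no host name in {url_or_host!r}")
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # literal IP address: use it whole
    except ValueError:
        pass
    # Simplification: keep the last two labels. A real tool needs the Public
    # Suffix List so that e.g. "example.co.uk" is not collapsed to "co.uk".
    return ".".join(host.split(".")[-2:])


def derive_site_password(master, site, length=16):
    """Map one memorized phrase to a different strong password per site.

    The mapping is deterministic, so nothing is stored: the same phrase and
    site always give the same password, and a different site gives an
    unrelated one.
    """
    if not master:
        raise ValueError("master phrase must not be empty")
    if length < len(CLASSES):
        raise ValueError("length is too short to include every character class")
    # Two bytes per output character keep the modulo bias negligible.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_key(site).encode("utf-8"),
                              ITERATIONS, dklen=2 * length)
    numbers = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    # The first four characters come one from each class, so the result always
    # meets common composition rules; the rest draw on the whole alphabet.
    pools = list(CLASSES) + [ALPHABET] * (length - len(CLASSES))
    return "".join(pool[n % len(pool)] for pool, n in zip(pools, numbers))


if __name__ == "__main__":
    phrase = "correct horse"  # constructed sample phrase
    for site in ("https://www.example.com/login", "example.org"):
        print(site_key(site), derive_site_password(phrase, site))
```

Because the derived value depends on the site, a password leaked from one site is not directly usable on another, which is the reuse problem the paper opens with.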
  • 15. 15 In a study by Karole et al. [10], three types of password managers are tested for usability: phone (KeePassMobile), USB (RoboForm2Go), and online (LastPass). In this study, phone is similar to desktop-based password management software, except the software is solely installed on a phone, and not connected to the cloud. This adds usability in the form of a mobile database. USB is also similar to desktop-based password managers; however, with the added functionality of being available on a mobile USB stick. The online version refers to the cloud-based type, which was mentioned earlier. The Karole et al. [10] study uses the question set from the Chiasson et al. [9] study, editing only the specific questions to fit the type of password management software. The study was focused and touted primarily as a usability study, with a few extra questions relating to the constructs found in the Chiasson study. In the end, the study found that users had an easier time performing tasks with the online password manager, as opposed to USB, and especially phone. Interestingly, however, their findings also showed that users preferred cloud-based password managers least, out of the three options, which the author attributed to lack of trust in the online software. Users likely did not find the software secure enough to allow it to gain control of all of their passwords. We seek to integrate the above two studies by incorporating trust in password manager usability studies. These two studies, while making important contributions, have their drawbacks. For one, both studies have a relatively small number of participants, the first having 26 people, and the second study having only a sample pool of 20 people. It’s difficult to assume that the general population will have similar feelings about password managers based on such a small sample. Additionally, none of the studies look at the adoption rates
  • 16. 16 of password managers. In the second study [10], users deemed cloud-based password managers as being very easy to use; however, that doesn’t mean much if they don’t actually use the program after the study is over. Security research is generally conducted in order to promote better security practices. If better methods of security exist but are not being taken advantage of, then it is obvious that there is a serious discrepancy that needs to be addressed. The first way to discover if there is a disparity or not is by having accurate adoption rates. Moreover, little research has been done into figuring out the underlying reasons for the adoption rates, and average users’ attitudes towards password management software. The question sets identified by [9], and later reused by [10], are a great first step towards figuring out the beliefs of users, but there needs to be more concrete reasoning. What is it about the technology that makes users like them, or hate them? Is it possible that average users simply do not know that the technology exists? Once they hear about the technology, are they more likely to use it? Would students consider using this type of software if it was made available to them for free, by either a separate company or possibly a school? All of these questions are important in continuing the discussion of password managers, in the pursuit of better security practices. In the Karole et al. [10] study, of the 20 participants, 10 were college students acquiring a technical degree. In agreement with their sample population, we felt it is of great importance to focus on college students. As more and more companies are realizing the importance of the college student market, it’s imperative that password management companies do the same. For the same reasons that credit card companies target college students, and Spotify and Amazon offer lower-priced college discounts, password
  • 17. 17 management software companies must target college students with discounts in order to grab a hold of that age bracket, and attract them towards the usability and security of password managers. With this thinking in mind, we plan to focus our research specifically on college students at the University of Massachusetts Boston. Our first hypothesis is that adoption levels of password managers will be extremely low. Simply based on preliminary conversations with students and colleagues in the university, we realized that not many people even understood what a password manager was or did. Additionally, for this exact reason, we also hypothesized that awareness of the technology and software will be low. Simply put, people won’t know that the technology exists, and that, we think, is one of the major factors in why people aren’t adopting the technology. Our last hypothesis is that people will perceive the technology to be easy to use and useful, meaning those constructs, stemming from the Technology Acceptance Model, will be consistently rated on the higher end. If all our hypotheses are correct, then we will have essentially carved out 2 groups of people: people who have used password managers and believe they are easy to use and useful, and people who have never heard of them before or have never actually used them. Understanding why people use password managers will provide guidance for people who haven’t yet adopted similar tools, thereby improving their authentication security. 3. Study Design In order to validate our hypotheses, we conducted a study to discover the levels of adoption of password managers across universities while specifically looking at students at the University of Massachusetts Boston. Additionally, we sought out to determine the underlying reasons for the current levels of adoption, and to see if there were any
  • 18. 18 correlations between interest or intent to use and other possible attitudes regarding the software. 3.1. Overview We surveyed students at the University of Massachusetts Boston, in IT courses and general business courses. We first showed the participants a two-minute long advertisement from 1Password, a popular cloud-based password manager, which offers a good explanation of password managers, how they work, and why they might be a better option for the average consumer; see Figure 7 for screenshots of the video. The video was shown on a projector to the entire classroom. Afterwards, we distributed a single-sided 27-part Likert-scale questionnaire, mainly composed of general password management questions, history with password management software questions, and a few qualifying and self-identification questions. All of the surveys were completed in person, and took an average of 5-10 minutes. 3.2. Participants Exactly one hundred responses were collected. All of the participants were undergraduate students enrolled in the University of Massachusetts Boston. Of the participants, 61 were male, and 37 were female. As mentioned, the questionnaire was distributed in business or IT courses; as such, the majority of the participants were majoring in business or technology related fields. 64 of the students had business related majors (Accounting, Marketing, Finance, Supply Chain, etc.), and 32 had technology related majors (Information Technology, Management Information Systems, and Computer Science). In addition, there was a sprinkling of other majors such as Art, Economics, and Mathematics.
  • 19. 19 Figure 7: Screenshots from 1Password Advertisement Source: https://vimeo.com/88901304
  • 20. 20 3.3. Model Development In developing our model, we relied heavily on two prior works: The Technology Acceptance Model and the question set in the Chiasson study, see Table 1 [11]. Chiasson’s question sets include Perceived Security, Comfort Level with Giving Control of Passwords to a Program, Perceived Ease of Use, and Perceived Necessity and Acceptance. The scales were based on previous studies contextualized for password managers. For example, Perceived Ease of Use and Perceived Usefulness were drawn from the Technology Acceptance Model [11]. We captured the concept of Perceived Security with a more established construct, Trusting Belief-Specific Technology—Functionality, taken from McKnight’s Trust in a Specific Technology [12]. We felt this was important because security is really the main function of password managers, and the questions derived from this construct could easily be reworded for our study. Chiasson’s construct, Comfort Level with Giving Control of Passwords to a Program, was replaced with another of McKnight’s more established constructs from his Trust in a Specific Technology paper, Trusting Stance—General Technology [12]. This would also be useful to cross reference other constructs to see if a participant’s answers, specifically with interest to use, would be swayed through their general trust in technology. Finally, we added another construct which stemmed from information security Fear Appeal research, Perceived Severity, which can also tie into necessity: if users believe the severity is high enough, their necessity for such a product will also likely be high [13]. All of these prior works mentioned contained questions for each construct. We reused a great deal of these questions, and reworded them to fit our context. We felt these constructs would help us determine the underlying feelings that
  • 21. 21 people have towards password managers. See Table 2 for the Constructs, Definitions, and Sample Items. 3.4. Limitations This study is not without some limitations. There was an obvious need to explain password managers to users, and we deemed the best possible way to do that was through a video. We thought users would not understand or care enough to read a paragraph explaining password managers and answer a survey based on the paragraph; therefore, we decided on a video advertisement. This brought another limitation: after a thorough search on the internet, there were limited options for videos that explained what password managers were and that were less than 2 minutes long. 1Password’s advertisement was the only real possibility for showing a video in classes, so the responses might be specific to 1Password. Additionally, although we gained 100 responses, about 1/3 were technology students, which might have skewed the statistics and cause generalizability issues across other respondents.
    Variable / Construct - Definition, followed by Sample Items:
    Perceived Ease of Use - “The degree to which a person believes that using a particular system would be free of effort.” [11] Sample items: Learning to operate a password manager would be easy for me. I would find it easy to get a password manager to do what I want it to do.
    Perceived Usefulness - “The degree to which a person believes that using a particular system would be free of effort.” [11] Sample items: Using a password manager would enable me to manage my passwords more quickly. I would find a password manager useful in managing my passwords.
  • 22. 22 Perceived Necessity - The degree to which users believe that using a particular system would be necessary for them. [9] Sample items: I need to use a password manager to protect my passwords. My passwords are safe even without using a password manager.
    Perceived Threat Severity - “‘How serious the individual believes that the threat would be’ to himself- or herself.” [15][13] Sample items: If I were to have my password compromised, I would suffer a lot of pain. Having my password hacked would be likely to cause me major problems.
    Trusting Belief-Specific Technology—Functionality - “Users consider whether the technology delivers the functionality promised by providing features sets needed to complete a task.” [14] Sample items: 1Password has the functionality I need. 1Password has the ability to do what I want it to do.
    Trusting Stance—General Technology - “The degree to which users believe that positive outcomes will result from relying on technology.” [12] Sample items: My typical approach is to trust new technologies until they prove to me that I shouldn’t trust them. I generally give technology the benefit of the doubt when I first use it.
    Table 2: Constructs, Definitions, and Study Measurement Items
    4. Findings After watching the video, users perceived password managers to be very useful and very easy to use. Additionally, they felt that a possible password hack would be very severe for themselves. Moreover, during the actual survey, multiple users asked questions similar to “Does this actually exist?” which almost foreshadows the low awareness and even lower adoption rates that our study would later discover.
  • 23. 23 4.1. Awareness, Adoption & Interest We posed three questions towards awareness, adoption, and future interest of password managers. When asked if they had ever heard of password managers before watching the video, 39% answered yes, see Figure 8. Of the 39, 13 had actually used a password manager, which means 66% of people who had heard of password managers before have never actually used one. However, of the remaining 26 that had heard of password managers but had never used one, 10 were still interested in actually using a password manager in the future. Of course, no technology will be universally praised; the fact that 1/3 of people that are aware are using it, and that almost another 1/3 are also possibly interested, is a promising statistic. As mentioned, the final question in this section dealt with future interest in using password managers. Of the 100 participants, 57 indicated that they are interested in using a password manager, which is a very good statistic, see Figure 8. Most promising, however, is the ratio of people made aware to people interested in using. As previously mentioned, 39 people had heard of password managers, meaning 61 had never heard of them before. Of these 61 who had never been made aware of the technology, 40 had indicated that they were now interested in using the technology. More than 66% of all people that hear about password managers are interested in using the technology in the future; that number is staggeringly high for a technology that has been around for so long, and that until now, has had fairly low adoption rates. We then looked to see if there were differences between technology and non-technology majors, specifically whether major matters in terms of exposure and adoption of password managers, see Figure 8. Awareness refers to question 19 of the survey which
  • 24. 24 asks if they’ve heard of password managers, adoption refers to question 20 of the survey which asks if they use password managers, and interest refers to question 21 which asks if they’re interested in using password managers, see Appendix A for the questionnaire. Of the technology students, 59% had heard of password managers before watching the video, compared with only 31% of non-tech students. As one might expect, technology majors were generally more aware and knowledgeable of Password Managers before the study. Additionally, 25% of tech students are actually using password managers, a much higher number than the 8% of non-technology students, which can be explained by looking at the awareness of the technology. However, what was most interesting was that only 41% of technology students were interested in using password managers after the study concluded, as opposed to 63% of non-technology students. Although awareness for the technology was low for non-tech students, their interest in using the product is much higher than technology students. Figure 8: Exposure to Password Managers: Tech Majors vs. Non-Tech Majors
  • 25. 25 4.2. General Password Management As part of our survey, we also included sections towards general password management, essentially how users are currently managing their passwords. When asked if they reuse passwords, 62% of users said yes. We anticipated this number to be higher, as previous research regarding this question yielded numbers of upwards of 80% [1]. However, there is still a possibility that we are not far off, because 20% of participants left this question blank; a good portion answered every single other question, but consistently left this one question unanswered. We believe there’s some factor of embarrassment or guilt involved with admitting that they reuse passwords. They likely understand the seriousness of such a practice, yet there’s no other way for them to cope with the increasing demands of password management. It’s also possible that they didn’t feel safe disclosing that information in this anonymous survey; they might have felt that the survey taker was going to go after them after the study to try and hack into their accounts. We asked participants to figure out how many internet accounts they currently have. According to a Microsoft study done in 2007, users had on average 25 internet accounts. We assumed this number would have only gone up higher with 9 added years of account creations; however, our data shows otherwise. Of the participants, 36% answered that they have 6-10 internet accounts, with 26% answering 11-15 internet accounts. Only 18% of the participants combined to answer either 21-25 or 25 and up. We attempted to give suggestions as to the type of accounts that one may hold; however, it’s possible that the participants were trying to answer this question as quickly as possible, and likely did not give it as much thought as someone in the Microsoft study.
  • 26. 26 Additionally, we also asked participants to describe their most common password by selecting from the list of 4 criteria: 8+ characters, 1+ special character, 1+ number, and 1+ uppercase character. This also gave some interesting results. Of the participants, 41% had a special character [!@#$%&*] in their most common password. That statistic is a great indication that users are understanding the importance of added security for their passwords. Additionally, of the participants, 77% had 8+ characters in their most common password, another good sign that users are increasing the complexity and length of their passwords. 4.3. Underlying Attitudes After watching the video, the users were asked Likert-scale style questions based on the constructs that we had predetermined, see Table 2. The questions were then converted to a 1-5 score; strongly disagree being 1, neutral being 3, and strongly agree being 5. As we had hypothesized, perceived ease of use and perceived usefulness were both rated high on average, with average perceived ease of use rating at 4.09, and average perceived usefulness rating at 4.035. This shows that users perceive the technology to be easy to use and useful enough that they would consider using it in the future. Perceived Severity was also rated very high, with an average of 4.07 on the Likert scale. The trust in functionality construct was rated above neutral with an average of 3.6. Finally, the average trust of technology came in at 3.28, meaning our users were generally neutral about initially trusting technology, with a slight leaning towards trusting it. 5. Discussion After analyzing our data, specifically cross referencing the constructs with other criteria, we came across some interesting findings. One of the questions asked users if
  • 27. 27 they are interested in using password managers after watching the video; 57% of users said Yes. However, if this is cross referenced with the constructs, quite a large number of statistically significant results show up. In every construct, users have a higher average if they also indicate that they have interest in using password managers after participating in the study, see Figure 9. The more that a user perceives the technology to be useful, easy to use, necessary, and functionally trustworthy, the greater the chance that they will have an interest in using the technology in the future. Additionally, average trust in technology was rated at 3.28 for the overall group; however, when looking specifically at users who indicated interest in using password managers, that number increases to 3.47. Although not a big jump, it’s still an increase from the average. Users that typically trust technology are more likely to use password managers. Figure 9: Interest in Using and Average of Construct Our three hypotheses were correct. Perceived Ease of Use and Perceived Usefulness were both rated highly. Awareness of password management software was
  • 28. 28 low, 39%. Additionally, the actual usage, or adoption, of password management software was even lower, with 13% of participants indicating that they had used the software. This shows the obvious disconnect between users and producers of the technology. The software works, it’s perceived to be useful and easy to use, however, people do not actually know that it exists until someone shows them a video like this. And as an obvious result, people are not actually using this technology. 6. Conclusion Based on our research, we think that users fully agree that the technology will be easy to use, and be useful in helping them manage their passwords. We conclude that a good majority are reusing their passwords, or perhaps feel guilty about admitting to reusing their passwords. A good majority of users had never heard of password managers before the study, 61%, and yet of these 61, 40 said they would be interested in using password managers after the study was over. If we combine all of these facts together, we come to one conclusion: password management software companies are not doing enough to expose the technology to users. If 66% of users who heard of password managers had interest in using the technology, then the number of people who had actually used the software before should have been much higher. Password Management companies need to run advertisements and market their software better. Currently the only way to actually see the video advertisement used in our study is to go to the 1Password website. However, if a user already knows to go to their website, they’ve been exposed to it before, or have heard about 1Password from word of mouth, either way, there’s some underlying interest in using. Unfortunately, a good majority of users do not actually know of and have not been exposed to password
  • 29. 29 managers; therefore, although the video might do a great job of converting and arousing interest in password managers, there’s no current way to view it without knowing about it. It’s almost like a Catch-22: you won’t have watched the video unless you already know it exists, and the point of the video is to create exposure and increase demand. The video is not doing much for the company if it lies hidden in their website; they need to market it better, ideally through television. If they can create more exposure for the advertisement, I think there’s a real chance for a boom for password managers. Another idea might be for companies like AgileBits, maker of 1Password, to partner up with universities, like UMass Boston, to offer its product to students. They might discount it even further; although this might seem like taking a loss for right now, once users are dependent and have experience in using 1Password, they are likely to be hooked for life. This model is what companies like Spotify rely on, 3 month trial for 99 cents, or half price for students, because they understand that if students can be hooked onto the service, they’re very likely to continue using the service after the trial period has ended. Password managers are no different; in fact this model might be even more beneficial for them because users would be relying on the password manager for all of their passwords and accounts. 1Password needs to begin partnerships with universities to create more exposure for their brand. Through this, and only this, will this software really catch on, and maybe then, we can no longer live in fear of password breaches.
References

1. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., ... & Cranor, L. F. (2010, July). Encountering stronger password requirements: user attitudes and behaviors. In Proceedings of the Sixth Symposium on Usable Privacy and Security (p. 2). ACM.
2. Herley, C. (2009, September). So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 workshop on New security paradigms workshop (pp. 133-144). ACM.
3. Huth, A., Orlando, M., & Pesante, L. (2012). Password security, protection, and management. United States Computer Emergency Readiness Team.
4. Florencio, D., & Herley, C. (2007, May). A large-scale study of web password habits. In Proceedings of the 16th international conference on World Wide Web (pp. 657-666). ACM.
5. Schaffer, K. (2011). Are Password Requirements too Difficult? Computer, 44(12), 90-92.
6. Password Haystacks: How Well Hidden is Your Needle? (2012, March 28). Retrieved December 1, 2015, from https://www.grc.com/haystack.htm
7. Devillers, M. M. (2010). Analyzing password strength. Radboud University Nijmegen, Tech. Rep.
8. LastPass Password Manager. (2016, May 17). Retrieved May 17, 2016, from https://play.google.com/store/apps/details?id=com.lastpass.lpandroid&hl=en
9. Chiasson, S., van Oorschot, P. C., & Biddle, R. (2006, August). A Usability Study and Critique of Two Password Managers. In Usenix Security (Vol. 6).
10. Karole, A., Saxena, N., & Christin, N. (2011). A Comparative Usability Evaluation of Traditional Password Managers. In Information Security and Cryptology-ICISC 2010 (pp. 233-251). Springer Berlin Heidelberg.
11. Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319-340.
12. McKnight, D. H., Carter, M., Thatcher, J. B., & Clay, P. F. (2011). Trust in a specific technology: An investigation of its components and measures. ACM Transactions on Management Information Systems, 2(2), 1-15.
13. Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., Polak, P. (2015). What do system users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837-864.
14. McKnight, D. H. (2005). Trust in Information Technology. In The Blackwell Encyclopedia of Management, Management Information Systems, G. B. Davis, Ed., Blackwell, Malden, MA, Vol. 7, 329–331.
15. Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional interventions to promote exercise participation: Protection motivation theory and implementation intentions. British Journal of Health Psychology, 7(2), 163-184.
Appendixes

Appendix A. Questionnaire

Please respond to the following statements by marking a circle next to the statement.
Note: The information you provide is confidential and we are not collecting any identifying information. There is no right or wrong answer – we just need your opinion.

Statements 1 to 18 are each answered by marking one of five circles: Strongly Disagree, Disagree, Neutral, Agree, Strongly Agree.

1. Learning to operate a password manager would be easy for me.
2. I would find it easy to get a password manager to do what I want it to do.
3. My interaction with a password manager would be clear and understandable.
4. I would find a password manager easy to use.
5. Using a password manager would enable me to manage my passwords more quickly.
6. Using a password manager would enable me to manage my passwords more efficiently.
7. Using a password manager would enable me to manage my passwords more easily.
8. I would find a password manager useful in managing my passwords.
9. I need to use a password manager to protect my passwords.
10. My passwords are safe even without using a password manager.
11. If I were to have my password compromised, I would suffer a lot of pain.
12. Having my password hacked would be likely to cause me major problems.
13. 1Password has the functionality I need.
14. 1Password has the features required for my tasks.
15. 1Password has the ability to do what I want it to do.
16. My typical approach is to trust new technologies until they prove to me that I shouldn’t trust them.
17. I usually trust a technology until it gives me a reason not to trust it.
18. I generally give technology the benefit of the doubt when I first use it.
19. Had you heard of password managers before watching the video? Yes / No
20. Have you ever used a password manager? Yes / No. Which one? ________________________
21. After watching the video are you interested in using a password manager? Yes / No
22. Which of the following applies to your most common password?
    ☐ 8+ Characters
    ☐ 1+ Numbers
    ☐ 1+ Special Characters
    ☐ 1+ Uppercase Characters
23. Do you reuse passwords? Yes / No
24. How many internet accounts do you have? (Consider social networks, banking, email, shopping, etc.)
    ☐ 0-5
    ☐ 6-10
    ☐ 11-15
    ☐ 16-20
    ☐ 21-25
    ☐ 26+
25. Age: ______________
26. Gender: ______________
27. Field of Study: __________________________