- Users have misconceptions about what makes passwords secure. They overestimate the security of adding digits and underestimate patterns and common phrases. - The study analyzed how 165 participants rated the security of 25 pairs of similar passwords to identify differences between perceived and actual security. - Results showed participants misjudged the impact of characteristics like capitalization, digits, symbols and word choices on a password's security. Their perceptions did not match the passwords' actual strength measured by cracking times.

1. Do Users’ Perceptions of
Password Security Match
Reality?
+ CHI 2016
- Blase Ur et al.
/ 유혜수
x 2016 Spring

2. 2016-1 UX Labmeeting
Do Users’ Perceptions of Password Security Match
Reality?
서울대학교 융합과학기술대학원
사용자경험 연구실 유혜수
Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicholas Christin, Lorrie Faith Cranor

3. Why this paper
Password Hacking
What’s special about this paper
2
quantitative research
predictability of user chosen passwords has been widely documented
little research investigated on users’ perceptions of password security
security perception: think aloud protocol- qualitative
1
first study comparing users’ perceptions of the security of text passwords

4. Why this paper

5. Why this paper

6. Why this paper

7. Why this paper

8. Why this paper

9. Why this paper

10. About Author
✓ Ph.D. Student, CS @ CMU
✓ Security and Privacy, HCI
Blase Ur [Blazer]

11. Overview
Background
Research Question
Method
Conclusions
• users create predictable passwords BUT users don’t realize how predictable their passwords are
• 165 participation study of users’ perceptions of password security
• Security & Memorability of passwords
• Strategies for password creation & management
• relationship between users’ perceptions of the strength of specific passwords and their actual strength
• misconceptions about the impact of basing passwords on common phrases and including digits and
keyboard patterns in passwords
• design directions for helping users make better passwords
• characteristics of strong & weak passwords should be leveraged to help users create stronger passwords

12. Background
Measuring Password Strength
- 보통 사람들이 password strength를 estimate 하는 방법은 제공된 password meter이다
- 이러한 meters들은 heuristic- based이다
- 텍스트의 길이 혹은 숫자를 고려한것이므로, 실제 password의 strength를 측정하지 않아서 문제이다
Accurate Password Strength Measurement
- Guessability Metric
- Guess number
- How many guesses a particular password cracking approach configured
Prior Work
본 연구에서는,

13. Recruitment
recruited on Amazon’s Mechanical turk (mTurk) platforms
“research study about passwrod security”
Limitation
• individual’s technical skills
• younger & more technical (considering mTurk Population )
165 individuals
Gender balanced (51% male)
33 states out of 50 states
34.2 mean age (18-66 ages)

14. Methodology
5 parts (30 mins total)
1 participants’ demographics (age + gender)
security professional or student studying computer security
participants’ perceptions: technical understanding of password ecosystem
2 Password Pairs
25 hypothese about how different password characteristics impact perceptions of security
- given 2 similar passwords and rate secure passwords in 7 point scale + free text
- 8 broad categories
- (capitalization, location of # & symbols, strength of letters vs. symbols, choices of words &
phrases, choice of digits, keyboards patterns, use of personal information, character substitutions)
3 Selected- password analysis
rate participants’ opinion of the security & memomorability of 20 passwords
4 11 strategies for password creation & password management
rate participants’ opinion of the security & memomorability of 20 passwords
5 participants’ impressions & understanding of attackers who might try to guess their
passwords
free text responses: Q QQQQ

15. Methodology
5 parts (30 mins total)
2 Password Pairs
25 hypothese about how different password characteristics impact perceptions of security
- given 2 similar passwords and rate secure passwords in 7 point scale + free text
- 8 broad categories
- (capitalization, location of # & symbols, strength of letters vs. symbols, choices of words &
phrases, choice of digits, keyboards patterns, use of personal information, character substitutions)
3 Selected- password analysis
rate participants’ opinion of the security & memomorability of 20 passwords
4 11 strategies for password creation & password management
rate participants’ opinion of the security & memomorability of 20 passwords
5 participants’ impressions & understanding of attackers who might try to guess their
passwords
free text responses: Q QQQQ
1 participants’ demographics (age + gender)
security professional or student studying computer security
participants’ perceptions: technical understanding of password ecosystem
2 Password Pairs
25 hypothese about how different password characteristics impact perceptions of security
- given 2 similar passwords and rate secure passwords in 7 point scale + free text
- 8 broad categories
- (capitalization, location of # & symbols, strength of letters vs. symbols, choices of words &
phrases, choice of digits, keyboards patterns, use of personal information, character substitutions)

16. Methodology
5 parts (30 mins total)
2 Password Pairs
25 hypothese about how different password characteristics impact perceptions of security
- given 2 similar passwords and rate secure passwords in 7 point scale + free text
- 8 broad categories
- (capitalization, location of # & symbols, strength of letters vs. symbols, choices of words &
phrases, choice of digits, keyboards patterns, use of personal information, character substitutions)
3 Selected- password analysis
rate participants’ opinion of the security & memomorability of 20 passwords
4 11 strategies for password creation & password management
rate participants’ opinion of the security & memomorability of 20 passwords
5 participants’ impressions & understanding of attackers who might try to guess their
passwords
free text responses: Q QQQQ
1 participants’ demographics (age + gender)
security professional or student studying computer security
participants’ perceptions: technical understanding of password ecosystem
2 Password Pairs
25 hypothese about how different password characteristics impact perceptions of security
- given 2 similar passwords and rate secure passwords in 7 point scale + free text
- 8 broad categories
- (capitalization, location of # & symbols, strength of letters vs. symbols, choices of words &
phrases, choice of digits, keyboards patterns, use of personal information, character substitutions)

17. 2
Methodology
5 parts (30 mins total)
1 participants’ demographics (age + gender)
security professional or student studying computer security
participants’ perceptions: technical understanding of password ecosystem
4 11 strategies for password creation & password management
rate participants’ opinion of the security & memomorability of 20 passwords
5 participants’ impressions & understanding of attackers who might try to guess their
passwords
free text responses: Q QQQQ
Password Pairs
25 hypothese about how different password characteristics impact perceptions of security
- given 2 similar passwords and rate secure passwords in 7 point scale + free text
- 8 broad categories
- (capitalization, location of # & symbols, strength of letters vs. symbols, choices of words &
phrases, choice of digits, keyboards patterns, use of personal information, character substitutions)
3 Selected- password analysis
rate participants’ opinion of the security & memomorability of 20 passwords

18. Methodology
5 parts (30 mins total)
1 participants’ demographics (age + gender)
security professional or student studying computer security
participants’ perceptions: technical understanding of password ecosystem
3 Selected- password analysis
rate participants’ opinion of the security & memomorability of 20 passwords
4 11 strategies for password creation & password management
rate participants’ opinion of the security & memomorability of 20 passwords
5 participants’ impressions & understanding of attackers who might try to guess their
passwords
free text responses: Q QQQQ
3 Selected- password analysis
rate participants’ opinion of the security & memomorability of 20 passwords

19. Analysis
Quantitative Qualitative
• Bonferroni method
• Wilcoxon Signed Rank Test
• Spearman’s rank corrleation coeffcient
• A mixed model ordinal regression
• One Coder
• read all responses to a question
• propose codes
• Second Coder
• used annotated codebook to code the data
• participants’ strength ratings
• relationship between security and memorability
• 알파 0.05
• interpretate free text responses
per type of test
non parametic test
H0 = true password rating = 0 = equally secure
H1 = true rating is non zero
relationship between security & memorability for
selected password analysis & password creation strategies
relationship between numerous independent variable
(password legnth, # of digits) and participants’ ratings of
password security & memorability

20. Results
Attacker Model
- how the attackers are
- how attackers guess passwords & how many guesses they took

21. Results
Why Attackers Guess Passwords
- why someone might try to guess their passwords
- “credit cards” (P3)
- “banking information” (P30)
- financial motivations
- thef of personal information

22. Results
How do attackers try to guess your passwords?
- why someone might try to guess their passwords
- large scale guessing attacks
- using sofrware/ algorithms
techniques

23. Results
- Rating relative security of juxtapositions of 2 passwords
- 25 hypothesis x 3 pairs = 75 pairs of passwords 를 통해 사람들의 password cracking approach를 알아봄
Beneficial to Security
- 단어의 “앞” 보다 중간 단어를 대문자 하는것
- 패스워드의 “끝”이 아닌 중간에 숫자 혹은 심볼을 넣는것
- 특정한 년도나 연속적인 숫자를 쓰지말고, 랜덤한 숫자 나열하는것
- 숫자 대신 심볼쓰기
- 흔한 이름말고 사전의 단어를 쓰는것
- 개인적인 내용 (사촌의 이름) 피할것
- 계정과 관련되지 않는 단어를 쓸껏 (예: 비밀번호를 “비번”이라고 정하지 않는다)

24. Results
- PW1 & PW2 equivalent in strength
- (bonferroni corrected) p value
- p value: participants tended to rate 1 password more secure
- secure
- Guess Number
- how many times stronger PW2 was than PW 1
Participants’ perceptions of relative security of passwords differed from actual security
Security calculus
10^6
10^14

25. Results
- PW1 & PW2 equivalent in strength
- (bonferroni corrected) p value
- p value: participants tended to rate 1 password more secure- Misconceptions
- Adding digits make a password more secure than
only using letters
- brooklyn16 & astley
123 >>> brooklynqy
& astleyabc
- Substitute digits or symbols for letters - punk4life >>> punkforlife
- p@ssw0rd >>> pAsswOrd
- overestimate the security of keyboard patterns - 1qaz2wsx3edc >>> thefirstkiss
- qwertyuiop >>> bradybunch
- 오해라서 반대로 생각해야함
- misjudge the popularity of particular words & phrases - ilovekale88 >>> iloveyou88

26. Results
Perceptions of the security & memorability of strategies
- 1-7 scale ( 7 darker colors —> very secure, very easy to remember)
안전함 외우기 쉬움
- Spearman’s p to find correlation between security & memorability ratings

27. Results
Perceptions of the security & memorability of strategies
- 1-7 scale ( 7 darker colors —> very secure, very easy to remember)
안전함 외우기 쉬움
- Password reuse: wholly insecure yet memorable
- song lyrics & relevant dates =
memorable but insecure
- Trade off: security vs. memorability

28. Discussion
first study comparing users’ perceptions of the security of text passwords
participants’ perceptions of what characteristics make a password more secure
participants have critical misunderstanding
- overestimated the beneifts of adding digits to password
- underestimate the predictability of keyboard patterns & common phrases
current password- strength meters only tell users if password is weak or strong
1
2
3

29. End of Document
Thank You!