INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT
Tobias Seitz, Emanuel von Zezschwitz, Stefanie Meitner, Heinrich Hussmann
Media Informatics Group
LMU Munich
TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 3
http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/
IMPROVING ‘DADADA’: GENERATED PASSWORDS
Security: random system-generated passwords would help to secure an account
Usability: a password manager is necessary for passwords like XN69Nt3uSDJxhJMd
→ How can we make generated passwords more usable?
Rhymes? (Ghazvininejad & Knight 2015)
Pronounceable syllables? (Gasser 1975)
Real words? (Shay et al. 2012)
IMPROVING GENERATED PASSWORDS: PHRASES
CorrectHorseBatteryStaple
Security: Word-based passphrases perform well against cracking attacks
Usability:
- Easy to type, but more prone to typos than shorter passwords
- Memorability similar to more complex passwords
→ How can we make generated passphrases more attractive?
IMPROVING PHRASES: SHOW ALTERNATIVES
Challenges of suggesting passphrases:
- Unattractive word constellation, e.g. Girth-Infix-Thine-Propyl
- Users mistrust password suggestions, especially if they “look insecure”
→ How can we highlight the benefits and convince users of passphrase security?
→ Use password meters and the decoy effect
astley123
Tr0ub4dor&3
CorrectHorseBatteryStaple
THEORETICAL BACKGROUND & CONCEPT DEVELOPMENT
PERSUASION & NUDGING
Password meters and feedback: Shay et al., CHI 2015
Suggestion and guidance: Yahoo, Dropbox, eBay, tumblr
THE DECOY EFFECT - EXAMPLE
Two options: 328€ and 799€
Three options: 328€, 799€ and 1799€
- Competitor (328€): low quality, low price
- Target (799€): high quality, higher price
- Decoy (1799€): high quality, highest price
RESEARCH QUESTIONS
RQ1: Can we make suggested passwords more attractive with the decoy effect?
RQ2: Do password suggestions influence self-selected passwords?
RQ3: How is password memorability affected by suggesting random passwords?
CONCEPT
Choice architecture revolves around suggesting alternatives:
- Competitor: self-selected password
- Target: passphrase, highest strength (e.g. CorrectHorseBatteryStaple)
- Decoy: mangled dictionary word, high strength (e.g. Tr0ub4Dor&8)
STRENGTH VS EFFORT
[Chart: strength (scale 1 to 5) plotted against effort for the three options: Competitor (self-selected password), Target (CorrectHorseBatteryStaple) and Decoy (Tr0ub4Dor&8)]
USER STUDY
STUDY DESIGN
Between-groups design with four conditions:
- Control: no suggestions
- Words: passphrase of 4 dictionary words
- Mangled: mangled dictionary word + special character + digits
- Decoy: both the passphrase and the mangled password
Two study sessions:
- Session 1: Password selection, qualitative feedback
- Session 2: Memorability, qualitative feedback
Conducted online with the crowdsourcing tool Prolific.ac
USER-INTERFACES: CONTROL GROUP
No suggestion
USER-INTERFACES: WORDS
Suggestion: Passphrase = Target-item only
USER-INTERFACES: MANGLED
Suggestion: Mangled password = Decoy-item only
USER-INTERFACES: DECOY
Two suggestions: mangled password and passphrase
SAMPLE & DEMOGRAPHY
N = 83 valid responses from both sessions (35 female participants)
Recruiting only in USA (58%) and UK (42%)
Average age 30 years (SD=10, [18;61])
78% employed, 12% students, 10% unemployed
Group distribution:
Control 18, Words 24, Mangled 21, Decoy 20
MEASUREMENTS
Passwords were not collected in plain text
Strength estimation: zxcvbn algorithm (D. Wheeler, USENIX Security ’16)
- estimated guesses for sophisticated attackers
- strength score (0 - 4)
- length
- uppercase, lowercase, digits, special characters
Qualitative feedback and self-assessment
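To make the study design and measurement slides concrete, here is an added Python example (not the authors' study code) that generates the suggestion(s) shown in each of the four conditions and extracts the plaintext-free measurements listed above. The word list, the substitution table, the special-character set and the rule used to tell a "complex" password from a "basic" one are assumptions made for this example.

```python
"""Added example (not the authors' study code): the four study conditions and
the plaintext-free measurements from the slides. WORDS, SUBSTITUTIONS, SPECIALS
and the 'complex' policy rule are assumptions made for this example."""
import random
import secrets
import string

# Constructed mini dictionary; the study's real word list is not on the slides.
WORDS = ["correct", "horse", "battery", "staple", "troubadour", "girth", "infix",
         "thine", "propyl", "anchor", "velvet", "meadow", "copper", "lantern",
         "quartz", "orbit"]
# Assumed leet-style substitutions, in the spirit of Tr0ub4Dor&8.
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0"}
SPECIALS = "!@#$%&*?"
CONDITIONS = ("control", "words", "mangled", "decoy")


def _rng(rng):
    # A CSPRNG for real deployments; pass a seeded random.Random for reproducible demos.
    return rng if rng is not None else secrets.SystemRandom()


def make_passphrase(rng=None, n_words=4):
    """Target item: n_words capitalised dictionary words, e.g. CorrectHorseBatteryStaple."""
    r = _rng(rng)
    return "".join(r.choice(WORDS).capitalize() for _ in range(n_words))


def make_mangled(rng=None, n_digits=1):
    """Decoy item: one capitalised dictionary word with vowel substitutions,
    followed by a special character and n_digits digits (Tr0ub4Dor&8-style)."""
    r = _rng(rng)
    word = r.choice(WORDS).capitalize()   # capitalise first so one upper-case letter survives
    body = "".join(SUBSTITUTIONS.get(ch, ch) for ch in word)
    digits = "".join(str(r.randrange(10)) for _ in range(n_digits))
    return body + r.choice(SPECIALS) + digits


def suggestions_for(condition, rng=None):
    """Suggestions shown in each condition: Control shows none, Decoy shows both."""
    r = _rng(rng)
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition: {condition}")
    shown = {}
    if condition in ("words", "decoy"):
        shown["passphrase"] = make_passphrase(r)
    if condition in ("mangled", "decoy"):
        shown["mangled"] = make_mangled(r)
    return shown


def measurement_record(password):
    """The per-password features the study stored instead of the plaintext:
    length and character-class counts. zxcvbn's guess estimate and 0-4 score
    are left out here; the slides used the zxcvbn library for those."""
    alnum = string.ascii_letters + string.digits
    return {
        "length": len(password),
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
        "digits": sum(c in string.digits for c in password),
        "special": sum(c not in alnum for c in password),
    }


def policy_class(record):
    """Assumed rule (the slides show Basic vs Complex without defining them):
    'complex' requires at least one character from all four classes."""
    needed = ("upper", "lower", "digits", "special")
    return "complex" if all(record[k] > 0 for k in needed) else "basic"


if __name__ == "__main__":
    demo_rng = random.Random(2016)   # seeded only so the demo output is reproducible
    for cond in CONDITIONS:
        print(cond, suggestions_for(cond, demo_rng))
    for pw in ("CorrectHorseBatteryStaple", "Tr0ub4Dor&8"):
        rec = measurement_record(pw)
        print(pw, rec, policy_class(rec))
```

Run as a script it prints, per condition, what a participant would have been shown, and for the two slide examples the record that would have left the browser instead of the password itself.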
RESULTS
SUGGESTION ATTRACTIVENESS
9 respondents (14%) accepted a suggestion (4 in Words, 2 in Mangled, 3 in Decoy)
Main reason for declining: lack of personalization
Memorability results:
- generally low performance for all participants (40% overall success rate)
- 1 of the 9 respondents who accepted was able to recall the mangled password
INFLUENCE ON PASSWORD GUESSABILITY
[Plot: pairwise differences in estimated guessability between conditions (Mangled−Control, Words−Control, Words−Mangled, Decoy−Control, Decoy−Mangled, Decoy−Words) on an axis from −5 to 5; each comparison marked as p<0.05 or non-significant]
POLICY CLASSIFICATION
[Bar chart: share of passwords (0% to 100%) classified as Basic vs Complex per condition: Control, Mangled, Words, Decoy]
DISCUSSION
SUGGESTION REJECTED, YET INFLUENCED
Participants were influenced by suggestions:
- The passphrase nudged participants to elongate their own password.
- The mangled password nudged them to fulfill complex policies.
The decoy effect did not make suggestions more attractive.
Implications:
- Display one suggestion during password creation instead of two.
- Use context to decide which suggestion to display.
BASELINE STRENGTHS WERE VERY HIGH
72% created a “strong” password.
Passwords in all conditions were estimated stronger than those found in leaked data.
Implications:
- Only display suggestions when necessary.
- Evaluate our nudging approach in the wild to validate the effect.
OUTLOOK
TAKE HOME MESSAGES
- The presence of a suggestion can have an influence on self-selected passwords.
- Suggest one password and provide feed-forward to the user (“Here’s a strong password for you: ...”).
- The decoy effect does not translate to passwords directly.
- Other disciplines can inspire concepts and produce unanticipated results.
THANKS!
Tobias Seitz, Emanuel von Zezschwitz, Stefanie Meitner, and Heinrich Hussmann
tobias.seitz@ifi.lmu.de - @TbsStz
REFERENCES
1. Morrie Gasser. 1975. A Random Word Generator for Pronounceable Passwords. Bedford, Massachusetts. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA017676
2. Marjan Ghazvininejad and Kevin Knight. 2015. How to Memorize a Random 60-Bit String.
3. Richard Shay, Patrick Gage Kelley, Saranga Komanduri, et al. 2012. Correct Horse Battery Staple. Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ’12), ACM, 1–20. http://doi.org/10.1145/2335356.2335366
4. Daniel Lowe Wheeler. 2016. zxcvbn: Low-Budget Password Strength Estimation. To appear in: Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, 17 pages.
5. Tobias Seitz, Emanuel von Zezschwitz, Stefanie Meitner, and Heinrich Hussmann. 2016. Influencing Self-selected Passwords Through Suggestions and the Decoy Effect. Proceedings of the EuroUSEC Workshop, Internet Society, Darmstadt. 8 pages.
6. R. Shay, S. Komanduri, A. L. Durity, P. S. Huh, M. L. Mazurek, S. M. Segreti, … L. F. Cranor. 2014. Can Long Passwords Be Secure and Usable? Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI ’14). http://doi.org/10.1145/2556288.2557377

Más contenido relacionado

Similar a Influencing Self-selected Passwords Through Suggestions and the Decoy Effect - Presentation

Ponemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksPonemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksVenafi
 
Social engineering via social media
Social engineering via social mediaSocial engineering via social media
Social engineering via social mediab coatesworth
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMatthew Rosenquist
 
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameBig Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameKelly Shortridge
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Usable Security: When Security Meets Usability
Usable Security: When Security Meets UsabilityUsable Security: When Security Meets Usability
Usable Security: When Security Meets UsabilityShujun Li
 
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your OrganizationRaffa Learning Community
 
One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...
One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...
One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...Elena Simperl
 
SpatzAI powering Bold Idea Sharing Spat by Spat
SpatzAI powering Bold Idea Sharing Spat by SpatSpatzAI powering Bold Idea Sharing Spat by Spat
SpatzAI powering Bold Idea Sharing Spat by SpatDesmond Sherlock
 
SpatzAI Powering Bold Idea Sharing in Teams Spat by Spat
SpatzAI Powering Bold Idea Sharing in Teams Spat by SpatSpatzAI Powering Bold Idea Sharing in Teams Spat by Spat
SpatzAI Powering Bold Idea Sharing in Teams Spat by SpatDesmond Sherlock
 
SpatzAI Powering Bold Idea-sharing Spat by Spat
SpatzAI Powering Bold Idea-sharing Spat by SpatSpatzAI Powering Bold Idea-sharing Spat by Spat
SpatzAI Powering Bold Idea-sharing Spat by SpatDesmond Sherlock
 
Software craftsmanship and you a strong foundation in your team
Software craftsmanship and you a strong foundation in your teamSoftware craftsmanship and you a strong foundation in your team
Software craftsmanship and you a strong foundation in your teamDattatray Kale
 
SpatzAI Daring Teams to Address Workplace Misbehavior on the Fly
SpatzAI Daring Teams to Address Workplace Misbehavior on the FlySpatzAI Daring Teams to Address Workplace Misbehavior on the Fly
SpatzAI Daring Teams to Address Workplace Misbehavior on the FlyDesmond Sherlock
 
LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017
LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017
LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017Denys Malengreau
 
Technology Thought Leadership: Shuman Ghosemajumder
Technology Thought Leadership: Shuman GhosemajumderTechnology Thought Leadership: Shuman Ghosemajumder
Technology Thought Leadership: Shuman GhosemajumderAmazon Web Services
 
Sept 2014 cloud security presentation
Sept 2014   cloud security presentationSept 2014   cloud security presentation
Sept 2014 cloud security presentationJoan Dembowski
 

Similar a Influencing Self-selected Passwords Through Suggestions and the Decoy Effect - Presentation (20)

Ponemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksPonemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and Attacks
 
Social engineering via social media
Social engineering via social mediaSocial engineering via social media
Social engineering via social media
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats Predictions
 
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameBig Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
 
Password Security
Password SecurityPassword Security
Password Security
 
Usable Security: When Security Meets Usability
Usable Security: When Security Meets UsabilityUsable Security: When Security Meets Usability
Usable Security: When Security Meets Usability
 
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization
 
One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...
One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...
One does not simply crowdsource the Semantic Web: 10 years with people, URIs,...
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
 
Securing password
Securing passwordSecuring password
Securing password
 
SpatzAI powering Bold Idea Sharing Spat by Spat
SpatzAI powering Bold Idea Sharing Spat by SpatSpatzAI powering Bold Idea Sharing Spat by Spat
SpatzAI powering Bold Idea Sharing Spat by Spat
 
SpatzAI Powering Bold Idea Sharing in Teams Spat by Spat
SpatzAI Powering Bold Idea Sharing in Teams Spat by SpatSpatzAI Powering Bold Idea Sharing in Teams Spat by Spat
SpatzAI Powering Bold Idea Sharing in Teams Spat by Spat
 
Cyber security
Cyber securityCyber security
Cyber security
 
SpatzAI Powering Bold Idea-sharing Spat by Spat
SpatzAI Powering Bold Idea-sharing Spat by SpatSpatzAI Powering Bold Idea-sharing Spat by Spat
SpatzAI Powering Bold Idea-sharing Spat by Spat
 
Software craftsmanship and you a strong foundation in your team
Software craftsmanship and you a strong foundation in your teamSoftware craftsmanship and you a strong foundation in your team
Software craftsmanship and you a strong foundation in your team
 
Evolving Cybersecurity Threats
Evolving Cybersecurity Threats  Evolving Cybersecurity Threats
Evolving Cybersecurity Threats
 
SpatzAI Daring Teams to Address Workplace Misbehavior on the Fly
SpatzAI Daring Teams to Address Workplace Misbehavior on the FlySpatzAI Daring Teams to Address Workplace Misbehavior on the Fly
SpatzAI Daring Teams to Address Workplace Misbehavior on the Fly
 
LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017
LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017
LINKEDIN ET L’INSTITUTION ÉDUCATIVE - EPHEC - 21/11/2017
 
Technology Thought Leadership: Shuman Ghosemajumder
Technology Thought Leadership: Shuman GhosemajumderTechnology Thought Leadership: Shuman Ghosemajumder
Technology Thought Leadership: Shuman Ghosemajumder
 
Sept 2014 cloud security presentation
Sept 2014   cloud security presentationSept 2014   cloud security presentation
Sept 2014 cloud security presentation
 

Último

300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptxryanrooker
 
Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformationAreesha Ahmad
 
GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)Areesha Ahmad
 
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate ProfessorThyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate Professormuralinath2
 
Zoology 5th semester notes( Sumit_yadav).pdf
Zoology 5th semester notes( Sumit_yadav).pdfZoology 5th semester notes( Sumit_yadav).pdf
Zoology 5th semester notes( Sumit_yadav).pdfSumit Kumar yadav
 
CURRENT SCENARIO OF POULTRY PRODUCTION IN INDIA
CURRENT SCENARIO OF POULTRY PRODUCTION IN INDIACURRENT SCENARIO OF POULTRY PRODUCTION IN INDIA
CURRENT SCENARIO OF POULTRY PRODUCTION IN INDIADr. TATHAGAT KHOBRAGADE
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bSérgio Sacani
 
FAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
FAIRSpectra - Enabling the FAIRification of Spectroscopy and SpectrometryFAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
FAIRSpectra - Enabling the FAIRification of Spectroscopy and SpectrometryAlex Henderson
 
biology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGYbiology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGY1301aanya
 
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Silpa
 
(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...
(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...
(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...Scintica Instrumentation
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusNazaninKarimi6
 
Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....
Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....
Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....muralinath2
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)Areesha Ahmad
 
Stages in the normal growth curve
Stages in the normal growth curveStages in the normal growth curve
Stages in the normal growth curveAreesha Ahmad
 
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsBiogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsSérgio Sacani
 
Velocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptVelocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptRakeshMohan42
 
Use of mutants in understanding seedling development.pptx
Use of mutants in understanding seedling development.pptxUse of mutants in understanding seedling development.pptx
Use of mutants in understanding seedling development.pptxRenuJangid3
 
POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.Silpa
 

Último (20)

300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx
 
Site Acceptance Test .
Site Acceptance Test                    .Site Acceptance Test                    .
Site Acceptance Test .
 
Conjugation, transduction and transformation
Conjugation, transduction and transformationConjugation, transduction and transformation
Conjugation, transduction and transformation
 
GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)
 
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate ProfessorThyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
 
Zoology 5th semester notes( Sumit_yadav).pdf
Zoology 5th semester notes( Sumit_yadav).pdfZoology 5th semester notes( Sumit_yadav).pdf
Zoology 5th semester notes( Sumit_yadav).pdf
 
CURRENT SCENARIO OF POULTRY PRODUCTION IN INDIA
CURRENT SCENARIO OF POULTRY PRODUCTION IN INDIACURRENT SCENARIO OF POULTRY PRODUCTION IN INDIA
CURRENT SCENARIO OF POULTRY PRODUCTION IN INDIA
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
 
FAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
FAIRSpectra - Enabling the FAIRification of Spectroscopy and SpectrometryFAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
FAIRSpectra - Enabling the FAIRification of Spectroscopy and Spectrometry
 
biology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGYbiology HL practice questions IB BIOLOGY
biology HL practice questions IB BIOLOGY
 
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
 
(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...
(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...
(May 9, 2024) Enhanced Ultrafast Vector Flow Imaging (VFI) Using Multi-Angle ...
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virus
 
Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....
Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....
Human & Veterinary Respiratory Physilogy_DR.E.Muralinath_Associate Professor....
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
Stages in the normal growth curve
Stages in the normal growth curveStages in the normal growth curve
Stages in the normal growth curve
 
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune WaterworldsBiogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
Biogenic Sulfur Gases as Biosignatures on Temperate Sub-Neptune Waterworlds
 
Velocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptVelocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.ppt
 
Use of mutants in understanding seedling development.pptx
Use of mutants in understanding seedling development.pptxUse of mutants in understanding seedling development.pptx
Use of mutants in understanding seedling development.pptx
 
POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.
 

Influencing Self-selected Passwords Through Suggestions and the Decoy Effect - Presentation

  • 1. INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT Tobias Seitz, Emanuel von Zezschwitz, Stefanie Meitner, Heinrich Hussmann Media Informatics Group LMU Munich
  • 2. TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 3 http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/
  • 3. IMPROVING ‘DADADA’: GENERATED PASSWORDS Security: Random system generated passwords would help to secure an account Usability: Password manager necessary for passwords like XN69Nt3uSDJxhJMd è How can we make generated passwords more usable? TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 4 Rhymes? (Ghazvininejad & Knight 2015) Pronounceable Syllables? (Gasser 1975) Real words? (Shay et al. 2012)
  • 4. IMPROVING GENERATED PASSWORDS: PHRASES CorrectHorseBatteryStaple Security: Word-based passphrases perform well against cracking attacks Usability: ­ Easy to type, but more prone to typos than shorter passwords ­ Memorability similar to more complex passwords è How can we make generated passphrases more attractive? TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 5
  • 5. IMPROVING PHRASES: SHOW ALTERNATIVES Challenges of suggesting passphrases: ­ Unattractive word constellation, e.g. Girth-Infix-Thine-Propyl ­ Users mistrust password suggestions, especially if they “look insecure” è How can we highlight the benefits and convince users of passphrase security? è Use password meters and the decoy effect TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 6 astley123 Tr0ub4dor&3 CorrectHorseBatteryStaple
  • 6. THEORETICAL BACKGROUND & CONCEPT DEVELOPMENT TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 7
  • 7. PERSUASION & NUDGING Password meters and feedback: TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 8 Shay et al., CHI 2015 Suggestion and guidance: Yahoo Dropbox eBay tumblr
  • 8. THE DECOY EFFECT - EXAMPLE TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 9 328€ 799€
  • 9. THE DECOY EFFECT - EXAMPLE TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 10 1799€328€ 799€
  • 10. THE DECOY EFFECT - EXAMPLE TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 11 1799€328€ 799€ Competitor Low quality Low price Target High quality Higher price Decoy High quality Highest price
  • 11. THE DECOY EFFECT - EXAMPLE TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 12 1799€328€ 799€ Competitor Low quality Low price Target High quality Higher price Decoy High quality Highest price
  • 12. RESEARCH QUESTIONS RQ1: Can we make suggested passwords more attractive with the decoy effect? RQ2: Do password-suggestions influence self-selected passwords? RQ3: How is password memorability affected by suggesting random passwords? TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 13
  • 13. CONCEPT Choice architecture revolves around suggesting alternatives ­ Competitor: self-selected password ­ Target: passphrase highest strength ­ Decoy: mangled dictionary word high strength TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 14 CorrectHorseBatteryStaple Tr0ub4Dor&8
  • 14. STRENGTH VS EFFORT TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 15 1 2 3 4 5 Strength Effort Competitor Target DecoyCorrectHorseBatteryStaple Tr0ub4Dor&8
  • 15. USER STUDY TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 16
  • 16. STUDY DESIGN Between groups with four conditions: ­ Control: no suggestions ­ Words: passphrase of 4 dictionary words ­ Mangled: mangled dictionary word + special character + digits ­ Decoy: both the passphrase and the mangled password Two study sessions ­ Session 1: Password selection, qualitative feedback ­ Session 2: Memorability, qualitative feedback Conducted on-line with crowdsourcing tool Prolific.ac TOBIAS.SEITZ@IFI.LMU.DE - INFLUENCING SELF-SELECTED PASSWORDS THROUGH SUGGESTIONS AND THE DECOY EFFECT 17
  • 17. USER-INTERFACES: CONTROL GROUP No suggestion
  • 18. USER-INTERFACES: WORDS Suggestion: passphrase = Target item only
  • 19. USER-INTERFACES: MANGLED Suggestion: mangled password = Decoy item only
  • 20. USER-INTERFACES: DECOY Two suggestions: mangled password and passphrase
  • 21. SAMPLE & DEMOGRAPHY N = 83 valid responses from both sessions (35 female participants). Recruiting only in the USA (58%) and UK (42%). Average age 30 years (SD = 10, range [18; 61]). 78% employed, 12% students, 10% unemployed. Group distribution: Control 18, Words 24, Mangled 21, Decoy 20.
  • 22. MEASUREMENTS Passwords were not collected in plain text. Strength estimation: zxcvbn algorithm (D. Wheeler, USENIX Security ’16):
    - estimated guesses for sophisticated attackers
    - strength score (0 to 4)
    - length
    - uppercase, lowercase, digits, special characters
    Qualitative feedback and self-assessment
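An added example (not the study's own code) of how the Words, Mangled and Decoy conditions from the concept and study-design slides could generate their suggestions, and how the per-password measurements listed above (length and character classes) can be computed where the password is typed so the plaintext never has to be collected; the word list, the look-alike substitution scheme and the special-character set are assumptions.

```python
import random
import string

# Constructed mini word list (an assumption); the study drew on a real dictionary.
WORDLIST = ["correct", "horse", "battery", "staple", "girth", "infix", "thine",
            "propyl", "troubadour", "anchor", "meadow", "astley"]
LEET = {"o": "0", "a": "4", "e": "3", "i": "1"}  # assumed mangling substitutions
SPECIALS = "!&%$#@?"                               # assumed special-character set
CSPRNG = random.SystemRandom()                     # OS entropy for real suggestions

def seeded_rng(seed):
    """Deterministic generator, only for reproducible tests and demos."""
    return random.Random(seed)

def passphrase(rng=CSPRNG, n=4):
    """Target item (Words condition): n random dictionary words, CamelCased."""
    return "".join(rng.choice(WORDLIST).capitalize() for _ in range(n))

def mangled(rng=CSPRNG):
    """Decoy item (Mangled condition): mangled word + special character + digits."""
    chars = [LEET.get(c, c) for c in rng.choice(WORDLIST)]
    chars[0] = chars[0].upper()                    # no effect if it became a digit
    letters = [i for i, c in enumerate(chars) if c.isalpha()]  # non-empty for WORDLIST
    i = rng.choice(letters)                        # guarantees at least one uppercase
    chars[i] = chars[i].upper()
    return "".join(chars) + rng.choice(SPECIALS) + f"{rng.randrange(100):02d}"

def suggestions(condition, rng=CSPRNG):
    """Suggestion(s) shown next to the password field in each study condition."""
    if condition == "Control":
        return []
    if condition == "Words":
        return [passphrase(rng)]
    if condition == "Mangled":
        return [mangled(rng)]
    if condition == "Decoy":
        return [mangled(rng), passphrase(rng)]
    raise ValueError(f"unknown condition: {condition}")

def features(pw):
    """Study measurements (length, character classes), computable client-side."""
    return {"length": len(pw),
            "uppercase": sum(c.isupper() for c in pw),
            "lowercase": sum(c.islower() for c in pw),
            "digits": sum(c.isdigit() for c in pw),
            "special": sum(c in string.punctuation for c in pw)}

if __name__ == "__main__":
    print({c: suggestions(c) for c in ("Control", "Words", "Mangled", "Decoy")})
    print(features("Tr0ub4Dor&8"))
```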
  • 23. RESULTS
  • 24. SUGGESTION ATTRACTIVENESS 9 respondents (14%) accepted a suggestion (4 in Words, 2 in Mangled, 3 in Decoy). Main reason for declining: lack of personalization. Memorability results:
    - generally low performance for all participants (40% overall success rate)
    - 1 of the 9 respondents who accepted a suggestion was able to recall the mangled password
  • 25. INFLUENCE ON PASSWORD GUESSABILITY [Plot: pairwise differences in estimated guessability between conditions (Mangled vs. Control, Words vs. Control, Words vs. Mangled, Decoy vs. Control, Decoy vs. Mangled, Decoy vs. Words) on a -5 to 5 scale, marked as p<0.05 or non-significant]
  • 27. POLICY CLASSIFICATION [Chart: share of passwords per condition (Control, Mangled, Words, Decoy) classified as Basic vs. Complex, 0% to 100%]
  • 29. DISCUSSION
  • 30. SUGGESTION REJECTED, YET INFLUENCED Participants were influenced by suggestions:
    - The passphrase nudged participants to elongate their own password.
    - The mangled password nudged them to fulfill complex policies.
    The decoy effect did not make suggestions more attractive.
    Implications:
    - Display one suggestion during password creation instead of two.
    - Use context to decide which suggestion to display.
  • 31. BASELINE STRENGTHS WERE VERY HIGH 72% created a “strong” password. Passwords in all conditions were estimated stronger than those found in leaked data.
    Implications:
    - Only display suggestions when necessary.
    - Evaluate our nudging approach in the wild to validate the effect.
  • 32. OUTLOOK
  • 33. TAKE HOME MESSAGES
    - The presence of a suggestion can have an influence on self-selected passwords.
    - Suggest one password and provide feed-forward to the user (“Here’s a strong password for you: ...”).
    - The decoy effect does not translate to passwords directly.
    - Other disciplines can inspire concepts and produce unanticipated results.
  • 34. THANKS! Tobias Seitz, Emanuel von Zezschwitz, Stefanie Meitner, and Heinrich Hussmann. tobias.seitz@ifi.lmu.de - @TbsStz
  • 35. REFERENCES
    1. Morrie Gasser. 1975. A Random Word Generator for Pronounceable Passwords. Bedford, Massachusetts. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA017676
    2. Marjan Ghazvininejad and Kevin Knight. 2015. How to Memorize a Random 60-Bit String.
    3. Richard Shay, Patrick Gage Kelley, Saranga Komanduri, et al. 2012. Correct Horse Battery Staple. Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ’12), ACM, 1–20. http://doi.org/10.1145/2335356.2335366
    4. Daniel Lowe Wheeler. 2016. zxcvbn: Low-Budget Password Strength Estimation. To appear in: Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, 17 pages.
  • 36. REFERENCES
    5. Seitz, T., von Zezschwitz, E., Meitner, S., & Hussmann, H. 2016. Influencing Self-selected Passwords Through Suggestions and the Decoy Effect. In Proceedings of the EuroUSEC Workshop, Internet Society, Darmstadt. 8 pages.
    6. Shay, R., Komanduri, S., Durity, A. L., Huh, P. S., Mazurek, M. L., Segreti, S. M., … Cranor, L. F. 2014. Can Long Passwords Be Secure and Usable? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI ’14). http://doi.org/10.1145/2556288.2557377