Password sharing: implications for security design based on social practice

Current systems for banking authentication require that customers not reveal their access codes, even to members of the family. A study of banking and security in Australia shows that the practice of sharing passwords does not conform to this requirement. For married and de facto couples, password sharing is seen as a practical way of managing money and a demonstration of trust. Sharing Personal Identification Numbers (PINs) is a common practice among remote indigenous communities in Australia. In areas with poor banking access, this is the only way to access cash. People with certain disabilities have to share passwords with carers, and PINs with retail clerks. In this paper we present the findings of a qualitative user study of banking and money management. We suggest design criteria for banking security systems, based on observed social and cultural practices of password and PIN sharing.
