Password advice shouldn't be boring: Visualizing password guessing attacks

Users are susceptible to password guessing attacks when they create weak passwords. Despite an abundance of text-based password advice, it appears insufficient to help home users create strong, memorable passwords. We propose that users would be empowered to make better password choices if they understood, through visual communication, how password guessing attacks work. We created three infographic posters and an online educational comic to help users learn about the threats, and conducted two studies to assess their effectiveness. All four methods led to better learning outcomes than the text-alone approach. Our pre-test questionnaires also highlighted that users' understanding of password guessing attacks is limited to a “target” mental model. One week after viewing our materials, the majority of users created strong sample passwords and correctly described all three attacks: targeted, dictionary, and brute-force.
