Addressing misconceptions about password security effectively

Nowadays, most users need more passwords than they can handle. Consequently, users have developed a multitude of strategies to cope with this situation. Some of these coping strategies are based on misconceptions about password security. In such cases, the users are unaware of their insecure password practices. Addressing the misconceptions is vital in order to reduce insecure coping strategies. We conducted a systematic literature review with the goal of providing an overview of the misconceptions about password security. Our literature review revealed that misconceptions exist in essentially all aspects of password security. Furthermore, we developed interventions to address these misconceptions. We then evaluated the interventions' effectiveness in decreasing the misconceptions at three small and medium-sized enterprises (SMEs). Our results show that the interventions significantly decrease the overall prevalence of misconceptions among the participating employees.
