论文信息 - BREAKING: Password Entry Is Fine

BREAKING: Password Entry Is Fine

In our digital world, we have become well acquainted with the login form—username shown in plaintext, password shown in asterisks or dots. This design dates back to the early days of terminal computing, and despite huge changes in nearly every other area, the humble login form remains largely untouched. When coupled with the ubiquity of smartphones, this means we often find ourselves entering complex passwords on a tiny touchscreen keyboard with little or no visual feedback on what is being typed. This paper explores how password masking on mobile devices affects the error rate for password entry. We created an app where users entered selected passwords into masked and unmasked password fields, measuring various metrics such as typing speed, error rate, and number of backspaces. We then did an exploratory analysis of the data. Our findings show that, perhaps unexpectedly, there is no significant difference between masked and unmasked passwords for any of these metrics.

Stephan Neuhaus | Catlin Pidel

[1] Antti Oulasvirta,et al. Text Entry Method Affects Password Security , 2014, ArXiv.

[2] Robert Biddle,et al. A Usability Study and Critique of Two Password Managers , 2006, USENIX Security Symposium.

[3] Michael Weber,et al. Password entry usability and shoulder surfing susceptibility on different smartphone platforms , 2012, MUM.

[4] Alain Forget,et al. User interface design affects security: patterns in click-based graphical passwords , 2009, International Journal of Information Security.

[5] Paul C. van Oorschot,et al. A Research Agenda Acknowledging the Persistence of Passwords , 2012, IEEE Security & Privacy.

[6] Blase Ur,et al. Usability and Security of Text Passwords on Mobile Devices , 2016, CHI.

[7] Joseph Bonneau,et al. The Password Thicket: Technical and Market Failures in Human Authentication on the Web , 2010, WEIS.

[8] Melissa A. Gallagher. Modeling Password Entry on Mobile Devices: Please Check Your Password and Try Again , 2015 .

[9] Christine L. MacKenzie,et al. Computer user verification using login string keystroke dynamics , 1998, IEEE Trans. Syst. Man Cybern. Part A.

[10] Nils Gruschka,et al. Password Visualization beyond Password Masking , 2010, INC.

[11] Kristen K. Greene,et al. Measuring the Usability and Security of Permuted Passwords on Mobile Platforms , 2016 .