Abstract
Managing passwords is a difficult task for users, who must create, remember, and keep track of large numbers of passwords. In this work, we investigated users’ coping strategies for password management. Through a series of interviews, we identified a “life cycle” of password use and found that users’ central task in coping with their passwords is rationing their effort to best protect their important accounts. We followed up this work by interviewing experts about their password management practices and found that experts rely on the same kinds of coping strategies as non-experts, but that their increased situation awareness of security allows them to better ration their effort into protecting their accounts. Finally, we conducted a survey study to explore how the life cycle model generalizes to the larger population and found that the life cycle and rationing patterns can be seen in the broader population, but that survey respondents were less likely to characterize security management as a challenging task.
The Password Life Cycle