
The Password Life Cycle

Published: 16 April 2018

Abstract

Managing passwords is a difficult task for users, who must create, remember, and keep track of large numbers of passwords. In this work, we investigated users’ coping strategies for password management. Through a series of interviews, we identified a “life cycle” of password use and found that users’ central task in coping with their passwords is rationing their effort to best protect their important accounts. We followed up this work by interviewing experts about their password management practices and found that experts rely on the same kinds of coping strategies as non-experts, but that their increased situation awareness of security allows them to better ration their effort toward protecting their accounts. Finally, we conducted a survey study to explore how the life cycle model generalizes to the larger population and found that the life cycle and rationing patterns can be seen in the broader population, but that survey respondents were less likely to characterize security management as a challenging task.


    • Published in

      ACM Transactions on Privacy and Security, Volume 21, Issue 3
      August 2018
      157 pages
      ISSN: 2471-2566
      EISSN: 2471-2574
      DOI: 10.1145/3208360

      Copyright © 2018 ACM

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Publication History

      • Published: 16 April 2018
      • Accepted: 1 January 2018
      • Revised: 1 October 2017
      • Received: 1 October 2016


      Qualifiers

      • research-article
      • Research
      • Refereed
