Expert Password Management

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9551)

Abstract

Experts are often asked for advice about password management, but how do they manage their own passwords? We conducted interviews with researchers and practitioners in computer security, asking them about their password management behaviour. We conducted a thematic analysis of our data, and found that experts described a dichotomy of behaviour where they employed more secure behaviour on important accounts, but had similar practices to non-expert users on remaining accounts. Experts’ greater situation awareness allowed them to more easily make informed decisions about security, and expert practices can suggest ways for non-experts to better manage passwords.

Acknowledgements

We would especially like to thank all of the computer security experts who lent their time, experience, and insight to our interviews. We also acknowledge support from the Natural Sciences and Engineering Research Council of Canada: Discovery Grant RGPIN 311982-2010.

Author information

Correspondence to Elizabeth Stobert.

Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Stobert, E., Biddle, R. (2016). Expert Password Management. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science, vol 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_1

  • DOI: https://doi.org/10.1007/978-3-319-29938-9_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29937-2

  • Online ISBN: 978-3-319-29938-9

  • eBook Packages: Computer Science (R0)
