Abstract
Experts are often asked for advice about password management, but how do they manage their own passwords? We conducted interviews with researchers and practitioners in computer security, asking them about their password management behaviour. We conducted a thematic analysis of our data, and found that experts described a dichotomy of behaviour where they employed more secure behaviour on important accounts, but had similar practices to non-expert users on remaining accounts. Experts’ greater situation awareness allowed them to more easily make informed decisions about security, and expert practices can suggest ways for non-experts to better manage passwords.
Acknowledgements
We would especially like to thank all of the computer security experts who lent their time, experience, and insight to our interviews. We also acknowledge support from the Natural Sciences and Engineering Research Council of Canada: Discovery Grant RGPIN 311982-2010.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Stobert, E., Biddle, R. (2016). Expert Password Management. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds.) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science, vol. 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_1
DOI: https://doi.org/10.1007/978-3-319-29938-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29937-2
Online ISBN: 978-3-319-29938-9