© 2006 Richard M. Conlan Interface Designs to Help Users Choose Better Passwords (study design) Richard M. Conlan, Peter Tarasewich Northeastern University.

Slides:



Advertisements
Similar presentations
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Advertisements

Giving and Receiving Feedback
Welcome to IRBManager! To access IRBManager, type the following address in your web browser:
CVs & Telephone Skills Top Tips to remember …
Is it Research?. Is It Research? 2 Elements –The project involves a systematic investigation –The design (meaning goal, purpose, or intent) of the investigation.
How to Say “No” and Keep a Good Relationship
May 12, 2015 XSEDE New User Tutorials and User Support: Lessons Learned Marcela Madrid.
Presenter: Kay Fenton UNITEC Institute of Technology Auckland, New Zealand.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Agenda Survey service transition and retirement Examining your survey needs Evaluating application features Service providers.
1 Psych 5500/6500 The t Test for a Single Group Mean (Part 5): Outliers Fall, 2008.
Scholarship of Teaching: An Introduction New Fellows Orientation April 17, 2008 SoTL Fellows
Chapter 5 Database Application Security Models
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
August 15 click! 1 Basics Kitsap Regional Library.
1 © 2009 University of Wisconsin-Extension, Cooperative Extension, Program Development and Evaluation Getting started with evaluation.
thinking hats Six of Prepared by Eman A. Al Abdullah ©
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
REDCap Overview Institute for Clinical and Translational Science Heath Davis Fred McClurg Brian Finley.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Section 15.1 Identify Webmastering tasks Identify Web server maintenance techniques Describe the importance of backups Section 15.2 Identify guidelines.
s By Mollie.
Level 2 IT Users Qualification – Unit 1 Improving Productivity Jordan Girling.
Research Design. Research is based on Scientific Method Propose a hypothesis that is testable Objective observations are collected Results are analyzed.
Web 2.0: Making the Web Work for You - Illustrated Unit C: Collaborating and Sharing Information.
purposes: scientific, business, diploma
Database Application Security Models Database Application Security Models 1.
Ethics IRB and Animal Care. Subjects (participants) can always withdraw from participation Determine Risk Minimal or not -if not then need permission.
Negotiating access, ethics and the problems of ‘inside’ research.
Sampling is the other method of getting data, along with experimentation. It involves looking at a sample from a population with the hope of making inferences.
Jay Summet CS 1 with Robots IPRE Evaluation – Data Collection Overview.
Assumes that events are governed by some lawful order
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
1 MANAGEMENT OF THE ST ScI ELECTRONIC GRANTS MANAGEMENT SYSTEM BY INSTITUTIONAL ACCOUNTING STAFF September, 2000.
Student Preferences For Learning College Algebra in a Web Enhanced Environment Dr. Laura J. Pyzdrowski, Pre-Collegiate Mathematics Coordinator Institute.
AN INTRODUCTION Managing Change in Healthcare IT Implementations Sherrilynne Fuller, Center for Public Health Informatics School of Public Health, University.
Critical Thinking Lesson 8
Welcome to the BAA/Fenway Library I am Kathy Lowe, the library director. Your teacher preparation or experience in other schools may not have given you.
ACIFA Front of Room Welcome!!!!! Discussion New to “Flipping” Where did you hear about it? What 3 things intrigue you the most? Expectations? Have.
College Level Cooperatively Taught Information Literacy and Subject Area Course Background and Assignments.
Writing For Researchers 2006 NSF Minority Faculty Development Workshop Jul 30-Aug 2 Malcolm J. Andrews National Security Fellow, LANL Professor Mechanical.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Cell City. Introduction  This Webquest is designed to aid students in learning the basic parts of the cell. The student will be required to research.
MyHealth Journal: a User-Customizable Diary Software for Health Soufiane Berouel, Undergraduate Student Supervised by Prof. Lily Liang Department of Computer.
Why it matters  Your essay reveals something important about you that your grades and test scores can't—your personality.  It can give admission officers.
COOKIES AND SESSIONS.
How to Register for CITI Online Ethics Training Courses.
DIFFERENTIATION STRATEGIES WELCOME Differentiation Strategies: How to Meet the Instructional Needs of Each Student in Your Classroom DOE# IS Brandman.
St. Mary’s Catholic School, Mayville Mrs. Kaiser, Technology Teacher.
  ONLINE DORMITORY RESERVATION SYSTEM By RAMYA VAKITY KOUSHIK KUMAR SURAGONI MOTHE ADITHYA    GRADUATE CAPSTONE SEMINAR PROJECT    Submitted in partial.
Evaluation Planning Checklist (1 of 2) Planning Checklist Planning is a crucial part of the evaluation process. The following checklist (based on the original.
How to Make Yourself More Secure Using Public Computers and Free Public Wi-Fi.
Advanced Higher Computing Science
How to Navigate IRB Paperwork.
Password Management Limit login attempts Encrypt your passwords
How to Navigate IRB Paperwork.
Network and Server Statistics using Cacti AfNOG May Hervey Allen
Computing in the Classroom and best practices to improve gender diversity equity: Professional development for adjunct faculty Professor Younge’s Experience.
Human Subjects Research and the IRB Collecting data using Electronic Surveys - Qualtrics Dr. OraLee Branch, Director of the Office of Research Integrity.
Web Systems Development (CSC-215)
Israa Al-Qarout & Zainab Qurie
Kasee Hildenbrand and Darcy Miller
How to Register for CITI Online Ethics Training Courses
I can use a range of words to describe my feelings
How to Navigate IRB Paperwork.
Study Island Student Demo:
How to Navigate IRB Paperwork.
Online Data Collection: Ethics
How to Register for CITI Online Ethics Training Courses
Presentation transcript:

© 2006 Richard M. Conlan Interface Designs to Help Users Choose Better Passwords (study design) Richard M. Conlan, Peter Tarasewich Northeastern University College of Computer & Information Science

© 2006 Richard M. Conlan Study Summary Implemented four password selection applets Each applet offers real-time feedback on password quality based on a continuously updated Password Quality Score (PQS) which it submits to the server along with the new password

© 2006 Richard M. Conlan Study Summary (cont.) Embedded applets into Dropbox-Online.com homework submission system Homework submission system implemented in PHP with MySQL database HTTPS site Be careful with SSL certs – browser support doesnt mean it is supported by Java, etc.

© 2006 Richard M. Conlan Study Summary (cont.) Decided to do a between-user study due to concern about confusion / learning effects Evenly distributed the password selection applets over the user population Forced users to change their passwords at three points in the semester Informed users of the study and got consent at the end of the semester

© 2006 Richard M. Conlan Help How should the Help be worded? Should it be specific to the applet? We decided to use the same Help across accounts, and based it on standard Help messages found on various web sites Might the users confusion at the password applet cause a problem that might be remedied by adequate help?

© 2006 Richard M. Conlan Structural Decisions Students were not informed of the study in advance because we felt that informing them that we were focusing on password quality would affect password choice We chose a classroom rather than a lab setting because in the lab it is hard to know if people are choosing realistic passwords and to get a genuine sense of whether people will remember the chosen passwords in a real-world usage setting

© 2006 Richard M. Conlan What to store? Password Quality Score

© 2006 Richard M. Conlan What to store? Password Quality Score Password

© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key?

© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords?

© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password?

© 2006 Richard M. Conlan What to store? Password Quality Score Password Did the user press the Help key? How many times did the user change passwords? How many times did the user forget his/her password? How many times did the user fail to login because of a bad password entry?

© 2006 Richard M. Conlan Storing Data Secure method of data storage? How to store reversible password? Considered depersonalized database on a separate computer – but realized that this is easy to brute force Considered encrypting under reversible encryption – but software needs key to encrypt/access data Ended up using MySQLs PASSWORD() hash to store password for login purposes and 4096-bit RSA encryption to store the reversible password

© 2006 Richard M. Conlan Other considerations? Trade-off between study results and security of user accounts? Should we require a minimum PQS? Minimum password length? Concern that applets could lead to worse passwords and have an adverse affect on security? Concern that requiring Java could be a problem? Concern that study database could be compromised to harvest data other than password data?

© 2006 Richard M. Conlan IRB We decided to meet with the IRB personal to describe the purpose of the study and why we needed to not divulge information beforehand. Found approval pretty easy once we had adequately explained the purpose of the study, justified the need for deception, and made it clear we were protecting user data. Note that the above was mostly verbal – once we had thoroughly explained it the paperwork just formalized the above in a rather compressed manner Lesson? Go talk to the IRB people.

© 2006 Richard M. Conlan IRB – Multi-tiered Participation We decided to try a multi-tiered consent form that offered students two levels of participation: –I grant the researchers permission to include my Password Quality Score (PQS) data in the study. –I grant the researchers permission to include all of my password data in the study (including my PQS). This turned out to be an excellent idea. Out of ~75 subjects 39 granted PQS access and less than 20 granted full access. Had we just asked for full access we probably would not have ended up with a useful body of data.

© 2006 Richard M. Conlan Soliciting Student Participation Rather than meeting with each student individually to go over debriefing we gave out consent forms, presented an explanation of the study to the class during a normal classroom period allowing for questions and answers, and then collected them after about ten minutes Only about half the subjects gave any sort of consent… …why? We tried to make sure students did not feel compelled to participate and explicitly stated that they would be offered no extra credit. Perhaps we should have offered an alternative incentive? Or given the students more time to decide? Or?

© 2006 Richard M. Conlan Soliciting YOUR Participation We are planning on doing a larger version of the study this fall involving a diverse student population, drawing users from different universities and programs The intent is to make the Dropbox-Online homework submission system available for other classes, and for the collaborating professors/TAs to get IRB approval and solicit student consent for their respective institutions The hopeful outcome will be enough data to draw strong conclusions on password selection UI design and a research paper for CHI2007

© 2006 Richard M. Conlan Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.