2023–24 Projects:
Advisor: Amy Csizmar Dalal, F/W
Few phrases raise as much dread in the digital world as "Please select a secure password for this site." No doubt you've encountered this prompt and started to panic. Ok, at least 8 characters, one of which has to be a capital letter, plus at least one number and one symbol, but not a punctuation mark, ...
You know you're not supposed to use the same passwords across multiple sites. But how are you going to remember this one? You have like a zillion passwords. It can't hurt to reuse this password just this once, right?
Maybe you should use a password manager. But what if you forget that password? Should that password be easy to remember, or is that asking for trouble?
Or maybe biometrics will save us? Except that biometrics can't be used in every situation. (And you have vague memories of a Mythbusters episode where they defeated a biometric scanner several different ways...)
Passwords are a fact of life, and one that's not going anywhere anytime soon. But passwords have a fundamental conflict: they can be secure, or they can be user-friendly. User-friendly passwords, those that are easy to remember, are often not secure. Secure passwords, those that follow best practices, are not at all user-friendly.
It turns out that there has been quite a bit of research into the "user-friendly passwords" space. This project will give you the opportunity to explore that space, and to realize why password systems have not gotten any more usable despite all of this research.
In this project you will explore existing approaches to designing and implementing user-friendly passwords. In particular, you will do the following:
Study existing literature on approaches to designing and implementing user-friendly passwords.
Identify several approaches from the literature.
Implement these approaches, and perform your own analysis on how well they work.
Analyze how secure the resulting passwords are against password cracking, both mathematically and using password-cracking tools.
Execute usability studies using Real Live Participants.
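As an added worked example for the "analyze mathematically" step (this is not code from the project page or from the advisor), the script below estimates the guess space and average cracking time for three policy styles: a composition policy (at least one character from each of several classes, counted exactly by inclusion-exclusion), a long single-class password, and a uniformly chosen word-list passphrase. The 95-character printable-ASCII alphabet, the 7776-word list size, and the two guess rates are assumptions chosen for illustration.

```python
"""Keyspace and guess-cost estimates for password policies.

Added example; not part of the original project page. Character-class
sizes assume the 95 printable ASCII characters (26 lower, 26 upper,
10 digits, 33 symbols). Guess rates in the demo are assumed, not measured.
"""
from itertools import combinations
from math import log2

# Printable-ASCII character classes (assumed alphabet for this example).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def brute_force_keyspace(length, charset_size=ALPHABET):
    """Number of strings of exactly `length` characters over a charset."""
    return charset_size ** length


def composition_keyspace(length, required=("lower", "upper", "digit", "symbol")):
    """Count strings of `length` over the full alphabet that contain at least
    one character from every class in `required` (inclusion-exclusion).

    Strings that *miss* every class in a subset S are easy to count: each
    position draws from ALPHABET minus the sizes of the classes in S.
    Alternating the sign over all subsets S of `required` yields the
    exact count of strings in which every required class is present.
    """
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def passphrase_keyspace(wordlist_size, words):
    """Passphrase of `words` words drawn uniformly from a list (e.g. Diceware)."""
    return wordlist_size ** words


def entropy_bits(keyspace):
    """Bits of entropy when the secret is chosen uniformly from `keyspace`."""
    return log2(keyspace)


def expected_crack_seconds(keyspace, guesses_per_second):
    """Average time to hit a uniformly chosen secret: half the space, on average."""
    return keyspace / 2 / guesses_per_second


if __name__ == "__main__":
    # Illustrative guess rates (assumed): a rate-limited web login versus an
    # offline attack against a fast, unsalted hash.
    rates = {"online, 100 guesses/s": 1e2, "offline fast hash, 1e10 guesses/s": 1e10}
    candidates = {
        "8 chars, all four classes required": composition_keyspace(8),
        "12 lowercase letters": brute_force_keyspace(12, CLASSES["lower"]),
        "5-word Diceware passphrase": passphrase_keyspace(7776, 5),
    }
    for name, space in candidates.items():
        print(f"{name}: {entropy_bits(space):.1f} bits")
        for label, rate in rates.items():
            days = expected_crack_seconds(space, rate) / 86400
            print(f"  {label}: about {days:.3g} days")
```

These numbers are upper bounds: they assume the password is drawn uniformly from the policy's keyspace. Human-chosen passwords cluster in a tiny corner of that space (dictionary words, names, dates, predictable substitutions), which is exactly why dictionary-and-rules attacks in cracking tools succeed far faster than the brute-force estimate, and why the "using password-cracking tools" half of the step matters as much as the math.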
My intent is that you'll each explore a different approach, or possibly do so in pairs, so that the team ends up implementing and evaluating 3-6 different approaches.
Courses that may be useful include Computer Security and Human-Computer Interaction, but neither of these is required for this project.
Lorrie Cranor's work on usable and secure passwords
Rick Wash, Emilee Rader, Ruthie Berman, Zac Wellmer. "Understanding Password Choices: How Frequently Entered Passwords Are Re-used Across Websites." In Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), Denver, CO, June 2016.
Sean Segreti et al. "Diversify to Survive: Making Passwords Stronger with Adaptive Policies." In Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), Santa Clara, CA, July 2017.
TBD