Usable Passwords: Classic Edition

Final Results

Usable Passwords, Classic Edition

Advisor: Amy Csizmar Dalal, W/S

Background

Few phrases raise as much dread in the digital world as "Please select a secure password for this site." No doubt you've encountered this prompt and start to panic. Ok, at least 8 letters, one of which has to be a capital letter, plus at least one number and one symbol, but not a punctuation mark, ...

You know you're not supposed to use the same passwords across multiple sites. But how are you going to remember this one? You have like a zillion passwords. It can't hurt to reuse this password just this once, right?

Maybe you should use a password manager. But what if you forget that password? Should that password be easy to remember, or is that asking for trouble? Or maybe biometrics will save us? Except that biometrics can't be used in every situation. (And you have vague memories of a Mythbusters episode where they defeated a biometric scanner several different ways...)

Passwords are a fact of life, and one that's not going anywhere anytime soon. But passwords have a fundamental conflict: they can be secure, or they can be user-friendly. User-friendly passwords, those that are easy to remember, are often not secure. Secure passwords, those that follow best practices, are not at all user-friendly.

It turns out that there has been quite a bit of research into the "user-friendly passwords" space. And in fact, there are canonical papers on what makes a password user friendly and on how to achieve user friendliness. The question is: if there’s been so much research, why are passwords still largely, well, unusable? In particular, have those canonical papers really stood the test of time? These are the questions you’ll explore in this project

The project

In this project you will explore existing approaches to designing and implementing user-friendly passwords. In particular, you will do the following:

Study existing literature on approaches to designing and implementing user-friendly passwords.
Select one (or more!) canonical papers from the literature.
Re-create the approach and experiment(s) described in that paper.
Analyze the results to determine if this paper stands the test of time.

How easily were you able to implement the algorithm / system?
Were you able to replicate the results?
Is this algorithm / system / methodology secure against modern password-cracking tools?

My intent is that the team will select 2-3 canonical papers and work in small groups to implement and test them.

Deliverables

An implementation of the methodology / algorithm / system described in the classic paper you chose.
A re-creation and execution of the experiment(s) used to test the methodology / algorithm / system.
A written summary of how well the paper has stood the test of time.

Recommended experience

Courses that may be useful include Computer Security and Human-Computer Interaction, but neither of these are required for this project.

References/inspiration

We will spend the first couple of weeks exploring the canonical literature, but in the meantime, here are a few papers that give you a taste of the field.

Lorrie Cranor's work on usable and secure passwords
Rick Wash, Emilee Rader, Ruthie Berman, Zac Wellmer. "Understanding Password Choices: How Frequently Entered Passwords Are Re-used Across Websites." In Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), Denver, CO, June 2016.
Sean Segretti et al. "Diversify to Survive: Making Passwords Stronger with Adaptive Policies." In Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), Santa Clara, CA, July 2017.