Modeling inertia causatives:validating in the password manager adoption context

Cyber criminals are benefiting from the fact that people do not take the required precautions to protect their devices and communications. It is the equivalent of leaving their home’s front door unlocked and unguarded, something no one would do. Many efforts are made by governments and other bodies to raise awareness, but this often seems to fall on deaf ears. People seem to resist changing their existing cyber security practices: they demonstrate inertia. Here, we propose a model and instrument for investigating the factors that contribute towards this phenomenon

Passwords and the evolution of imperfect authentication

Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939

The light side of passwords: Turning motivation from the extrinsic to the intrinsic research in progress

There are many good and bad aspects to password authentication. They are mostly without cost, securing many accounts and systems, and allowing users access from anywhere in the world. However, passwords can elicit dark side phenomena, including security technostress; with many users feeling negatively towards them, as they struggle to cope with the sheer numbers required in their everyday lives. Much research has attempted to understand users’ interactions with passwords, examining the trade-off between security, memorability, user convenience, and suggesting techniques to manage them better. However, users continue to struggle. Many studies have shown that users are more concerned with goals other than security, such as convenience and memorability. Therefore, we need to offer another reason that will entice users to engage with the password process more securely. In this study, we suggest that engaging with the password process (creating, learning and recalling passwords) well, is similar to memory training. Therefore, we propose that the “light side” of passwords – the positive reason for properly creating and learning strong passwords, and recalling them successfully, will improve users’ memories for passwords and memory functioning in general. Consequently, changing their motivation from an extrinsic goal to an intrinsic goal – improved memory functioning

Revisiting Security Vulnerabilities in Commercial Password Managers

In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of the academic and non-academic sources and test each password manager against all the previously disclosed vulnerabilities. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsible disclosure of the newly discovered vulnerabilities to the corresponding password manager vendors