Influencing user password choice through peer pressure

Passwords are the main means of authenticating users in most systems today. However, they have been identified as a weak link to the overall security of many systems and much research has been done in order to enhance their security and usability. Although, many schemes have been proposed, users still find it challenging to keep up with password best practices. Our current work is based on recent research indicating that social navigation can be used to guide users to safer, more secure practices regarding computer security and privacy. Our goal is the evaluation of a novel concept for a proactive password checking mechanism that analyzes and presents to users, information about their peer's password strength. Our proposed proactive password feedback mechanism is an effort to guide users in creating better passwords by relating their password strength to that of other system users. We hypothesized that this would enable users to have a better understanding of their password's strength in regards to the system at hand and its users' expectations in terms of account security. We evaluated our mechanism with two between-subjects laboratory studies, embedding our proactive password checking scheme in the Campus Wide Login (CWL) mechanism for changing an account's password. In our study, we compared the password entropy of participants assigned to our proposed mechanism to this of participants assigned to the current CWL implementation (no feedback) as well as to the traditional horizontal bar, employed by many web sites, which provides feedback in the form of absolute password strength characterization. Our results revealed significant effect on improving password strength between our motivator and the control condition as well as between the group using the existing motivator and the control group. Although, we found a difference between the no feedback condition and the two feedback conditions, we did not find any difference between feedback conditions (i.e., relative vs. absolute strength assessment). However, our results show that relating password strength to that of one's peers, while maintaining the standard visual cues, may yield certain advantages over lack of feedback or current practices.Applied Science, Faculty ofElectrical and Computer Engineering, Department ofGraduat

Heuristics for Evaluating IT Security Management Tools

The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics are hard to apply as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. We propose a set of ITSM usability heuristics that are based on activity theory, are supported by prior research, and consider the complex and cooperative nature of security management. In a between-subjects study, we compared the employment of the ITSM and Nielsen’s heuristics for evaluation of a commercial identity management system. Participants who used the ITSM set found more problems categorized as severe than those who used Nielsen’s. As evaluators identified different types of problems with the two sets of heuristics, we recommend employing both the ITSM and Nielsen’s heuristics during evaluation of ITSM tools