Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor
“I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab
password
ilovebillyC$1
AfNaHiLoco
Goals
• Understand precisely how people make passwords
  ◦ In-lab, think-aloud protocol
• How users assign value to accounts
• Users’ password-creation processes
• “Microdecisions” users think add security
Methodology
• 49-participant lab study
• Recruited using flyers / Craigslist
• 45 – 60 minutes, compensated $25
• Think aloud while creating 3 passwords:
• Follow-up questions to understand why
• Questions about general strategies
• Following distraction task, recall password
Security Metric: Guessability
• Guessability – how many guesses to crack?
  ◦ Threat model: large-scale guessing
• 10^14 guesses using Hashcat
• User-specific and site-specific attacks
Qualitative Analysis
• Based on affinity diagramming
  ◦ Collaboratively grouped 546 behaviors / strategies
• 25 broad themes
  ◦ 122 distinct behaviors
Limitations
• Small-scale, non-representative sample
• Limited ecological validity
  ◦ Only one use of passwords
  ◦ Test recall in same session
Results Outline
• Overview of participants
• Overview of passwords
• Security levels
• Strategies
Participants
• 49 participants
  ◦ 21 male
  ◦ 28 female
• Variety of occupations
  ◦ 24 students
  ◦ 16 employed
  ◦ 9 unemployed/retired
• Mean age 31 (median 24)
Passwords
• Transformed (Fahl et al., SOUPS 2013)
• 6 passwords trivially guessable
  ◦ gabriel, Password1!
• Half of passwords guessed
  ◦ e.g., Tyrone1975, Gandalf*8, Triptrip1963
• Half of passwords secure
  ◦ e.g., 5cupsoftoys, AfNaHiLoco, 7301Poplarblvd$
Security Levels
• 21 participants considered sites equal value
• Struggled matching password to security level
  ◦ P6’s high-value passwords both guessed
• Creating a password “stresses me out…I know I want a really strong password. Thinking through how I want to create that is tough.” (P18)
Strategies
Base password on site
• Insecure banking password
+Money369
• Secure news password
LEFTbrown8!
Knew to avoid dictionary words
• Insecure keyboard patterns
1Qazxsw2
• Secure (believed insecure)
junglesalmon711
• Secure (and believed secure)
Rjunglesalmon711@$
Build password around phrase
• Insecure
ilove1sttrust!
• Secure
AfNaHiLoco
Afraid of the Native Hipsters Loopily Coding
• Be the change because “someone wouldn’t think it necessarily applies to me” (P17)
Digits and symbols make it secure
• Insecure
Tyrone
• Insecure (believed secure)
  ◦ “Security is required for a bank account” (P37)
Tyrone1975
• “I added ‘!’ at the end to make it secure.” (P45)
Misunderstanding attackers
• Mahavishnu Orchestra is secure because “this band name is hard to spell” (P2)
• Goldie: “hackers cannot guess [it] because I have no pictures of him on my Facebook account.” (P7)
Conclusions
• Users had process, yet many misconceptions
Future Directions
• Help users assign value to accounts
• Promote secure creation processes
• Data-driven tools
Password Guessability Service