Improving Password Security and Usability with Data-Driven Approaches

Blase Ur, CMU

12:30pm Friday, 11 March 2016, ITE325b

Users often must make security and privacy decisions, yet are rarely equipped to do so. In my research, I aim to understand both computer systems and the humans who use them. Armed with this understanding, I design and build tools that help users protect their security and privacy.

In this talk, I will describe how I applied this research approach to password security and usability. As understanding what makes a password good or bad is crucial to this process, I will first discuss our work on metrics for password strength. These metrics commonly involve modeling password cracking, which we found often vastly underestimates passwords’ vulnerability to cracking in the real world. We instead propose combining a series of carefully configured approaches, which we found to conservatively model real-world experts. We used these insights to implement a Password Guessability Service, which is already used by nearly two dozen research groups. I will then discuss our work on another key step to helping users create better passwords: understanding why humans create the passwords they do. I will focus on the impact of password-strength meters and users’ perceptions of password security. By combining better metrics with an understanding of users, I show how we can design tools that guide users toward better passwords.

Blase Ur is a Ph.D. candidate at Carnegie Mellon University’s School of Computer Science, where he is advised by Lorrie Cranor. His research interests lie at the intersection of security, privacy, and human-computer interaction (HCI). In addition to his work on password security, he has studied numerous aspects of online privacy and the Internet of Things (IoT). Previously, he obtained his A.B. in Computer Science from Harvard University. He is the recipient of an NDSEG fellowship, a Fulbright scholarship, a Yahoo Key Scientific Challenges Award, the best paper award at UbiComp 2014, and honorable mentions for best paper at both CHI 2012 and CHI 2016.