"What was that site doing with my Facebook password?": Designing Password-Reuse Notifications
Date: October 15 2018
Publication: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18)
Page(s): 1549 - 1566
Source 1: https://doi.org/10.1145/3243734.3243767
Source 2: http://www.cs.umd.edu/~eredmiles/pwdreuse.pdf
Source 3: https://mirandawei.com/assets/ccs18.pdf
Abstract or Summary:
Password reuse is widespread, so a breach of one provider's password database threatens accounts on other providers. When companies find stolen credentials on the black market and notice potential password reuse, they may require a password reset and send affected users a notification. Through two user studies, we provide insight into such notifications. In Study 1, 180 respondents saw one of six representative notifications used by companies in situations potentially involving password reuse. Respondents answered questions about their reactions and understanding of the situation. Notifications differed in the concern they elicited and intended actions they inspired. Concerningly, less than a third of respondents reported intentions to change any passwords. In Study 2, 588 respondents saw one of 15 variations on a model notification synthesizing results from Study 1. While the variations' impact differed in small ways, respondents' intended actions across all notifications would leave them vulnerable to future password-reuse attacks. We discuss best practices for password-reuse notifications and how notifications alone appear insufficient in solving password reuse.
PasswordResearch.com Note: Additional author: Blasé Ur Video of presentation: https://www.youtube.com/watch?v=YUyelgsDWZA
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.