"What was that site doing with my Facebook password?": Designing Password-Reuse Notifications
Authors: Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles

Date: October 15 2018
Publication: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18)
Page(s): 1549 - 1566
Publisher: ACM
Source 1: https://doi.org/10.1145/3243734.3243767
Source 2: http://www.cs.umd.edu/~eredmiles/pwdreuse.pdf
Source 3: https://mirandawei.com/assets/ccs18.pdf

Abstract or Summary:
Password reuse is widespread, so a breach of one provider's password database threatens accounts on other providers. When companies find stolen credentials on the black market and notice potential password reuse, they may require a password reset and send affected users a notification. Through two user studies, we provide insight into such notifications. In Study 1, 180 respondents saw one of six representative notifications used by companies in situations potentially involving password reuse. Respondents answered questions about their reactions and understanding of the situation. Notifications differed in the concern they elicited and intended actions they inspired. Concerningly, less than a third of respondents reported intentions to change any passwords. In Study 2, 588 respondents saw one of 15 variations on a model notification synthesizing results from Study 1. While the variations' impact differed in small ways, respondents' intended actions across all notifications would leave them vulnerable to future password-reuse attacks. We discuss best practices for password-reuse notifications and how notifications alone appear insufficient in solving password reuse.

PasswordResearch.com Note: Additional author: Blasé Ur Video of presentation: https://www.youtube.com/watch?v=YUyelgsDWZA

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2019 PasswordResearch.com