[CSEE Talk] talk: Improving Password Security and Usability with Data-Driven Approaches

Tim Finin finin at cs.umbc.edu
Tue Mar 8 19:41:03 EST 2016


                           UMBC CSEE Seminar

                    IMPROVING PASSWORD SECURITY AND
                 USABILITY WITH DATA-DRIVEN APPROACHES

                             Blase Ur, CMU
                 12:30pm Friday, 11 March 2016, ITE325b

Users often must make security and privacy decisions, yet are rarely
equipped to do so. In my research, I aim to understand both computer
systems and the humans who use them. Armed with this understanding, I
design and build tools that help users protect their security and
privacy.

In this talk, I will describe how I applied this research approach to
password security and usability. As understanding what makes a
password good or bad is crucial to this process, I will first discuss
our work on metrics for password strength. These metrics commonly
involve modeling password cracking, which we found often vastly
underestimates passwords' vulnerability to cracking in the real
world. We instead propose combining a series of carefully configured
approaches, which we found to conservatively model real-world
experts. We used these insights to implement a Password Guessability
Service, which is already used by nearly two dozen research groups. I
will then discuss our work on another key step to helping users create
better passwords: understanding why humans create the passwords they
do. I will focus on the impact of password-strength meters and users'
perceptions of password security. By combining better metrics with an
understanding of users, I show how we can design tools that guide
users toward better passwords.

Blase Ur (http://blaseur.com/) is a Ph.D. candidate at Carnegie Mellon
University's School of Computer Science, where he is advised by Lorrie
Cranor. His research interests lie at the intersection of security,
privacy, and human-computer interaction (HCI). In addition to his work
on password security, he has studied numerous aspects of online
privacy and the Internet of Things (IoT). Previously, he obtained his
A.B. in Computer Science from Harvard University. He is the recipient
of an NDSEG fellowship, a Fulbright scholarship, a Yahoo Key
Scientific Challenges Award, the best paper award at UbiComp 2014, and
honorable mentions for best paper at both CHI 2012 and CHI 2016.

