Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 24 Oct 2018 13:31:28 +0200
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: paper on password reuse notifications

Hi,

I'll publicly bookmark this here:

http://mobsec.rub.de/forschung/veroeffentlichungen/designing-password-reuse-notifications/

 "What was that site doing with my Facebook password?"
 Designing Password-Reuse Notifications

   Maximilian Golla,  Miranda Wei,  Juliette Hainline,  Lydia Filipe,  Markus
   Duermuth, Elissa Redmiles, Blase Ur

   ACM Conference on  Computer and  Communications Security  2018 (CCS  '18).
   Toronto, Canada, October 15-19, 2018

Abstract

   Password reuse  is widespread,  so  a breach  of one  provider's  password
   database threatens accounts on other providers. When companies find stolen
   credentials on the black market and notice potential password reuse,  they
   may require  a password  reset  and send  affected users  a  notification.
   Through two user studies, we  provide insight into such notifications.  In
   Study 1, 180 respondents saw one of six representative notifications  used
   by  companies  in   situations  potentially   involving  password   reuse.
   Respondents answered questions about their reactions and understanding  of
   the situation. Notifications  differed in  the concern  they elicited  and
   intended actions  they  inspired.  Concerningly,  less  than  a  third  of
   respondents reported intentions to change  any passwords. In Study 2,  588
   respondents saw one of 15 variations on a model notification  synthesizing
   results from Study 1. While the variations' impact differed in small ways,
   respondents' intended actions  across all notifications  would leave  them
   vulnerable to future password-reuse attacks. We discuss best practices for
   password-reuse  notifications   and   how   notifications   alone   appear
   insufficient in solving password reuse.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.