Date: Wed, 24 Oct 2018 13:31:28 +0200 From: Solar Designer <solar@...nwall.com> To: passwords@...ts.openwall.com Subject: paper on password reuse notifications Hi, I'll publicly bookmark this here: http://mobsec.rub.de/forschung/veroeffentlichungen/designing-password-reuse-notifications/ "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Duermuth, Elissa Redmiles, Blase Ur ACM Conference on Computer and Communications Security 2018 (CCS '18). Toronto, Canada, October 15-19, 2018 Abstract Password reuse is widespread, so a breach of one provider's password database threatens accounts on other providers. When companies find stolen credentials on the black market and notice potential password reuse, they may require a password reset and send affected users a notification. Through two user studies, we provide insight into such notifications. In Study 1, 180 respondents saw one of six representative notifications used by companies in situations potentially involving password reuse. Respondents answered questions about their reactions and understanding of the situation. Notifications differed in the concern they elicited and intended actions they inspired. Concerningly, less than a third of respondents reported intentions to change any passwords. In Study 2, 588 respondents saw one of 15 variations on a model notification synthesizing results from Study 1. While the variations' impact differed in small ways, respondents' intended actions across all notifications would leave them vulnerable to future password-reuse attacks. We discuss best practices for password-reuse notifications and how notifications alone appear insufficient in solving password reuse. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.