
A framework for modeling password management risks and costs, and the beginnings of a good strategy for users to help them manage passwords for their often large portfolios of accounts is outlined in the paper Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts | USENIX Security 2014 (note the full pdf text is already available). It is covered e.g. at

Basically, since it is impossible for users to remember good, unique passwords for dozens or hundreds of different accounts, and since some accounts have low risks to the user if they are compromised (e.g. passwords to log in to a newspaper site to read stories), they explain that "password re-use can be part of a coping strategy". They suggest that people can group together accounts with high value plus low probability of compromise, and those with low value plus high compromise probability, and reuse the same password within each group. Their analysis also covers password managers, which shift some of the risks around to some degree. On that topic see also How to evaluate a password manager?. I'll add that hybrid strategies can also make sense, e.g. using a password manager for some groups of accounts.

They note the need to understand and explain how users can trade off user effort at remembering passwords with the probability that the password is compromised. This site has gathered some wisdom relative to that: What is your way to create good passwords that can actually be remembered?

They also note the need for future study to understand, model and explain the losses due to compromises of various types of accounts. So my question for the risk-management experts and those adept at explaining things in ways that connect with users is, how can we best help users understand the kinds of risks they face if accounts of various types are compromised? E.g. compromise of a password for an online bitcoin wallet presumably means the unrecoverable loss of all the bitcoins stored there. But compromise of the password for reading articles on a newspaper site may have little or no meaningful impact on the user, and in fact some groups of users try to share accounts and passwords for these sorts of sites with their friends. Other kinds of accounts are traditional banks (with some hope of recovery of stolen funds), social media, email, work-related passwords, web services, wifi access, encryption keys, etc. Sometimes the losses may not be obvious to the users (e.g. risks of identity theft, reputation loss, etc).

nealmcb

1 Answer


This is an open research question, actually.

It's a bit hard for users to cope with security advice; just like choosing strong passwords takes time, rationalising over password reuse does so as well. You're probably aware of The Compliance Budget and More is Not the Answer since you cite Herley.

So, it's unlikely that a conscious security awareness program is fruitful in the general case because it'd take up more effort, time and cognitive load for users (if they decide to pay attention to it at all), and this is what is already scarce. It'd be very difficult to experimentally validate that a password strategy awareness scheme pays off. You'd need to show that the time and effort investment is made voluntarily by users in their real-world settings (something extremely few people in our field acknowledge because it'd make them publish slower :) ), and that the cost associated with it is significantly less than the benefit it provides in simplifying password handling for end-users. You'd need to do that for various systems and participant demographics to have a viable end-user strategy.

You could do training on specific populations for which the training time can be acknowledged as part of their primary occupation. For instance, system administrators and executives are high-risk populations and their employers would be wise to explicitly allocate security training and security management time for them.

For the general end-user population, it's probably better to outline the value of assets to be protected when choosing a password rather than insisting on using strong and unique passwords. For instance, email, online payment and bank accounts must retain unique passwords. Other sites should allow more flexible options such as federated ID, one-time passwords (based on email/phone) and weak passwords. Since you're citing current research from some of the topic's world experts, you probably know there's nothing better out there already.

Steve Dodier-Lazaro
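The grouping strategy the question summarises from the paper (reuse one password within a group of accounts, chosen by value and compromise probability) and the answer's rule that email, payment and bank accounts must keep their own password can both be made concrete with a small expected-loss model. The Python below is an added example; it is not code from either post or from the USENIX paper, whose cost model is richer. Everything in it is assumed for illustration: the account values and per-year leak probabilities are constructed, leaks at different sites are treated as independent, loss is taken as the full value of every account that shares a leaked password, and the `CRITICAL` set is a hypothetical reading of the answer's advice.

```python
"""Toy expected-loss model for a password portfolio.

Added example, not code from either post or from the USENIX paper (whose cost
model is richer). Assumptions: each account has a constructed value V (loss if
it is taken over) and an independent per-year probability p that its password
leaks through that site (breach, phishing). Reusing one password across a group
means a leak at any member exposes every member, so the group is lost as a unit.
"""
from math import prod

# Constructed sample portfolio: name -> (value_if_lost, p_leak_per_year).
# Figures are illustrative only; email's value is set high because it resets
# most other accounts.
PORTFOLIO = {
    "bitcoin_wallet": (5000.0, 0.01),
    "bank":           (2000.0, 0.01),
    "email":          (3000.0, 0.02),
    "social":         (200.0, 0.05),
    "newspaper":      (5.0, 0.10),
    "forum":          (5.0, 0.15),
    "recipes":        (2.0, 0.10),
}

# Accounts the answer says must keep their own password (hypothetical list).
CRITICAL = {"email", "bank", "bitcoin_wallet"}


def group_compromise_prob(group):
    """P(at least one member's password leaks) = 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - PORTFOLIO[a][1] for a in group)


def expected_loss(groups):
    """Expected annual loss for a partition of the portfolio into password groups.

    Each group shares one password, so its whole value is at stake whenever any
    member leaks. Effort is simply len(groups), the passwords to remember.
    """
    return sum(group_compromise_prob(g) * sum(PORTFOLIO[a][0] for a in g)
               for g in groups)


def shared_critical(groups, critical=CRITICAL):
    """Critical accounts that share a password with anything else (should be empty)."""
    return sorted(a for g in groups if len(g) > 1 for a in g if a in critical)


def partitions(items):
    """Yield every way to split items into non-empty groups (Bell-number many)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in partitions(rest):
        for i, g in enumerate(smaller):      # join an existing group ...
            yield smaller[:i] + [[first] + g] + smaller[i + 1:]
        yield [[first]] + smaller            # ... or start a new one


def best_strategy(max_passwords):
    """Lowest expected loss reachable with at most max_passwords distinct passwords.

    Brute force over all set partitions (877 for 7 accounts); returns
    (loss, groups). This is the finite-effort trade-off: fix the effort
    budget, then see which reuse pattern costs least.
    """
    best = None
    for parts in partitions(list(PORTFOLIO)):
        if len(parts) > max_passwords:
            continue
        loss = expected_loss(parts)
        if best is None or loss < best[0]:
            best = (loss, parts)
    return best


if __name__ == "__main__":
    unique = [[a] for a in PORTFOLIO]
    shared = [list(PORTFOLIO)]
    print(f"all unique : {len(unique)} passwords, loss {expected_loss(unique):8.2f}")
    print(f"all shared : {len(shared)} password,  loss {expected_loss(shared):8.2f}")
    for k in range(1, len(PORTFOLIO) + 1):
        loss, parts = best_strategy(k)
        flag = " (critical shared!)" if shared_critical(parts) else ""
        print(f"budget {k}: loss {loss:8.2f}  groups {parts}{flag}")
```

Run as a script, the sweep over the password budget shows the shape of the argument: with the constructed figures, the cheapest four-password strategy keeps the wallet, bank and email each on their own password and pools the four low-value accounts, costing little more than seven unique passwords, while a single shared password is ruinous. The model deliberately leaves out what the question flags as still unmodelled: partial recovery at banks, indirect losses such as identity theft, and the fact that a breached site's password is only dangerous elsewhere if the attacker tries it there.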