SaTC: CORE: Small: Identifying and Quantifying Design Principles For Improving Password Manager Usage

SaTC：核心：小型：识别和量化改进密码管理器使用的设计原则

• 批准号: 2226404
• 负责人: Scott Ruoti
• 金额: $ 50万
• 依托单位: University of Tennessee Knoxville
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2226404&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Identifying; Quantifying

To be safe, people need to select strong passwords that attackers can’t guess. They also need a different password for every one of their accounts. The difficulty of this task leads many people to select weak passwords or reuse passwords. Password managers seek to improve password quality by helping people create, store, and enter passwords, allowing for the creation of stronger and unique passwords. However, prior research has shown that while people like their password managers, they fail to use many of the password manager’s security-critical functionality. For example, many people only store passwords of their own creation, ignoring the password manager’s password generation feature, leaving themselves vulnerable to attack. This project will address this problem by measuring the extent to which different designs can encourage people to use all the security-critical functionality their password manager provides. Not only will this work increase the scientific understanding of how to build password managers and other authentication systems, but it will also offer tangible security and usability benefits to password manager users. These security and usability benefits will positively impact societal welfare and national defense.This project will work to identify design principles to improve password managers’ usability, utility, and utilization in three areas. First, this project will address password generation, making it easier to enter generated passwords on a wide range of devices—for example, tablets, TVs, game consoles, etc. This will be accomplished by surveying people regarding the devices where they enter passwords, measuring those devices’ input characteristics, and designing password generation schemes that consider those characteristics. User studies comparing these prototypes will measure their relative effectiveness. Second, this project will improve password managers’ health check functionality. This will be done by conducting exploratory user studies to understand impediments to using password health checks correctly and frequently, prototyping systems that address those impediments, then measuring the effectiveness of those prototypes in user studies. Third, this project will explore how password managers can better support the symbiotic needs of parents and children. This will be done by interviewing and surveying parents and children to understand their authentication needs and how they currently use password managers, designing and prototyping approaches for addressing those needs, and evaluating those prototypes through user studies. Design principles identified throughout this research will be summarized in research papers and on a public-facing website that synthesizes this project’s results in a manner easily digested by password manager vendors and other researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

为了安全起见，人们需要选择攻击者无法猜测的强密码。他们还需要为每个帐户设置不同的密码。这项任务的难度导致许多人选择弱密码或重复使用密码。密码管理器试图通过帮助人们创建、存储和输入密码来提高密码质量，从而允许创建更强大和唯一的密码。然而，先前的研究表明，虽然人们喜欢他们的密码管理器，但他们无法使用密码管理器的许多安全关键功能。例如，许多人只存储自己创建的密码，而忽略了密码管理器的密码生成功能，使自己容易受到攻击。该项目将通过测量不同设计可以鼓励人们使用其密码管理器提供的所有安全关键功能的程度来解决这个问题。这项工作不仅将增加对如何构建密码管理器和其他身份验证系统的科学理解，而且还将为密码管理器用户提供切实的安全性和可用性好处。这些安全性和可用性的好处将积极影响社会福利和国防。本项目将致力于确定设计原则，以提高密码管理器的可用性，实用性和利用三个领域。首先，该项目将解决密码生成问题，使其更容易在各种设备上输入生成的密码-例如，平板电脑，电视，游戏机等。这将通过调查人们输入密码的设备，测量这些设备的输入特性，并设计考虑这些特性的密码生成方案来实现。比较这些原型的用户研究将衡量它们的相对有效性。其次，该项目将改进密码管理器的健康检查功能。这将通过进行探索性用户研究来完成，以了解正确和频繁使用密码健康检查的障碍，解决这些障碍的原型系统，然后在用户研究中测量这些原型的有效性。第三，这个项目将探讨密码管理器如何更好地支持父母和孩子的共生需求。这将通过采访和调查父母和孩子来完成，以了解他们的身份验证需求以及他们目前如何使用密码管理器，设计和原型方法来满足这些需求，并通过用户研究评估这些原型。整个研究过程中确定的设计原则将在研究论文和面向公众的网站上进行总结，该网站以密码管理器供应商和其他研究人员容易理解的方式综合了该项目的结果。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

"If I could do this, I feel anyone could:" The Design and Evaluation of a Secondary Authentication Factor Manager

“如果我能做到这一点，我觉得任何人都可以：”二级认证因素管理器的设计和评估

• 发表时间: 2023
• 期刊: Proceedings of the USENIX Security Symposium
• 作者: Smith, Garrett;Yadav, Tarun;Dutson, Jonathan;Routi, Scott;Seamons, Kent
• 通讯作者: Seamons, Kent