A Comparative Usability Evaluation of Traditional
Password Managers
Ambarish Karole¹, Nitesh Saxena¹, and Nicolas Christin²
¹ Polytechnic Institute of New York University
² Carnegie Mellon University
Abstract. Proposed in response to the growing number of passwords users have to memorize, password managers allow users to store their credentials either on a third-party server (online password manager) or on a portable device (portable password manager) such as a mobile phone or a USB key. In this paper, we present a comparative usability study of three popular password managers: an online manager (LastPass), a phone manager (KeePassMobile) and a USB manager (Roboform2Go). Our study provides valuable insights on average users' perception of security and usability of the three password management approaches. We find, contrary to our intuition, that users overall prefer the two portable managers over the online manager, despite the better usability of the latter. Also, surprisingly, our non-technical pool of users shows a strong inclination towards the phone manager. These findings can generally be credited to the fact that the users were not comfortable giving control of their passwords to an online entity and preferred to manage their passwords themselves on their own portable devices. Our results prompt the need for research on developing user-friendly and secure phone managers, owing to the ubiquity of mobile phones.
1 Introduction
Typical credentials employed for user authentication fall into the following categories of authentication “factors”: (1) “Something You Know,” such as passwords or PINs, (2) “Something You Have,” such as a token or a card, and (3) “Something You Are,” such as biometrics; or combinations thereof. Of these, passwords or PINs are the most widely deployed, for authentication to remote servers, ATMs and mobile phones.
For more than a decade, users have been asked to memorize an increasing number of passwords [1] to authenticate to various online services. While users can usually easily memorize a couple of passwords, the current explosion of the number of passwords each user has to maintain is severely testing the limits of their cognitive abilities [2]. This leads to “weak” choices in practice. For example, users often tend to choose short and “low-entropy” passwords [3,4], enabling offline dictionary attacks and brute-forcing attempts, or they write passwords down or use the same password at multiple sites [5].
Password Managers (PMs) attempt to solve this conundrum by having a computing device, rather than the user herself, store (and optionally, generate) passwords, and then later deliver or recall them to the user whenever access is needed. To this end, a number of password management schemes have been proposed and are used currently.
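The paragraph above describes what a password manager does (generate, store, recall) without showing the mechanics that make a portable or local manager safe to carry around. The following is an added, self-contained illustration written for this page; it is not code from LastPass, KeePassMobile or Roboform2Go. It generates high-entropy per-site passwords with the OS CSPRNG, stretches the user's single master password into vault keys with PBKDF2-HMAC-SHA256, and seals each entry with encrypt-then-MAC so that a wrong master password or a tampered vault file is detected rather than silently yielding garbage. The keystream construction (HMAC-SHA256 in counter mode) and the iteration count are assumptions chosen to keep the example standard-library only; a production manager would use an AEAD such as AES-GCM and a memory-hard KDF.

```python
"""Minimal local password-manager vault (illustrative; not any real product's code)."""
import hashlib
import hmac
import json
import os
import secrets
import string

KDF_ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example
NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Generate a password from the OS CSPRNG; 16 chars over ~94 symbols is ~105 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_keys(master_password, salt):
    """Stretch the master password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: fresh nonce, XOR with keystream, tag over nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault entry failed authentication (wrong master password or tampering)")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


class Vault:
    """Per-site credentials sealed under keys derived from one master password."""

    def __init__(self, master_password, salt=None):
        self.salt = salt if salt is not None else os.urandom(SALT_LEN)
        self._enc_key, self._mac_key = derive_keys(master_password, self.salt)
        self.entries = {}  # site -> sealed blob; the master password is never stored

    def store(self, site, username, password=None):
        """Store a credential, generating a random password when none is given."""
        password = password if password is not None else generate_password()
        record = json.dumps({"username": username, "password": password}).encode("utf-8")
        self.entries[site] = seal(self._enc_key, self._mac_key, record)
        return password

    def recall(self, site):
        """Decrypt and return {'username': ..., 'password': ...} for a site."""
        return json.loads(open_sealed(self._enc_key, self._mac_key, self.entries[site]))

    def export(self):
        """Serialise the vault as it would be written to a phone or USB key."""
        return {"salt": self.salt.hex(),
                "entries": {s: b.hex() for s, b in self.entries.items()}}

    @classmethod
    def load(cls, master_password, data):
        """Reopen an exported vault; a wrong master password fails on the first recall."""
        vault = cls(master_password, bytes.fromhex(data["salt"]))
        vault.entries = {s: bytes.fromhex(b) for s, b in data["entries"].items()}
        return vault


def roundtrip_demo(master="correct horse battery staple"):
    """Constructed walk-through: store, export to 'the device', reload, recall."""
    vault = Vault(master)
    generated = vault.store("example.com", "alice")          # constructed sample site
    on_device = vault.export()
    reopened = Vault.load(master, on_device)
    return generated, reopened.recall("example.com")


if __name__ == "__main__":
    pw, entry = roundtrip_demo()
    print("generated:", pw)
    print("recalled :", entry)
```

The important design choice for the portable case the paper studies is that the device holds only the salt and sealed blobs: losing the phone or USB key exposes ciphertext that still has to be attacked through the KDF, and a wrong master password is reported as an authentication failure rather than as decrypted junk.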