All password management approaches trust the intermediary terminal with the user's plaintext credentials, i.e., passwords. This is due to the inherent difficulty of authenticating without introducing server-side modifications.
Our discussion above raises several questions that we intend to answer through our study. These include:
- How do the three PMs compare in terms of usability? Usability can be measured with respect to perceived toughness, satisfaction and ease of use.
- How do the three PMs compare in terms of security and protection of passwords? This covers giving control of passwords to a program and perceived security.
- How do the three PMs compare in terms of their perceived necessity and acceptance? In other words, would users be willing to adopt them in practice?
- How do the three PMs compare in terms of all security and usability measures taken together?
- How do the three PMs compare across a diverse set of users categorized based on background (technical or non-technical)? Also, what is the effect of different users' backgrounds on each PM?
3 Study Preliminaries
Password Manager Implementations: Our goal is to compare the three PMs - USB manager (denoted as USB henceforth), phone manager (Phone) and online manager (Online) - in terms of their usability and security, as perceived by average users. We also intend to evaluate each PM according to several underlying tasks, including registration, login from a personal computer, login from a remote computer, change password, and login with a changed password (these tasks are explained in Section 4.2). This implies that each user would need to execute all these tasks to evaluate a PM, which might lead to a lengthy overall experimentation period per user. This in turn might cause user fatigue and influence the results of the study. To avoid this, it was paramount that no more than one PM of each type (USB, Phone and Online) be selected for the study. This necessitated selecting only those PM implementations that are representative of their respective PM category.
As discussed previously, a number of commercial and popular options exist that could be used in our study. These include (to name a few) LastPass [7] and Mozilla Weave Sync [8] as Online managers; KeePassMobile for J2ME-enabled devices [10] and OpenIntents Safe for Android [11] as Phone managers; Roboform2Go [6] and HandyPassword [14] as USB managers. Numerous other implementations exist, as listed in an online survey of PMs [15]. Fortunately, the user actions involved in all PM implementations of a given category are roughly similar to one another. For example, to log in using any of these USB managers, the user simply needs to connect her USB drive to the USB port of her computer terminal, and type in her master password to unlock the password to be recalled. To log in using any of the Phone managers, the user needs to first unlock her phone with a master password and then copy the password to be recalled, displayed on the phone's screen, onto the keypad of the terminal. Similarly, in order to log in using an Online manager, the user only needs to type in her
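The property stated in the opening note, that every manager category ends by handing the recalled password to the terminal in plaintext, can be made concrete with a small model. The following Python is an added example, not code from the paper or from any of the managers named above; the vault format, the HMAC-SHA256 counter-mode keystream (a stand-in for AES, used only because the standard library has no block cipher), the `Terminal` class and the three flow functions are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed example: a minimal master-password-protected vault plus the three
# login flows described in the text (USB, Phone, Online). All names are assumptions.
KDF_ITERATIONS = 200_000


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode. A stand-in for AES-CTR, used only because
    the Python standard library ships no block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def seal_vault(master_password, site_password):
    """Encrypt-then-MAC the site password under keys derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = site_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_vault(master_password, vault):
    """Verify the tag first; a wrong master password or a tampered vault is rejected."""
    enc_key, mac_key = derive_keys(master_password, vault["salt"])
    expected = hmac.new(mac_key, vault["salt"] + vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks)).decode()


class Terminal:
    """The computer the user logs in from. It records every password it is
    given, which is what a compromised terminal would do."""

    def __init__(self):
        self.seen = []

    def type_password(self, password):
        self.seen.append(password)


def login_usb(terminal, vault, master):
    # USB manager: the drive is plugged into the terminal and the master password
    # unlocks the vault on that same terminal, which then receives the site password.
    terminal.type_password(open_vault(master, vault))


def login_phone(terminal, vault, master):
    # Phone manager: the vault is unlocked on the phone, the password is shown on
    # the screen, and the user types it into the terminal by hand.
    shown_on_phone = open_vault(master, vault)
    terminal.type_password(shown_on_phone)


def login_online(terminal, vault, master):
    # Online manager: the vault is downloaded from the service and unlocked in
    # the terminal's browser with the master password.
    downloaded = dict(vault)
    terminal.type_password(open_vault(master, downloaded))


def run_all(master="correct horse", site_password="s1te-P@ss"):
    """Run the three flows against one vault and return what each terminal saw."""
    vault = seal_vault(master, site_password)
    results = {}
    for name, flow in (("USB", login_usb), ("Phone", login_phone), ("Online", login_online)):
        terminal = Terminal()
        flow(terminal, vault, master)
        results[name] = terminal.seen
    return results


if __name__ == "__main__":
    for name, seen in run_all().items():
        print(f"{name}: terminal received {seen}")
```

Running `run_all()` shows each category's `Terminal` ending up with the same plaintext site password. The key derivation and authenticated encryption protect the vault at rest and reject a wrong master password, which is what the study's "protection of passwords" question is about; they do nothing about the terminal itself, which is the trust assumption the opening note states.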