A potential drawback of graphical password schemes is that they are more vulnerable to shoulder surfing than conventional alphanumeric text passwords. We present a variation of the Draw-a-Secret scheme originally proposed by Jermyn et al. [1] that is more resistant to shoulder surfing through the use of a qualitative mapping between user strokes and the password, and the use of dynamic grids to both obfuscate attributes of the user secret and encourage them to use different surface realizations of the secret. The use of qualitative spatial relations relaxes the tight constraints on the reconstruction of a secret, allowing a range of deviations from the original. We describe QDAS (Qualitative Draw-A-Secret), an initial implementation of this graphical password scheme, and the results of an empirical study in which we examined the memorability of secrets, and their susceptibility to shoulder-surfing attacks, for both Draw-A-Secret and QDAS.
"Graphical passwords & qualitative spatial relations." D. Lin, Paul Dunphy, P. Olivier, Jeff Yan. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280708
Shoulder-surfing -- using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information -- is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user's password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.
"Reducing shoulder-surfing by using gaze-based password entry." Manu Kumar, Tal Garfinkel, D. Boneh, T. Winograd. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280683
Tor is a popular privacy tool designed to help achieve online anonymity by anonymising web traffic. Employing cognitive walkthrough as the primary method, this paper evaluates four competing methods of deploying Tor clients, and a number of software tools designed to be used in conjunction with Tor: Vidalia, Privoxy, Torbutton, and FoxyProxy. It also considers the standalone anonymous browser TorPark. Our results show that none of the deployment options are fully satisfactory from a usability perspective, but we offer suggestions on how to incorporate the best aspects of each tool. As a framework for our usability evaluation, we also provide a set of guidelines for Tor usability compiled and adapted from existing work on usable security and human-computer interaction.
"Usability of anonymous web browsing: an examination of Tor interfaces and deployability." Jeremy Clark, P. V. Oorschot, C. Adams. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280687
The popularity of social networking websites such as Facebook and the subsequent levels and depth of online disclosures have raised several concerns for user privacy. Previous research into these sites has indicated the importance of disclosures between users as well as an under-utilization of extensive privacy options. This study qualitatively examines college students' disclosure and privacy behaviors and attitudes on Facebook.com. Results support current research into social networking and privacy and provide user-generated explanations for observed disclosure and privacy trends. Implications for future research into privacy software are discussed.
"Examining privacy and disclosure in a social networking community." K. Strater, H. Lipford. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280706
J. Bethencourt, W. Y. Low, Isaac Simmons, Matthew M. Williamson
In many applications, hosts in a peer-to-peer network may wish to maintain their anonymity or the privacy of their queries. In some applications, an even stronger guarantee is desirable: hosts would like to prevent others from determining whether they participate in the network at all. Darknets, or friend-to-friend networks, are one approach to preventing the discovery of hosts within a peer-to-peer network [1]. In such a network, hosts only form Internet connections with and directly communicate with a small set of hosts whose operators are known and trusted a priori. That is, each user only connects to her friends, trusting that her friends will not reveal her identity or existence in the network.
"Establishing darknet connections: an evaluation of usability and security." J. Bethencourt, W. Y. Low, Isaac Simmons, Matthew M. Williamson. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280700
Steve Sheng, Bryant Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, Jason I. Hong, Elizabeth Ferrall-Nunge
In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.
"Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish." Steve Sheng, Bryant Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, Jason I. Hong, Elizabeth Ferrall-Nunge. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280692
Sara Gatmir-Motahari, C. Manikopoulos, S. R. Hiltz, Quentin Jones
Review of the literature suggests seven fundamental privacy challenges in the domain of ubiquitous social computing. To date, most research in this area has focused on the features associated with the revelation of personal location data. However, a more holistic view of privacy concerns that acknowledges these seven risks is required if we are to deploy privacy-respecting next-generation social computing applications. We highlight the threat associated with user inferences made possible by knowledge of the context and use of social ties. We also describe work in progress to both understand user perceptions and build a privacy-sensitive urban enclave social computing system.
"Seven privacy worries in ubiquitous social computing." Sara Gatmir-Motahari, C. Manikopoulos, S. R. Hiltz, Quentin Jones. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280713
Persistence and cost are the two factors that have motivated several studies about better practices for dealing with security incidents [5]. However, there is not much literature about IT professionals who have to deal with security incidents, in terms of which tasks they actually perform and which resources they need to handle the complex scenarios given by real incidents [6]. This lack of research makes it difficult to evaluate and improve the support that IT security professionals need to respond efficiently to security incidents.
"Detecting, analyzing and responding to security incidents: a qualitative analysis." R. Werlinger, David Botta, K. Beznosov. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280702
Healthcare providers and their IT staff, working in an effort to balance appropriate accessibility with stricter security mandates, are considering the use of a single network sign-on approach for authentication and password management. There is an inherent tension between an authentication mechanism's security strength and the privacy implications of using that authentication technology. This is particularly true with single sign-on authentication. While single sign-on does facilitate authentication, our ongoing field work in a regional hospital reveals several unanticipated privacy implications.
"Privacy implications for single sign-on authentication in a hospital environment." Rosa R. Heckle, W. Lutters. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280714
David Botta, R. Werlinger, André Gagné, K. Beznosov, Lee Iverson, S. Fels, Brian D. Fisher
We report preliminary results of our ongoing field study of IT professionals who are involved in security management. We interviewed a dozen practitioners from five organizations to understand their workplace and tools. We analyzed the interviews using a variation of Grounded Theory and predesigned themes. Our results suggest that the job of IT security management is distributed across multiple employees, often affiliated with different organizational units or groups within a unit and responsible for different aspects of it. The workplace of our participants can be characterized by their responsibilities, goals, tasks, and skills. Three skills stand out as significant in the IT security management workplace: inferential analysis, pattern recognition, and bricolage.
"Towards understanding IT security professionals and their tools." David Botta, R. Werlinger, André Gagné, K. Beznosov, Lee Iverson, S. Fels, Brian D. Fisher. Symposium On Usable Privacy and Security, 2007-07-18. https://doi.org/10.1145/1280680.1280693