The password thicket: technical and market failures in human authentication on the web
Joseph Bonneau, Sören Preibusch ({jcb82,sdp36}@cl.cam.ac.uk)
Computer Laboratory, University of Cambridge
WEIS 2010, The Ninth Workshop on the Economics of Information Security
Boston, MA, USA, June 7, 2010
J. Bonneau, S. Preibusch (U. of Cambridge) The password thicket June 7, 2010 1 / 28
Password authentication is losing viability
Illustrated by four incidents:
- Twitter hack (July 2009)
- RockYou SQL injection hack (January 2010)
- Zuckerberg e-mail hacking (2005)
- Twitter mass reset (February 2010)
A thicket 30 years in the making
"We've conducted experiments to try to determine typical users' habits in the choice of passwords . . . The results were disappointing, except to the bad guy."
—Morris and Thompson, 1979
Conventional wisdom is gloomy
1 Users can't manage: re-use, weak passwords, post-it notes, sharing
2 Free alternatives are hard: graphical, cognitive
3 2-factor too expensive: hardware tokens, client certs, smartphone
4 Single sign-on limited
(Illustrated with Passfaces, Cronto and the OpenID/OAuth stack)
Password collection remains ubiquitous
[Figure 1 from the paper (Preibusch, Bonneau): proportion of sites collecting passwords and, amongst these, of sites blocking password sharing, for the top k US sites with k up to 900 (0% to 100%). Bumps are artefacts of the increasing window size for the arithmetic mean.]
Supply side of the market remains poorly understood
1 How does the user experience vary from site to site?
2 What implementation weaknesses exist?
3 Which circumstantial factors affect sites' implementation choices?
4 How do sites' security requirements affect their choices?
5 Why do websites choose to collect passwords?
Coarse classification of password deployment cases
Identity sites (I), E-commerce sites (E), Content sites (C)
Random study sample designed for depth, breadth
Site classification allows for feature overlap
Feature | I | E | C | Tot.
News displayed | 15 | 0 | 49 | 64
Products for sale | 4 | 50 | 1 | 55
Payment details stored | 7 | 30 | 2 | 39
Social networking | 28 | 1 | 2 | 31
Premium accounts available | 17 | 3 | 8 | 28
Email accounts provided | 17 | 0 | 2 | 19
Discussion forums | 16 | 1 | 2 | 19
(I = identity, E = e-commerce, C = content; 50 sites per class, 150 sites in total)
Complete evaluation of visible password security
1 enrolment: password advice, data collected
2 login: data transmission
3 update: re-authentication, password requirements
4 recovery: backup authentication, replacement
5 attacks: user probing, password guessing
(Illustrated with screenshots from IKEA)
Semi-automated human-in-the-loop evaluation
Mozilla Firefox v3.5.8 with: Autofill Forms 0.9.5.2, CipherFox 2.3.0, Cookie Monster 0.98.0, DOM Inspector 2.0.4, Greasemonkey 0.8.20100211.5, Screengrab 0.96.2, Tamper Data 11.0.1
Findings
1 How does the user experience vary from site to site?
2 What implementation weaknesses exist?
3 Which circumstantial factors affect sites' implementation choices?
4 How do sites' security requirements affect their choices?
5 Why do websites choose to collect passwords?
User experience varies considerably
(Screenshots: WSJ 1996 vs. WSJ 2010)
Bare-bones password entry is universal
Advice rare and inconsistent
Advice given at enrolment | I | E | C | Tot.
Use digits | 9 | 6 | 3 | 18
Use symbols | 9 | 2 | 3 | 14
Graphical strength indicator | 9 | 0 | 2 | 11
Difficult to guess | 5 | 2 | 2 | 9
Not a dictionary word | 6 | 0 | 2 | 8
Change regularly | 4 | 0 | 1 | 5
Any advice | 18 | 8 | 7 | 33
Findings, question 2: What implementation weaknesses exist?
TLS deployment sparse and inconsistent
TLS deployment | I | E | C | Tot.
Full | 10 | 39 | 10 | 59
Full/POST (TLS for the password POST only) | 3 | 1 | 1 | 5
Inconsistent | 14 | 6 | 5 | 25
None | 23 | 4 | 34 | 61
No standard for password length
[Figure: proportion of sites accepting passwords of length n, for n = 1 to 8, plotted per site class (identity, e-commerce, content, payment, premium, all sites).]
No standard for password recovery
Three recovery emails, one per kind of content found in the survey:

EasyChair (not surveyed), which mails the original password:
  Dear Joseph Bonneau,
  You requested us to send you your EasyChair login information. Please use the following data to log in to EasyChair:
  User name: jbonneau
  Password: –––––
  Best regards,
  EasyChair Messenger.

Ticketmaster, which mails a temporary password:
  Hello, jbonneau:
  Thanks for using your Ticketmaster account.
  This is a temporary password: ––-
  Use this temporary password to login and reset your password again.
  We hope you enjoy using your account!
  Thanks,
  The Ticketmaster Team

Last.fm, which mails a reset link:
  Hi jbonneau,
  Someone requested that your Last.fm password be reset. If this wasn't you, there's nothing to worry about - simply ignore this email and nothing will change.
  If you DID ask to reset the password on your Last.fm account, just click here to make it happen:
  http://www.last.fm/?id=<userid>&key=<authentication-token>
  Best Regards,
  The Last.fm Team

Recovery mechanism | I | E | C | Tot.
Email only | 32 | 42 | 46 | 120
Email plus personal knowledge | 11 | 4 | 3 | 18
Personal knowledge only | 5 | 2 | 1 | 8
None available | 2 | 2 | 0 | 4

Email contents | I | E | C | Tot.
Original password (cleartext) | 5 | 14 | 17 | 36
Temporary password | 11 | 15 | 12 | 38
Reset link | 29 | 18 | 20 | 67
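Of the three email contents in the table, only the reset link (the Last.fm `?id=<userid>&key=<authentication-token>` pattern) avoids putting a reusable secret in the mailbox: the token can be high-entropy, short-lived and single-use, and the site needs to store only a hash of it, whereas mailing the original password means the site keeps passwords in recoverable form. The following is an added example of how such a token is issued and redeemed; it is not code from the paper or from any surveyed site. The `ResetTokenStore` class, the one-hour lifetime and the `https://example.com/reset` base URL are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link; not from the paper


class ResetTokenStore:
    """Issues and redeems single-use password-reset tokens.

    Only a SHA-256 digest of each token is kept, so a leaked copy of this
    store (or of the database behind it) does not let anyone reset
    accounts; the cleartext token exists only in the emailed link.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # user_id -> (token digest, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id):
        """Create a fresh 256-bit token for user_id, replacing any earlier one."""
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
        self._pending[user_id] = (self._digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, token):
        """Return True exactly once for the right token within its lifetime.

        A correct token is consumed on success so the emailed link cannot be
        replayed; an expired token is discarded as well.
        """
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False  # constant-time comparison; the real token stays valid
        del self._pending[user_id]
        return True


def reset_link(base_url, user_id, token):
    """Build the link placed in the email, in the id/key shape shown above."""
    return f"{base_url}?id={user_id}&key={token}"
```

After `redeem` returns True the site should require a new password (the "password update required after recovery" item in the scoring rubric later in the deck), hash it for storage and send the notification email. The link has to be served over TLS: a token in an `http://` URL is as exposed in transit as a cleartext password.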
Password guessing rarely prevented
(Screenshots: Truthdig, Cafe Press, Wikipedia. Countermeasures observed: timeout, lockout/forced reset, CAPTCHA.)

Countermeasure | I | E | C | Tot.
CAPTCHA | 11 | 2 | 1 | 14
Timeout | 2 | 1 | 2 | 5
Reset | 1 | 3 | 1 | 5
None | 37 | 43 | 46 | 126

Guesses allowed before the countermeasure triggers | I | E | C | Tot.
3 | 3 | 0 | 0 | 3
4 | 1 | 1 | 0 | 2
5 | 3 | 2 | 4 | 9
6 | 2 | 2 | 0 | 4
7 | 1 | 0 | 0 | 1
10 | 2 | 0 | 0 | 2
15 | 1 | 0 | 0 | 1
20 | 0 | 1 | 0 | 1
25 | 1 | 0 | 0 | 1
> 100 | 37 | 43 | 46 | 126
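The tables above show that 126 of the 150 sites let an attacker make more than 100 guesses against one account, and that where a limit exists it is usually small (5 guesses is the most common). The following added example, which is not code from the paper or any surveyed site, is the timeout variant: a per-account counter of recent failures that refuses further attempts once the limit is reached and relaxes as the failures age out. The `GuessThrottle` class, the 15-minute window and the `check_credentials` callback are assumptions for illustration.

```python
import time


class GuessThrottle:
    """Per-account limit on failed login attempts (the "timeout" countermeasure).

    After `limit` failures within `window` seconds the account is refused
    further attempts until the oldest failure ages out; a successful login
    clears the counter.  The default limit of 5 is the most common one in
    the survey; the 15-minute window is an assumption.
    """

    def __init__(self, limit=5, window=900, clock=time.time):
        self.limit = limit
        self.window = window
        self._clock = clock      # injectable so the timeout can be tested
        self._failures = {}      # username -> timestamps of recent failures

    def _recent(self, username):
        """Drop failures older than the window and return the ones that remain."""
        cutoff = self._clock() - self.window
        kept = [t for t in self._failures.get(username, []) if t > cutoff]
        self._failures[username] = kept
        return kept

    def allowed(self, username):
        return len(self._recent(username)) < self.limit

    def retry_after(self, username):
        """Seconds until the account may be tried again (0 if allowed now)."""
        recent = self._recent(username)
        if len(recent) < self.limit:
            return 0.0
        # The account reopens when enough of the oldest failures have aged out
        # to bring the count back under the limit.
        unlock_at = recent[len(recent) - self.limit] + self.window
        return max(0.0, unlock_at - self._clock())

    def record_failure(self, username):
        self._failures.setdefault(username, []).append(self._clock())

    def record_success(self, username):
        self._failures.pop(username, None)


def attempt_login(throttle, username, password, check_credentials):
    """Outcome of one login attempt: 'locked', 'ok' or 'denied'.

    check_credentials(username, password) -> bool is the site's own password
    verification (assumed; not shown here).  The throttle is consulted before
    the password is checked, so a locked account costs the attacker nothing
    but also tells them nothing.
    """
    if not throttle.allowed(username):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

A per-account limit on its own lets anyone lock a victim out by deliberately failing against their username, which is why sites typically soften it with a CAPTCHA or a temporary delay rather than a hard lockout, and pair it with a per-source-address limit; that trade-off is a general caveat, not something the survey measured.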
User probing prevention rarely complete
(Interfaces probed: enrolment, login, recovery. Screenshots: Ask, Zappos!)

Sites preventing user probing, by interface | I | E | C | Tot.
Enrolment | 4 | 1 | 1 | 6
Login | 43 | 41 | 38 | 132
Reset | 11 | 7 | 2 | 20
All three interfaces | 1 | 1 | 0 | 2
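A site prevents user probing at an interface when its response does not reveal whether a given address or username is registered. The table shows that the login form is where this is usually handled (the familiar "invalid username or password"), while enrolment and reset forms, which must behave differently for known and unknown addresses, almost always leak, and only 2 of 150 sites protect all three. The added example below (not code from the paper or any surveyed site) keeps all three responses uniform by moving the difference into the email that is sent, and makes a login against an unknown address cost the same hash computation as one against a real account. `AccountService`, the PBKDF2 parameters, the message texts and the constructed `outbox` are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the hash."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(stored, password):
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored[:16], PBKDF2_ROUNDS)
    return hmac.compare_digest(stored[16:], expected)


# Verified against whenever the address is unknown, so a login attempt on a
# non-existent account takes as long as one on a real account.
_DUMMY_HASH = hash_password("dummy-password-never-accepted")


class AccountService:
    def __init__(self):
        self.users = {}    # email -> stored password hash
        self.outbox = []   # constructed stand-in for the mail system: (to, subject)

    def enrol(self, email, password):
        """Same reply for new and already-registered addresses; only the email differs."""
        if email in self.users:
            self.outbox.append((email, "You already have an account; use password reset"))
        else:
            self.users[email] = hash_password(password)
            self.outbox.append((email, "Welcome: please verify your address"))
        return "Check your email to finish signing up."

    def login(self, email, password):
        """One error message, and one hash computation, whether or not the address exists."""
        stored = self.users.get(email, _DUMMY_HASH)
        ok = verify_password(stored, password)   # always runs, known or unknown address
        if ok and email in self.users:           # the dummy hash must never sign anyone in
            return "Signed in."
        return "Invalid email address or password."

    def request_reset(self, email):
        """Same reply either way; the reset email goes only to registered addresses."""
        if email in self.users:
            self.outbox.append((email, "Your password reset link"))
        return "If an account exists for that address, a reset link has been sent."
```

This only works when the email address is the sole identifier. Where a site makes users pick a public username at enrolment it has to report whether the name is taken, so that interface cannot be made uniform; the survey's enrolment column is correspondingly the smallest.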
10-dimensional password security policies
Feature | Cardinality
Enrolment email contents | 8
Password advice | 16
Minimum password length | 8
Password requirements | 16
Federated login support | 8
Password update | 8
Password recovery mechanism | 8
Brute force restrictions | 4
User probing restricted | 12
TLS deployment | 4
Most sites re-inventing the wheel
Uniqueness radius | % of sites
0 | 100.0
1 | 90.6
2 | 56.0
3 | 24.0
4 | 7.3
5 | 1.3
6 | 0.0
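On the reading this example assumes, a site is unique at radius r when no other surveyed site's policy lies within Hamming distance r of it in the 10-dimensional feature space above: at radius 0 every site is unique (no two sites share a policy), and by radius 6 none is. The following added example, which is not the paper's own code, computes that profile for a small constructed set of policy vectors; the integer encoding of the features and the five sample vectors are made up for illustration.

```python
from itertools import combinations

# The ten policy dimensions from the previous slide; each value is a small
# integer code for the category a site falls in (the encoding is assumed).
POLICY_FEATURES = (
    "enrolment_email_contents", "password_advice", "minimum_password_length",
    "password_requirements", "federated_login_support", "password_update",
    "password_recovery_mechanism", "brute_force_restrictions",
    "user_probing_restricted", "tls_deployment",
)


def hamming(a, b):
    """Number of policy dimensions on which two sites differ."""
    if len(a) != len(b):
        raise ValueError("policy vectors must have the same length")
    return sum(1 for x, y in zip(a, b) if x != y)


def nearest_neighbour_distances(policies):
    """For each site, the Hamming distance to the closest other site."""
    n = len(policies)
    # One more than the largest possible distance marks "no other site at all".
    nearest = [len(POLICY_FEATURES) + 1] * n
    for i, j in combinations(range(n), 2):
        d = hamming(policies[i], policies[j])
        nearest[i] = min(nearest[i], d)
        nearest[j] = min(nearest[j], d)
    return nearest


def uniqueness_profile(policies):
    """Percentage of sites with no other site within radius r, for r = 0..10."""
    nearest = nearest_neighbour_distances(policies)
    n = len(policies)
    return {r: 100.0 * sum(1 for d in nearest if d > r) / n
            for r in range(len(POLICY_FEATURES) + 1)}


# Constructed sample of five sites; not data from the study.
SAMPLE_POLICIES = [
    (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
    (1, 0, 0, 0, 0, 0, 0, 0, 0, 0),
    (1, 1, 1, 0, 0, 0, 0, 0, 0, 0),
    (0, 0, 0, 0, 0, 1, 1, 1, 1, 1),
    (1, 1, 1, 1, 1, 1, 1, 1, 1, 1),
]

if __name__ == "__main__":
    for r, pct in uniqueness_profile(SAMPLE_POLICIES).items():
        print(f"radius {r}: {pct:5.1f}% of sites unique")
```

The pairwise loop is quadratic in the number of sites, which is fine for 150 policies; with the survey's own feature encoding in place of the sample, the output is a table of the same shape as the one above.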
Security-conscious sites are pioneers
[Figure: the 150 surveyed sites laid out by password score (0 to 10); legend marks identity, e-commerce and content sites, payment-storing sites ($) and clusters of sites. The five clusters are described as:]
- No TLS, no password requirements, cleartext passwords emailed, no guessing or user probing restrictions, email addresses verified
- No TLS, no password requirements or advice, emailed temporary passwords for reset, no guessing or user probing restrictions, email addresses verified
- TLS deployed, 6-character minimum password, emailed reset links, no password advice, no guessing or user probing restrictions, email addresses not verified
- No TLS, 6-character minimum password, personal knowledge questions for reset, no password advice, no guessing or user probing restrictions, email addresses verified
- TLS deployed, 6-character minimum password, emailed reset links, no password advice, guessing restrictions in place, email addresses verified
Findings, question 3: Which circumstantial factors affect sites' implementation choices?
10-point aggregate password score used for analysis
Enrolment:
  Password selection advice given +1
  Minimum password length required +1
  Dictionary words prohibited +1
  Numbers or symbols required +1
  User list protected from probing +1
  Cleartext password sent in email after enrolment −1
Login:
  Password hashed in-browser before POST +1
  Limits placed on password guessing +1
  User list protected from probing +1
  Federated identity login accepted +1
Password update:
  Password re-entry required to authorise update +1
  Notification email sent after password reset +1
Password recovery:
  Password update required after recovery +1
  Cleartext password sent in email upon request −1
  User list protected from probing +1
Encryption:
  Full TLS for all password submission +2
  POST-only TLS for password submission +1
More popular sites do better
[Figure: password score (0 to 10) against page views per million (log scale, 10^-2 to 10^5), for e-commerce, news/customization and user-interaction sites.]
Popular, growing, competent sites are more secure
[Table: association of site characteristics with security features; the cells are significance markers (positive or negative, with significance levels) that did not survive extraction.
Rows: positive 3-month traffic change; years online > 10; load time < median; traffic rank > 25th percentile, > median, > 75th percentile; industry traffic rank > 25th percentile, > median, > 75th percentile; page views > 25th percentile, > median, > 75th percentile.
Columns: password score > median; TLS deployed correctly; guessing attacks restricted; minimum password length enforced; dictionary words prohibited; cleartext passwords mailed; notification of password reset; email verified on enrolment; CAPTCHA required on enrolment.]
Findings, question 4: How do sites' security requirements affect their choices?
Content sites provide the least security
[Figure: proportion of sites receiving a password score ≥ n, for n = 0 to 10, plotted per site class (identity, e-commerce, content, payment, premium, all sites).]
Payment-storing sites do it best
[Table: association of site segment and features with security features; the cells are significance markers (positive or negative, with significance levels) that did not survive extraction.
Rows: identity segment; e-commerce segment; content segment; premium accounts offered; payment details stored; e-mail provided; social networking features.
Columns: password score > median; TLS deployed correctly; guessing attacks restricted; minimum password length enforced; dictionary words prohibited; digits; symbols; cleartext passwords mailed; notification of password reset; email verified on enrolment; CAPTCHA required on enrolment.]
Security policies vary far more than requirements
[Figure: the same layout of the 150 surveyed sites by password score (0 to 10), with the same five cluster descriptions and legend as on the "Security-conscious sites are pioneers" slide.]
Findings, question 5: Why do websites choose to collect passwords?
Content sites want email, marketing data
(Screenshot: New York Times registration)
Data collected at enrolment | I | E | C | Tot.
Email address | 38 | 50 | 49 | 137
Email verified | 29 | 1 | 35 | 65
Email updates offered | 21 | 42 | 47 | 110
Postcode | 15 | 30 | 34 | 79
Mailing address | 5 | 19 | 8 | 32
Phone number | 5 | 20 | 7 | 32
Marketing data | 4 | 6 | 13 | 23
Username | 35 | 5 | 29 | 69
CAPTCHA | 29 | 3 | 11 | 43
Economic models
Password over-collection is a tragedy of the commons
Password insecurity is a negative externality
Regulatory fixes
- Tax
- Licensing
- Liability
- Standards
Perspectives
(Screenshot: Costco)
It's a thicket out there
The market is failing
Psychological barriers may exist
OpenID to the rescue?
(Screenshots: Mixx, Yahoo!)
Questions?
jcb82@cl.cam.ac.uk, sdp36@cl.cam.ac.uk
Data available online: http://preibusch.de/publ/password-market