Jun 26 2008


Published by

Abstracts Hidden/Shown

Forget, A., Chiasson, S., & Biddle, R. (2008). Lessons from Brain Age on Password Memorability. ACM Future Play, Toronto, Canada: ACM.

User authentication involves establishing a user’s right to access a system. Most user authentication is done with text passwords, which have advantages over other approaches, but more secure passwords are often difficult to remember. Nintendo’s Brain Age games involve cognitive training which can improve memory. We examined Brain Age in search of insights towards helping users create and remember more secure passwords. Although Brain Age offers no techniques for memorising specific information, we discovered ideas for a new type of serious game that may help with password memorisation: Password Rehearsal Games.


Le Blanc, D., Chiasson, S., Forget, A., & Biddle, R. (2008). Can eye gaze reveal graphical passwords?
ACM Symposium on Usable Privacy and Security (SOUPS). Pittsburgh, USA: ACM.

Graphical passwords have been proposed as an alternative to text passwords. These new authentication mediums are of much interest to researchers today due to their potential for usability and security. However, we must also consider new threats they may present. We are interested in the effects that visual attention and visual search have on the creation and maintenance of graphical passwords, and whether eye fixations can predict the location of these passwords. If eye fixations are good predictors, then the security of graphical passwords is considerably weakened.


Martin, A., Noble, J., & Biddle, R. (2008). Experience on the human side of agile. Agile Processes
in Software Engineering and Extreme Programming, Vol. 9 of Lecture Notes in Business Information
Processing (pp. 234–235). Springer Berlin Heidelberg.

This brief paper describes an XP2008 conference workshop on the subject of experience on the human side of agile development. By this, we include such topics as the customer role, user interaction design, and the social nature of teams. The workshop will allow practitioners and researchers interested in these topics to develop a common map of resources, and a model to assist collaboration on further exposition and study.


Sobey, J., Biddle, R., van Oorschot, P., & Patrick, A. S. (2008). Exploring user reactions to new browser
cues for extended validation certicates. Computer Security ESORICS 2008 (To Appear, Lecture Notes
in Computer Science. Springer Berlin / Heidelberg.

With the introduction of Extended Validation SSL certificates in Internet Explorer 7.0, web browsers are introducing new indicators to convey status information about different types of certificates. We carried out a user study which compared a proposed new interface in the Mozilla Firefox browser with an alternative interface of our own design to investigate how users react to these new indicators. Our study in- cluded eye tracking data which provided empirical evidence with respect to which parts of the browser interface users tended to look at during the study and which areas went unnoticed. Our results show that, while the new interface features in the unmodified Firefox browser went unnoticed by all users in our study, the modified design was noticed by over half of the participants, and most users show a willingness to adopt these features once made aware of their functionality.


Chiasson, S., Forget, A., Biddle, R., , & van Oorschot, P. (2008). Influencing users towards better
passwords: Persuasive cued click-points. Proceedings of Human-Computer Interaction 2008. British
Computer Society.

Usable security has unique usability challenges because the need for security often means that standard human-computer-interaction approaches cannot be directly applied. An important usability goal for authentication systems is to support users in selecting better passwords, thus increasing security by expanding the effective password space. In click-based graphical passwords, poorly chosen passwords lead to the emergence of hotspots – portions of the image where users are more likely to select click-points, allowing attackers to mount more successful dictionary attacks. We use persuasion to influence user choice in click-based graphical passwords, encouraging users to select more random, and hence more secure, click-points. Our approach is to introduce persuasion to the Cued Click-Points graphical password scheme of Chiasson et al. (ESORICS 2007). Our resulting scheme significantly reduces hotspots while still maintaining its usability.


Chiasson, S., Srinivasan, J., Biddle, R., & van Oorschot, P. (2008). Centered discretization with application to graphical passwords. Proceedings of Usability, Psychology, and Security 2008. San Francisco, USA: Usenix Press.

Discretization is used in click-based graphical passwords so that approximately correct entries can be accepted by the system. We show that the existing discretization scheme of Birget et al.(2006) allows for false accepts and false rejects because the tolerance region is not guaran- teed to be centered on the original click-point, causing usability and security concerns. Using empirical data from a large user study, we show that this is a significant issue in practice. We then introduce Centered Discretization, a simpler discretization method that eliminates false accepts and false rejects. It also allows for smaller tolerance regions without impacting the usability of the system.


Forget, A., & Biddle, R. (2008). Memorability of persuasive passwords. CHI ’08: CHI ’08 extended abstracts on Human factors in computing systems (pp. 3759–3764). New York, NY, USA: ACM.

Text passwords are the primary authentication method used for most online services. Many online users select weak passwords. Regrettably, most proposed methods of strengthening passwords compromise memorability.  This paper explores a lightweight password creation mechanism’s effect on password memorability. Our system employs Persuasive Technology to assist users in creating stronger passwords. Results show that our improvement scheme affected password memorability only for users who created secure passwords before the system applied its improvement. This result warns researchers to not alienate users who are already security-aware when trying to assist security-unaware users to behave more securely.


Forget, A., Chiasson, S., & Biddle, R. (2008). Accessibility and graphical passwords. Symposium on Accessible Priavcy and Security. Pittsburgh, USA.

Password restriction policies and advice on creating secure passwords have limited effects on password strength. Influencing users to create more secure passwords remains an open problem. We have developed Persuasive Text Passwords (PTP), a text password creation system which leverages Persuasive Technology principles to influence users in creating more secure passwords without sacrificing usability. After users choose a password during creation, PTP improves its security by placing randomly-chosen characters at random positions into the password. Users may shuffle to be presented with randomly-chosen and positioned characters until they find a combination they feel is memorable. In this paper, we present an 83-participant user study testing four PTP variations. Our results show that the PTP variations significantly improved the security of users’ passwords.  We also found that those participants who had a high number of random characters placed into their passwords would deliberately choose weaker pre-improvement passwords to compensate for the memory load. As a consequence of this compensatory behaviour, there was a limit to the gain in password security achieved by PTP.


Forget, A., Chiasson, S., van Oorschot, P., & Biddle, R. (2008). Persuasion for stronger passwords. Third International Conference on Persuasive Technology for Human Well-Being. Oulu, Finland: Springer-Verlag.

Text passwords are the ubiquitous method of authentication, used by most people for most online services. Many people choose weak passwords that are vulnerable to attackers who simply guess all the passwords within the most probable password spaces. This paper describes a lightweight password creation mechanism that uses Persuasive Technology to influence users to create stronger passwords. Results from a pilot study show that our Persuasive Text Passwords (PTP) prototype system successfully influenced users to create and remember more secure passwords.


Khaled, R., Fischer, R., Noble, J., & Biddle, R. (2008). A qualitative study of culture and persuasion
in a smoking cessation game. Third International Conference on Persuasive Technology for Human
Well-Being. Oulu, Finland: Springer-Verlag.

To explore the issue of culture in persuasive technology, we identified strategies distinguishing individualist or collectivist audiences, and developed two versions of a prototype game.  In this paper we report on a qualitative study of this game. The game concerned smoking cessation, and set in a New Zealand context, where one version was designed for individualist New Zealand Europeans, and the other for collectivist New Zealand Maori. Our qualitative study involved people from each group playing each of the two games. Using a “think-aloud”‘ protocol, we recorded player comments and reflections that show the effect of our design on their behaviour. The results of the study show the designs were interpreted differently according to the audiences playing them, and reveal detail about culture and persuasion.