You Only Live Twice or The Years We Wasted Caring about Shoulder-Surfing

Paper #186: Karen Renaud and Joe Maguiew
You Only Live Twice or The Years We Wasted Caring about Shoulder-Surfing

download full paper

Please add comments and discuss this paper – the liveliness of the discussion will help us decide the most suitable papers to be presented at Alt-HCI in September.

Abstract:  Passwords, in theory, are a good idea. They have the potential to act as a fairly strong gateway to protected information and services. In reality, lots of problems emerge when passwords are used by normal people in their everyday lives. The great thing about passwords is that they are universally accessible, and very easy to add to any application. They are also well-established and a mechanism that users readily understand. However, passwords are also (1) easily shared, (2) trivial to observe and (3) maddeningly elusive when forgotten. Various alternatives to passwords have been proposed, many of which try to address at least one of the problems mentioned above. Alternatives to passwords are often judged harshly because, whereas they might well demonstrate superior memorability, they might well fail in terms of universal accessibility, or require extra effort on the part of the user. There seems to be a reluctance to lose the benefits of passwords and to switch to another mechanism, even if the most glaring flaws of passwords have been addressed. Graphical authentication mechanisms are a case in point. They have demonstrated their superior memorability but still suffer from observability flaws. The question we pose in this article is whether users care about this, and whether this is really the deal-breaker it appears to be in terms of adopting alternatives which are indeed susceptible to observation.


17 thoughts on “You Only Live Twice or The Years We Wasted Caring about Shoulder-Surfing

  1. Passwords are undoubtedly a problem; nearly every website we use seems to want us to register and set up a user name and password, and all have different policies for enforcing password strength, allowing or banning or requiring certain symbols and enforcing periodic password changes. People tend to use the same password for most sites, even though some sites have greater needs for security or privacy than others. The user often doesn’t know how securely the password is stored and who can see it. Some sites send password reminders by email in plain text!

    I’m not convinced that TETRAD in its current form would solve the issues, but I do think there are some good imaginative ideas – particularly the use of image recognition – to address this growing problem.

    Posted by Rob Edlin-White | July 26, 2012, 8:30 am
  2. We spent a lot of time trying to design something that would make it hard for people to observe others’ entering their passwords. This had an associated cost but we found that users felt that the cost outweighed the benefit. So we were actually solving a problem that users didn’t care about. Quite something to discover!

    Posted by Karen Renaud | July 30, 2012, 1:17 pm
  3. Shoulder surfing is a real problem with Banking security where there isnt Digital Certificates – a move towards Digital certificates is just the first step before the next wave of attacks on privacy and fraud needs to be remedied

    Posted by Basil Howard | July 30, 2012, 3:50 pm
  4. I think this paper is unusual in that it hints at the big problem in changing the nature of passwords or authentication; that of inertia. Network designers and administrators as well as users have to be convinced that there is a sufficiently significant threat to make them change operation. Had we thought of graphical based authentication and authorisation in the early days of roll out of systems to the un-technical public it may well have been welcomed, at least by users. But that is not the way it happened. This paper shows that the perceived threat is small so there is unlikely to be a strong drive for change. However, as suggested in the paper, if a significant sector such as finance could be convinced to trial such an approach, then it may become more popular and instigate gradual change in risky areas with groups for whom standard Pin and password approaches are least successful.

    Posted by Wendy Goucher | July 31, 2012, 8:13 am
  5. One of my banks/c’cards (I think MBNA) uses an image – not for authenticating you, but to authenticate them during login and 3-D secure authentication. The latter is especially important as many sites embed the 3 way secure page in an iframe so you can’t see the URL.

    Of course 3DS has a whole host of security problems (maybe it should be renamed 3-D insecure?) as note by Cambridge Comp. Lab. http://www.h-online.com/security/news/item/Researchers-criticise-3D-Secure-credit-card-authentication-914144.html

    With my LloydsTSB debit card I managed to sign up without setting ‘secure phrase’, so that for a long time afterwards I was having to trust the various sites as the phrase was simply a default (the idea of a default secure phrase ought to raise immediate questions!). Each time I thought “I must change this”, logged into my account and reached, and afield to find out how to change it, then after a fruitless time gave up. Eventually, by chance I hit the right part of the site and now it is secure … well at least as secure as anything in 3DS is!

    BTW. Lovely article by Troy Hunt about the security nightmares around Tesco online shopping!

    Posted by alandix | July 31, 2012, 9:04 am
  6. That is called a security skin. It’s a nice idea but research shows loads of people either don’t notice it, or if it doesn’t appear they don’t take that as a sign that they should be concerned. So, as a security technique, it isn’t very efficacious.

    Posted by Karen Renaud | July 31, 2012, 9:11 am
    • This wasn’t helped by the vague way it was explained when I first signed up. I can’t recall the exact form of words, but I had no idea what it was for until I actually saw it appearing in the authentication dialogues. Certainly they did not have big warnings saying “DON’T enter your password if you don’t see this”. I think they probably downplay security as the more they say about it the less people *feel* secure.

      Posted by alandix | July 31, 2012, 10:05 am
  7. Passwords future and current efficiency: this divides professionals and Joe public, divides everyone. Joe the use if passwords ranges from fastidious systems and super awareness of what can go wrong and reckless abandonment where all passwords are shared and freely exchznged. It seems that only the true value of a secure password becomes apparent to all when it has been compromised and by then it is too late..But we will have to address this as I know O am currently the proud owner of at least 23 passwords and counting!!!

    Posted by Michelle Ozturk | July 31, 2012, 8:02 pm
  8. Lot’s of issues around passwords, but I’d like to comment on the paper. I really appreciate the honesty and the reflection that have gone in to reasons for the failures as well as the success of the research.

    Posted by Marco Gillies | August 1, 2012, 5:39 am
  9. As the ‘pleb’ in your scenario – someone who has to use passwords often, but finds it difficult to think of something both secure and memorable, I thought the most interesting part was your thoughts about the laziness of users. I’m interested to see how you can tackle that, and if it’s possible make this as user-friend at input as an alphanumeric password. Even when we know how easy it is for password info to be lost, shared or stolen, people don’t seem discouraged from using them — what would it take to change that? Is it as you say a case of finding the right scenario?

    Posted by elaineoc | August 1, 2012, 7:07 am
  10. laziness = efficiency 😉

    Posted by alandix | August 1, 2012, 7:40 am
  11. yet again I think we hit a consequence of scale. Remember when you only had 5 online thingies and 5 passwords. ah the simpler better days of yore. Unfortunately designers of systems often fail in systems thinking. If I just had to deal with a few apps all would be well. But are you surprised people are lazy by the time they get to the 100th thing they have to have a login and password for? And I may actually resent you not only making me come up with a new login ID and password but yet another kind of passwordy thing with pictures. I don’t care!
    That is so unfair on the noble aims of designers working on improving on the awfulness of the multi-password UX. But it requires us to think about the users experience of yet another damn login/password process. I think this paper describing their experiences with the challenge can help about thinking of designing inside the legacy pile of all our passwords

    Posted by Michael Bernard Twidale | August 1, 2012, 11:06 pm
  12. A refreshing look at the problems with passwords, hopefully this paper will encourage further, candid research into tenable alternative holistic authentication mechanisms to improve the situation.

    Posted by Gareth | August 2, 2012, 11:13 am
  13. I don’t know if passwords are really the problem or, as Michael has mentioned above, if it’s the sheer volume of them we are expected to remember/create. This is compounded by the fact that the majority of them aren’t really protecting anything worth protecting and seem to be more for the services benefit (identifying me as me to better tailor their service) rather than mine (protecting personal data/ bank accounts etc.). I think the former are prime candidates for an alternative authentication mechanism however even TETRAD seems a bit overkill for this purpose and would still suffer from the same ‘volume’ problems password authentication has.

    Posted by Iain McDonald | August 2, 2012, 3:51 pm
  14. Although it doesn’t matter in terms of the line of argument in this paper, I think the authors overstate how indifferent people are to having their password stolen by their friends and family. It’s true it’s a different ballgame, but one with its own subconscious distinctions. It may be OK to take the last slice of pizza, then discuss it; but is it OK to put your hand in someone’s pocket and take their money and only discuss it later? Or to take food off their plate? Among friends I know, some think it’s fine; others get upset even though they are too polite to say so straight off. We maintain different rules on sharing with friends, but we still have them, police them, occasionally have serious bust-ups over them if our maintainence wasn’t good enough.
    I once had a focus group participant explain to me that the central heating controls in a house (their house) were only used by one person, but on behalf of others: apparently quite different from both a personal device (one’s trousers) or a public device (a common-room door handle).

    What this all means is a whole neglected area in HCI in itself.

    Posted by Steve Draper | August 3, 2012, 3:54 pm
  15. I’m going to challenge the paper more fundamentally. The authors’ conclusion is that the way forward is not to address authentication (henceforth “auth.”) as a separate abstract problem on top of the software, but to address auth. Scenarios. I suggest that is not going far enough. There’s a more basic problem.

    But to get warmed up, 3 questions I asked myself:
    1) Why would users of their software have to specify the sequence as well as the set of “secret” people-pictures?
    2) Why use only facebook friends, not those of your doctor, neighbour, teacher?
    3) How on earth does the user remember which 4 friends are their password?

    Now consider a shoulder spy looking at the array. Such a friend would probably see the doctor etc. as strangers and so probably part of the secret. On another hand, they would be in a fair position to guess what bound 4 together, given that they are your friends (e.g. the ones you met at school; the gang who went to Ibiza together; your flatmates last year).

    This made me think that the fundamental problem isn’t about pics vs. text. Their software will fail for reasons they don’t discuss: that people will have at least as much trouble remembering their password made of pics as made of letters. I come back after 6 months to see an array of faces, all familiar to me: how do I remember the 4 (or whatever) that I once chose? By a rule. If I can do it, others also have a significant chance of predicting the rule I used. It is the same problem we have with text passwords.

    (Actually, to really use a pic. System based on humans’ special abilities at remembering faces: what you do is the array presented has only one face that is the secret, but use different pics of the one person on different trials. It also should typically have faces quite similar to the secret one, but actually of a different person. If spies do not already know the person who is the secret, then they won’t be able to pick out a picture another time that is right. What is not widely known outside the face recog., community is that we are rubbish at recognising a real person from a photo if they are a stranger to us; but excellent at picking out photos of people we already know well. Passport photos are seriously unfit for the purpose to which they are apparently put. If you show CCTV to a criminal they usually confess because to them, it is so clear they are shown. To a jury or witness, they won’t be able to pick the criminal out of a line-up from the CCTV. So if you use photos not familiar to the spies, overlooking actually does NOT give away a reusable password, any more than seeing a yale key lets an onlooker duplicate it.)

    Instead, the real way forward is to recognise and address that a password system has to be analysed for not one but its two modes of use: Malicious attacks are by a machine doing combinatorial search and/or a spy who copies down the password on a bit of paper without understanding any meaning in the string; but the user has to remember it, and basic psychology tells us that they have very little chance of remembering it unless it is somehow a “chunk” to them e.g. there is an implicit rule in it (it is a name, it is a sequence like 8642 as a PIN). An example based on one Katona used would be: 192 226 293 336, and knowing the rule I can calculate the next digits, but others mostly cannot.
    Katona, G. (1940). Organizing and memorizing. New York, NY, US: Columbia University Press.

    The way forward is to tackle this dual requirement, A string can be seen as a meaningless string in some alphabet AND as a meaningful sequence generated by a rule. Knowing either one gives you auth. Understanding this carves the space of possible auth. mechanisms up differently when added to a scenario. E.g.:

    You have the case where no-one can remember it at a glance (no rule). Brass yale keys are like this: seeing someone’s keys doesn’t help you, neither the owner nor the spy can remember their shape and so duplicate them. (Of course by the end of today there will be an app. that takes a photo of a key, corrects the perspective from the shoulder spy glimpse to an orthogonal view, sends it to a web service, and a duplicate is mailed back.) A string of 10 chars should be like this (working memory is 7+2 = 9 max) if it is truly random. So if spies aren’t allowed to write down the string (or photograph the key) they all will work.

    The case of really no spying allowed: even a 2 digit PIN (with a 3 try limit) should work well here. How to get really-no-spying? Echo * not chars, require typing under a cloth (use a photocell to check the cloth is in place); chars rotate in a ring and you keypress to pick the char you want, so the information is in the timing, …

    Or the case where a mixture of rule and sampling means only exhaustive spying over many cases with recording would crack it. E.g. a 10 char (or 30 char) password that forms a rule, but each challenge only asks for a different 3 of them each time, so remembering the 3 you saw doesn’t help when you try to use it on the next challenge.

    Another mixture I know one person uses is he writes down his PINs, but has a rule for transforming them. E.g. if he wrote 8351 then the pin is actually 9462 (add 1 to each). He only has to remember one rule, and the rest is recorded and carried around. This not only illustrates combinations of rule and record; but also the combination of memory and carrying a record with you as you do with a brass key.

    Or: you choose a rule as your password. Each challenge shows you 4 digits and you must type in the next 4 in he sequence. A ‘weak’ password would be add 1 modulo 10 to each digit; a better one would be like Katona’s example rule: assume the digits represent 2 numbers of 2 digits each. Add 3 or 4 alternately to generate the next 2 numbers (4 digits).

    The space of human-usable rules is bigger than you thinking, but still tiny to combinatorial attack. Like a 4 digit PIN is. But at least it addresses the actual problem of how a human can carry the key around, instead of long textual passwords which utterly ignore this defining requirement of the problem.

    Posted by Steve Draper | August 5, 2012, 4:26 pm
  16. Hi webmaster do you need unlimited content for your page ?
    What if you could copy article from other sites, make it unique
    and publish on your website – i know the right tool for you, just type in google:

    luiqight’s article tool

    Posted by Jack | January 15, 2015, 12:07 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s



  • No categories
%d bloggers like this: