Blase Ur, University of Chicago
Despite decades of research into developing security advice and interfaces, users still struggle to make passwords. This talk will survey our work using data-driven methods to help users make better passwords. I will first describe how we modeled password-guessing attacks and subsequently investigated whether users' perceptions of password security match reality. Afterwards, I will present our design and evaluation of a user-centered, data-driven password meter. Using neural networks, we created a fast, compact, and accurate model of password guessing. We augmented this approach with carefully combined heuristics to construct a password meter that explains to users what is wrong with their password or how to improve it. Through a large-scale online study, we found that such a meter leads users to create much more secure passwords without significantly impacting memorability.
Blase Ur is Neubauer Family Assistant Professor of Computer Science at the University of Chicago, where he and his students are the Security, Usability, and Privacy Education & Research group (SUPERgroup). His recent work focuses on data-driven methods to help users make better security and privacy decisions, in addition to improving the usability of complex computer systems. He received best paper awards at CHI 2017, USENIX Security 2016, and UbiComp 2014, as well as honorable mentions at CHI 2016 and CHI 2012. He holds a Ph.D. and an M.S. from Carnegie Mellon University, as well as an A.B. from Harvard University.