Kirk Ouimet and Dr. Anthony Vance
At the beginning of the year Tony and I started our journey to find out if real-time feedback during the account creation process on a website would result in users creating stronger passwords. While the project has been larger than we thought, I am very pleased with the progress we’ve made. We are not finished with our study and will continue to work on it throughout the rest of this year.
So, what have we done?
1. WE PROGRAMMED A WEB SERVICE TO ANALYZE PASSWORDS IN REAL-TIME
This actually turned out to be exceptionally difficult. We wanted our service to receive a password and compare it to a list of millions of known passwords in order to estimate its susceptibility to cracking. Tony oversaw the creation of a Python service that the Information Systems department would host on a server in the Marriott School. We needed the service to be extremely fast, as close to real time as possible, so the user could receive instant feedback on the quality of their password. To achieve this, our program consumes a very large amount of memory. We kept crashing the server because our program would hog all of the available memory. We did some optimization, and now the service has been up for a month without crashing. After we had this password-analyzing service built out, we had to start on our actual experiment.
2. WE CRAFTED OUR EXPERIMENT
Our experiment has turned out to be much more awesome than originally planned. We broke up our experiment into four different treatments and a control group. We are running the experiment on a live website with real traffic. Each treatment delivers a different type of feedback to the user during the account creation process. When they type in a password for their new account, they might see:
a. Nothing (control group)
b. Static text explaining the importance of having a strong password
c. Dynamic text that describes specifically how the current password they entered can be improved
d. A simple password strength bar that fills up to reflect the strength of their password
e. A password strength bar and dynamic text, as shown in the screenshot on the next page
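The sketch below is an added example, not the authors' service: it shows one way a known-password lookup can stay small in memory while producing both a strength-bar score and dynamic feedback text, as in treatments c, d and e. The packed fingerprint index, the scoring heuristic, the feedback wording and the six-entry sample list are all assumptions made for illustration.

```python
import hashlib
import math

# Constructed sample list; the service described above used millions of entries.
KNOWN_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey", "dragon"]
WIDTH = 8  # bytes kept per entry (assumption; collisions are negligible at 64 bits)

def fingerprint(password):
    """Truncated SHA-256 of the lowercased password, so 'Password' matches 'password'."""
    return hashlib.sha256(password.lower().encode("utf-8")).digest()[:WIDTH]

def build_index(passwords):
    """Pack sorted fingerprints into one bytes object: 8 bytes per password
    instead of a separate Python string object for each."""
    return b"".join(sorted({fingerprint(p) for p in passwords}))

def is_known(index, password):
    """Binary search over the fixed-width records in the packed index."""
    target, lo, hi = fingerprint(password), 0, len(index) // WIDTH
    while lo < hi:
        mid = (lo + hi) // 2
        if index[mid * WIDTH:(mid + 1) * WIDTH] < target:
            lo = mid + 1
        else:
            hi = mid
    return index[lo * WIDTH:(lo + 1) * WIDTH] == target

def analyze(index, password):
    """Return (score 0-100 for a strength bar, list of dynamic feedback strings)."""
    if is_known(index, password):
        return 0, ["This password appears in lists of known passwords; pick another."]
    missing = [name for name, present in (
        ("lowercase letters", any(c.islower() for c in password)),
        ("uppercase letters", any(c.isupper() for c in password)),
        ("digits", any(c.isdigit() for c in password)),
        ("symbols", any(not c.isalnum() for c in password)),
    ) if not present]
    sizes = {"lowercase letters": 26, "uppercase letters": 26, "digits": 10, "symbols": 33}
    pool = sum(n for name, n in sizes.items() if name not in missing)
    # Heuristic (assumption): length * log2(character pool), 80 bits fills the bar.
    bits = len(password) * math.log2(pool) if pool else 0.0
    tips = []
    if len(password) < 12:
        tips.append("Make it longer: use 12 or more characters.")
    if missing:
        tips.append("Add " + ", ".join(missing) + ".")
    return min(100, int(bits / 80 * 100)), tips

INDEX = build_index(KNOWN_PASSWORDS)
```

At 8 bytes per entry, ten million known passwords occupy about 80 MB in the packed index, and each lookup costs roughly 24 comparisons.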
Right now we are running this on a live site I own and manage. We have received over 400 points of data, but still need to gather more data in order for our analysis to be complete. We are currently expecting to have all of the data we need by the end of July, 2011.
After we finish with the data collection process, we will analyze all of the data in depth to look for useful information. We are interested in seeing if users change their password creation behavior based on the treatment they receive. All of our analysis will go into a research paper that will be submitted to various journals in the Information Systems world.
It has been a pleasure to work so closely with Tony as my mentor. He has been patient with me and has taken every opportunity to fill out my knowledge of systems security. I am excited to work with him throughout the rest of the year to complete our project.
Lastly, I am very thankful for the ORCA program that has made our project possible.