Expert Password Management

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9551)


Experts are often asked for advice about password management, but how do they manage their own passwords? We conducted interviews with researchers and practitioners in computer security, asking them about their password management behaviour. We conducted a thematic analysis of our data, and found that experts described a dichotomy of behaviour where they employed more secure behaviour on important accounts, but had similar practices to non-expert users on remaining accounts. Experts’ greater situation awareness allowed them to more easily make informed decisions about security, and expert practices can suggest ways for non-experts to better manage passwords.


Situation Awareness Computer Security Security Expert Multiple Account Security Practice 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would especially like to thank all of the computer security experts who lent their time, experience, and insight to our interviews. We also acknowledge support from the Natural Sciences and Engineering Research Council of Canada: Discovery Grant RGPIN 311982-2010.


  1. 1.
    Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)CrossRefGoogle Scholar
  2. 2.
    AgileBits. 1Password Watchtower (2015).
  3. 3.
    Asgharpour, F., Liu, D., Camp, L.J.: Mental models of security risks. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 367–377. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy, pp. 538–552. IEEE (2012)Google Scholar
  5. 5.
    Braun, V., Clarke, V.: Using thematic analysis in psychology. Qual. Res. Psychol. 3(2), 77–101 (2006)CrossRefGoogle Scholar
  6. 6.
    Codenomicon. The Heartbleed Bug, April 2014.
  7. 7.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: Network and Distributed System Security Symposium (NDSS). Internet Society, February 2014Google Scholar
  8. 8.
    eBay. eBay Inc., To Ask eBay Users To Change Passwords, May 2014.
  9. 9.
    Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov, K., Herley, C.: Does my password go up to eleven?: the impact of password meters on password selection. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI), pp. 2379–2388. ACM (2013)Google Scholar
  10. 10.
    Endsley, M.R.: Design and evaluation for situation awareness enhancement. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting, pp. 97–101 (1988)Google Scholar
  11. 11.
    Endsley, M.R.: Expertise and situational awareness. In: Ericsson, K.A., Charness, N., Feltovich, P.J., Hoffman, R.R. (eds.) The Cambridge Handbook of Expertise and Expert Performance. Cambridge University Press, Cambridge (2006)Google Scholar
  12. 12.
    Ericsson, K.A.: An introduction to the cambridge handbook of expertise and expert performance. In: The Cambridge Handbook of Expertise and Expert Performance, pp. 3–20. Cambridge University Press, Cambridge (2006)Google Scholar
  13. 13.
    Fitzpatrick, J.: How to Run a Last Pass Security Audit (and Why It Can’t Wait).
  14. 14.
    Florencio, D., Herley, C.: A Large-scale study of web password habits. In: International World Wide Web Conference (WWW). ACM, May 2007Google Scholar
  15. 15.
    Florencio, D., Herley, C., van Oorschot, P.C.: Password portfolios and the finite-effort user: sustainably managing large numbers of accounts. In: Proceedings of the 23rd USENIX Security Symposium. USENIX, August 2014Google Scholar
  16. 16.
    Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the 2nd Symposium on Usable Privacy and Security (SOUPS). ACM, July 2006Google Scholar
  17. 17.
    Grawemeyer, B., Johnson, H.: Using and managing multiple passwords: a week to a view. Interact. Comput. 23(3), 256–267 (2011)CrossRefGoogle Scholar
  18. 18.
    Hayashi, E., Hong, J.: A diary study of password usage in daily life. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI). ACM, May 2011Google Scholar
  19. 19.
    Herley, C.: So long, and no thanks for the externalities: the rational rejection of security advice by users. In: Proceedings of the Workshop on New Security Paradigms (NSPW). ACM, September 2009Google Scholar
  20. 20.
    Ion, I., Reeder, R.W., Consolvo, S.: “..No one can hack my mind”: comparing expert and non-expert security practices. In: Proceedings of the 11th Symposium on Usable Privacy and Security (SOUPS). USENIX, July 2015Google Scholar
  21. 21.
    Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: “My data just goes everywhere:” user mental models of the internet and implications for privacy and security. In: Proceedings of the 11th Symposium on Usable Privacy and Security (SOUPS). USENIX, July 2015Google Scholar
  22. 22.
    Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)CrossRefGoogle Scholar
  23. 23.
    Norman, D.A.: When security gets in the way. ACM SIGCSE Bull. 16(6), 60 (2009)Google Scholar
  24. 24.
    Notoatmodjo, G.: Exploring the ‘Weakest Link’: A Study of Personal Password Security. Master’s thesis, The University of Auckland, New Zealand, November 2007Google Scholar
  25. 25.
    Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.M., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the 6th Symposium on Usable Privacy and Security. ACM, June 2010Google Scholar
  26. 26.
    Simon, H.A.: The structure of Ill-structured problems. In: Models of Discovery, pp. 304–325. D. Reidel Publishing, Dordrecht (1977)Google Scholar
  27. 27.
    Stobert, E., Biddle, R.: The password life cycle: user behaviour in managing passwords. In: Proceedings of the 10th Symposium on Usable Privacy and Security (SOUPS). USENIX, July 2014Google Scholar
  28. 28.
    von Zezschwitz, E., De Luca, A., Hussmann, H.: Survival of the shortest: a retrospective analysis of influencing factors on password composition. In: Kotzé, P., Marsden, G., Lindgaard, G., Wesson, J., Winckler, M. (eds.) INTERACT 2013, Part III. LNCS, vol. 8119, pp. 460–467. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  29. 29.
    Wash, R.: Folk models of home computer security. In: Proceedings of the 6th Symposium on Usable Privacy and Security (SOUPS). ACM, July 2010Google Scholar
  30. 30.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS). ACM, October 2010Google Scholar
  31. 31.
    Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., Memon, N.: PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud. 63(1–2), 102–127 (2005)CrossRefGoogle Scholar
  32. 32.
    Zviran, M., Haga, W.J.: Password security: an empirical study. J. Manage. Inf. Syst. 15(4), 161–185 (1999)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.ETH ZürichZürichSwitzerland
  2. 2.Carleton UniversityOttawaCanada

Personalised recommendations