Forcing Johnny to Login Safely

Long-Term User Study of Forcing and Training Login Mechanisms
  • Amir Herzberg
  • Ronen Margulies
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6879)


We present the results of the first long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than passive indicators’ results [15,8,12]. We also found that login bookmarks, when used together with ‘non-working’ links, doubled the prevention rates of reaching spoofed login pages in the first place. Combining these mechanism provides effective prevention and detection of phishing attacks, and when several images are displayed in the login page, the best detection rates (82%) and overall resistance rates (93%) are achieved. We also introduce the notion of negative training functions, which train users not to take dangerous actions by experiencing failure when taking them.


Detection Rate User Study Resistance Rate Home Page Force Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aaron, G., Rasmussen, R.: Global Phishing Survey: Trends and Domain Name Use in 2H2009. Anti-Phishing Working Group (May 2010),
  2. 2.
    Adida, B.: Beamauth: two-factor web authentication with a bookmark. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 48–57. ACM, New York (2007)Google Scholar
  3. 3.
  4. 4.
    Cialdini, R.: Influence: Science and Practice, 5th edn. Allyn and Bacon, Boston (2008)Google Scholar
  5. 5.
    Dhamija, R., Tygar, J.D.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM Press, New York (2006)CrossRefGoogle Scholar
  6. 6.
    Dvorkin, A.: Evaluation of the Tools for User Protection against Web Site and Electronic Mail Based Attacks. Master’s thesis, Bar-Ilan University (December 2008)Google Scholar
  7. 7.
    Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: CHI 2008: Proceeding of the Twenty-sixth Annual SIGCHI Conference on Human Factors in Computing Systems, pp. 1065–1074. ACM, New York (2008)CrossRefGoogle Scholar
  8. 8.
    Herzberg, A.: Why Johnny can’t surf (safely)? Attacks and defenses for web users. Computers & Security (2008)Google Scholar
  9. 9.
    Herzberg, A., Jbara, A.: Security and identification indicators for browsers against spoofing and phishing attacks. ACM Trans. Internet Techn. 8(4) (2008)Google Scholar
  10. 10.
    Herzberg, A., Margulies, R.: Long-term user study of forcing and training login mechanisms against phishing. Tech. rep., Bar Ilan University (March 2011),
  11. 11.
    Karlof, C., Tygar, J.D., Wagner, D.: Conditioned-safe ceremonies and a user study of an application to web authentication. In: SOUPS 2009: Proceedings of the 5th Symposium on Usable Privacy and Security (2009)Google Scholar
  12. 12.
    Schechter, S., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators. In: SP 2007: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 51–65. IEEE Computer Society, Washington, DC, USA (2007)Google Scholar
  13. 13.
    Schechter, S., Egelman, S., Reeder, R.W.: It’s not what you know, but who you know: a social approach to last-resort authentication. In: CHI 2009: Proceedings of the 27th International Conference on Human Factors in Computing Systems, pp. 1983–1992. ACM, New York (2009)Google Scholar
  14. 14.
    Sotirakopoulos, A., Hawkey, K., Beznosov, K.: “i did it because i trusted you”: Challenges with the study environment biasing participant behaviours. In: SOUPS User Workshop (2010)Google Scholar
  15. 15.
    Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: CHI 2006: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 601–610. ACM, New York (2006)Google Scholar
  16. 16.
    Better website identification and extended validation certificates in ie7 and other browsers (November 2005), published in Microsoft Developer Network’s IEBlog
  17. 17.
  18. 18.
    Yee, K.-P., Sitaker, K.: Passpet: convenient password management and phishing protection. In: SOUPS 2006: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 32–43. ACM, New York (2006)CrossRefGoogle Scholar
  19. 19.
    Gartner survey shows phishing attacks escalated in 2007 more than $3 billion lost to these attacks (2007),
  20. 20.
    Gartner says number of phishing attacks on u.s. consumers increased 40 percent in 2008 (2008),
  21. 21.
    Mcafee siteadvisor (2009),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Amir Herzberg
    • 1
  • Ronen Margulies
    • 1
  1. 1.Dept. of Computer ScienceBar Ilan UniversityIsrael

Personalised recommendations