under 40% of respondents reported being likely to do so. These intentions did not vary significantly whether or not the notification explicitly encouraged respondents to take these actions. Future work could investigate whether describing the exact situation the given user is in even more explicitly, as well as why these particular actions are crucial in mitigation, might be more successful.
Our work thus underscores that it is unreasonable to expect users to maintain dozens of distinct and secure passwords simply by telling them to do so. Although notifications are a critical source of information to incite positive change in users’ online security behaviors, they are only a band-aid on a gaping wound. In addition to improving notifications, we recommend devising ecosystem-level strategies to combat password reuse. Individual account providers cannot prevent password reuse across services without direct cooperation with others [64]. As our respondents already expressed much confusion about how providers “had this information in the first place, who they got it from and how they got it” (R159), other actors may be better positioned to make a difference.
Password managers and web browsers have a unique viewpoint on the full spectrum of a user’s passwords that individual providers do not. Specifically, they have the opportunity to identify and prevent password reuse when users create, change, or import passwords. Unfortunately, current implementations of many password managers and browsers permit users to reuse passwords across accounts, often not even warning those users about why this is problematic. This behavior could be out of fear that users would not use those password managers or browsers if they felt burdened by onerous actions. Future work should thus investigate how password managers and browsers can be more explicit in preventing password reuse while maintaining a positive user experience. The current state of password reuse results from many actors’ decisions. Remediation will require the contributions of many more.
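As an added illustration of the check described above (example code written for this page, not code from the paper or from any password manager), the toy vault below flags reuse at the three moments named in the text: when a password is created, changed, or imported. The class and function names are hypothetical, the vault key and account names are constructed, and the reuse index stores only keyed fingerprints rather than the passwords themselves.

```python
import hmac
import hashlib
from collections import defaultdict

class ReuseAwareVault:
    """Toy vault that flags password reuse when an entry is created,
    changed, or imported. The reuse index holds only keyed fingerprints
    (HMAC-SHA256 under a constructed per-vault secret), never plaintext."""

    def __init__(self, index_key: bytes):
        self._key = index_key
        self._fp_of = {}                       # account -> fingerprint
        self._accounts_of = defaultdict(set)   # fingerprint -> accounts

    def _fingerprint(self, password: str) -> str:
        return hmac.new(self._key, password.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def set_password(self, account: str, password: str) -> list:
        """Create or change the password for `account`. Returns the other
        accounts already using the same password (empty list: no reuse)."""
        fp = self._fingerprint(password)
        old = self._fp_of.get(account)
        if old is not None and old != fp:      # password change: unlink old
            self._accounts_of[old].discard(account)
            if not self._accounts_of[old]:
                del self._accounts_of[old]
        reused_with = sorted(self._accounts_of[fp] - {account})
        self._fp_of[account] = fp
        self._accounts_of[fp].add(account)
        return reused_with

    def import_entries(self, entries) -> dict:
        """Bulk import (e.g. a browser export); returns every cluster of
        accounts sharing one password, keyed by its first account."""
        for account, password in entries:
            self.set_password(account, password)
        return self.reuse_clusters()

    def reuse_clusters(self) -> dict:
        return {sorted(a)[0]: sorted(a)
                for a in self._accounts_of.values() if len(a) > 1}

def reuse_warning(account: str, others: list) -> str:
    """Spell out the concrete risk rather than a bare 'password reused'."""
    if not others:
        return ""
    return (f"The password for {account} is already used for {', '.join(others)}. "
            f"If one of these sites is breached, the leaked password will be "
            f"tried on the others (credential stuffing).")
```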
REFERENCES
[1] Parag Agrawal. 2018. Keeping Your Account Secure. https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html.
[2] Devdatta Akhawe and Adrienne Porter Felt. 2013. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proc. USENIX Security Symposium. 257–272.
[3] Lujo Bauer, Cristian Bravo-Lillo, Elli Fragkaki, and William Melicher. 2013. A Comparison of Users’ Perceptions of and Willingness to Use Google, Facebook, and Google+ Single-sign-on Functionality. In Proc. DIM. 25–36.
[4] Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proc. IEEE S&P. 553–567.
[5] Cristian Bravo-Lillo, Lorrie Cranor, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. 2014. Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It. In Proc. SOUPS. 105–111.
[6] Cristian Bravo-Lillo, Lorrie Faith Cranor, Julie S. Downs, and Saranga Komanduri. 2011. Bridging the Gap in Computer Security Warnings: A Mental Model Approach. IEEE Security & Privacy Magazine 9, 2 (March 2011), 18–26.
[7] Cristian Bravo-Lillo, Saranga Komanduri, Lorrie Faith Cranor, Robert W. Reeder, Manya Sleeper, Julie Downs, and Stuart Schechter. 2013. Your Attention Please: Designing Security-decision UIs to Make Genuine Risks Harder to Ignore. In Proc. SOUPS. 6:1–6:12.
[8] Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Cranor, and Nicolas Christin. 2018. “It’s Not Actually That Horrible”: Exploring Adoption of Two-Factor Authentication at a University. In Proc. CHI. 456:1–456:11.
[9] Sam Croley (“Chick3nman”). 2018. Abusing Password Reuse at Scale: Bcrypt and Beyond. https://www.youtube.com/watch?v=5bYvTPVXC18&t=6h05m00s.
[10] Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. 2014. The Tangled Web of Password Reuse. In Proc. NDSS.
[11] Serge Egelman, Lorrie Faith Cranor, and Jason Hong. 2008. You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proc. CHI. 1065–1074.
[12] Serge Egelman, Andreas Sotirakopoulos, Ildar Muslukhov, Konstantin Beznosov, and Cormac Herley. 2013. Does My Password Go Up to Eleven?: The Impact of Password Meters on Password Selection. In Proc. CHI. 2379–2388.
[13] Michael Fagan, Yusuf Albayram, Mohammad Maifi Hasan Khan, and Ross Buck. 2017. An Investigation Into Users’ Considerations Towards Using Password Managers. Human-centric Computing and Information Sciences 7, 1 (2017), 12.
[14] Sascha Fahl, Marian Harbach, Yasemin Acar, and Matthew Smith. 2013. On the Ecological Validity of a Password Study. In Proc. SOUPS. 13:1–13:13.
[15] Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, and Jeff Grimes. 2015. Improving SSL Warnings: Comprehension and Adherence. In Proc. CHI. 2893–2902.
[16] Dinei Florêncio and Cormac Herley. 2007. A Large-scale Study of Web Password Habits. In Proc. WWW. 657–666.
[17] Dinei Florêncio, Cormac Herley, and Paul C. van Oorschot. 2014. Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts. In Proc. USENIX Security Symposium. 575–590.
[18] Dinei Florêncio, Cormac Herley, and Paul C. van Oorschot. 2016. Pushing on String: The “Don’t Care” Region of Password Strength. Commun. ACM 59, 11 (Oct. 2016), 66–74.
[19] David Mandell Freeman, Sakshi Jain, Markus Dürmuth, Battista Biggio, and Giorgio Giacinto. 2016. Who Are You? A Statistical Approach to Measuring User Authenticity. In Proc. NDSS.
[20] Shirley Gaw and Edward W. Felten. 2006. Password Management Strategies for Online Accounts. In Proc. SOUPS. 44–55.
[21] Maximilian Golla, Theodor Schnitzler, and Markus Dürmuth. 2018. “Will Any Password Do?” Exploring Rate-Limiting on the Web. In Proc. WAY.
[22] Dan Goodin. 2012. Why Passwords Have Never Been Weaker–and Crackers Have Never Been Stronger. https://arstechnica.com/information-technology/2012/08/passwords-under-assault/.
[23] Google. 2010. Detecting Suspicious Account Activity. https://security.googleblog.com/2010/03/detecting-suspicious-account-activity.html.
[24] Google, Inc. 2018. 2-Step Verification. https://www.google.com/landing/2step/.
[25] Jeremi M. Gosney. 2017. Nvidia GTX 1080 Ti Hashcat Benchmarks. https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505.
[26] Weili Han, Zhigong Li, Minyue Ni, Guofei Gu, and Wenyuan Xu. 2018. Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis. IEEE Transactions on Dependable and Secure Computing 15, 2 (April 2018), 309–320.
[27] Cormac Herley and Paul C. van Oorschot. 2012. A Research Agenda Acknowledging the Persistence of Passwords. IEEE Security & Privacy Magazine 10, 1 (Jan. 2012), 28–36.
[28] Karen Holtzblatt and Hugh Beyer. 2016. Contextual Design (second ed.). Elsevier.
[29] Jun Ho Huh, Hyoungshick Kim, Swathi S.V.P. Rayala, Rakesh B. Bobba, and Konstantin Beznosov. 2017. I’m Too Busy to Reset My LinkedIn Password: On the Effectiveness of Password Reset Emails. In Proc. CHI. 387–391.
[30] Troy Hunt. 2017. Password Reuse, Credential Stuffing and Another Billion Records in Have I Been Pwned? https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/.
[31] Troy Hunt. 2018. Have I Been Pwned? Check If Your Email Has Been Compromised in a Data Breach. https://haveibeenpwned.com.
[32] David Jaeger, Chris Pelchen, Hendrik Graupner, Feng Cheng, and Christoph Meinel. 2016. Analysis of Publicly Leaked Credentials and the Long Story of Password (Re-)use. In Proc. PASSWORDS.
[33] Alexander Jenkins, Murugan Anandarajan, and Rob D’Ovidio. 2014. ‘All that Glitters is not Gold’: The Role of Impression Management in Data Breach Notification. Western Journal of Communication 78, 3 (Jan. 2014), 337–357.
[34] Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. 2011. Of Passwords and People: Measuring the Effect of Password-composition Policies. In Proc. CHI. 2595–2604.
[35] Frauke Kreuter, Stanley Presser, and Roger Tourangeau. 2008. Social Desirability Bias in CATI, IVR, and Web Surveys: The Effects of Mode and Question Sensitivity. Public Opinion Quarterly 72, 5 (2008), 847–865.
[36] Jon A. Krosnick. 1999. Survey Research. Annual Review of Psychology 50, 1 (1999), 537–567.
[37] Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song. 2014. The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers. In Proc. USENIX Security Symposium. 465–479.
[38] Deborah Logan. 2015. British Airways Among Latest Breaches. Network Security 2015, 4 (April 2015), 2–20.
[39] Chris Long. 2014. Keeping Passwords Secure. https://www.facebook.com/notes/protect-the-graph/keeping-passwords-secure/1519937431579736/.
[40] William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2016. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. In Proc. USENIX Security Symposium. 175–191.
[41] Grzegorz Milka. 2018. Anatomy of Account Takeover. In Proc. Enigma.
[42] Saif M. Mohammad and Peter D. Turney. 2013. Crowdsourcing a Word-Emotion Association Lexicon. Computational Intelligence 29, 3 (2013), 436–465.