
STS Thesis Proposal: Privacy and Trust of Password Managers

Sam Havron
November 02, 2016


Transcript

  1. Understanding Password Managers
     ➔ Are Privacy and Trust Broken?
       ◆ “LastPass Bug Lets Hackers Steal all Your Passwords” (Khandelwal, July 2016)
       ◆ “1Password leaks all of your bookmarks” (Titcomb, October 2015)
       ◆ “Hacking Tool Swipes Encrypted Credentials [from KeePass]” (Goodin, November 2015)
       ◆ … who is next?
     ➔ Putting Eggs in one basket … ← trusted manager of your secrets
  2. “No one can hack my mind”
     ➔ Practices of Experts, Non-Experts (SOUPS 2015 paper by Google researchers)
       ◆ Most important practices for protecting their security online?
       ◆ Experts: “Installing Updates, Using Two Factor Auth., Using a Password Manager”
       ◆ Non-experts: “Antivirus software, visiting known websites, changing password frequently”
     ➔ “password managers were regarded with skepticism by non-experts, who instead preferred to remember passwords, partly because, as one participant said, ‘no one can hack my mind.’”
     ➔ Social Worlds Framework (Clarke & Star, 2008)
  3. PM Awareness and Usage Amongst Non-Experts
     ➔ Are non-experts aware of password managers?
     ➔ Are password managers usable? (USENIX paper by Chiasson, 2006)
       ◆ “...uncomfortable with ‘relinquishing control’”
       ◆ Users misunderstanding feedback and strength of passwords
     ➔ How can we understand usability weaknesses and improve them?
  4. Research Question
     ➔ How have norms concerning digital privacy and trust, as explored through the case of password managers, developed/changed/shifted [choose an appropriate verb] amongst computer security experts and the general public?
     ➔ What factors contribute to patterns of awareness and use of password managers in these different social worlds?
     Puzzle: Can we define a social arena between experts and non-experts? What gaps in awareness, understanding, and practice exist, and why?
  5. Can we build trust in password managers?
     ➔ Introducing “horcrux-manager”
     ➔ Build trust by distributing it - what could go wrong?
  6. Privacy and Trust at UVA
     ➔ Google organizations, Collab
     ➔ “When a [person] assumes a public trust, [s/he] should consider [her/himself] as public property.” - Thomas Jefferson
     ➔ What can we learn from UVA students, “experts” and “non-experts”?
  7. References (APA)
     Chiasson, S., van Oorschot, P. C., & Biddle, R. (2006, August). A Usability Study and Critique of Two Password Managers. In USENIX Security (Vol. 6).
     Clarke, A. E., & Star, S. L. (2008). The social worlds framework: A theory/methods package. The Handbook of Science & Technology Studies, 3, 113-137.
     Dewey, C. (2015, July 1). Mark Zuckerberg says the future of communication is telepathy. Here’s how that would actually work. Washington Post. Retrieved from https://www.washingtonpost.com/news/the-intersect/wp/2015/07/01/mark-zuckerberg-says-the-future-of-communication-is-telepathy-heres-how-that-would-actually-work/
     Goodin, D. (2015, November 2). Hacking tool swipes encrypted credentials from password manager. Ars Technica. Retrieved from http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
     Ion, I., Reeder, R., & Consolvo, S. (2015). “... no one can hack my mind”: Comparing Expert and Non-Expert Security Practices. In Eleventh Symposium on Usable Privacy and Security (SOUPS 2015) (pp. 327-346).
     Khandelwal, S. (2016, July 27). LastPass bug lets hackers steal all your passwords. The Hacker News. Retrieved from http://thehackernews.com/2016/07/lastpass-password-manager.html
     Titcomb, J. (2015, October 19). Password manager 1Password criticised for leaking users’ bookmarks. The Telegraph. Retrieved from http://www.telegraph.co.uk/technology/internet-security/11939920/Password-manager-1Password-criticised-for-leaking-users-bookmarks.html