Usability of adviceMuch advice on passwords is contradictory, confusing, and context-free. I propose a Scale for Evaluating Password Advice (SEPA)
1. Does the advice give due prominence to haveibeenpwned.com?
2. Is the advice tailored to specific users and contexts (use cases)? (as opposed
to being generic)
If 'Yes' to question 2:
3. Are there indications that the threat priorities have been based on
4. Are there indications that the risk mitigation actions proposed are
based on evidence?
5. Are there indications that the advice has been tested with
Password ManagersThere are plenty of reviews of password managers. These all seem to focus on technical aspects, with little or no understanding of usability. On the basis of limited personal experience, I suggest the following criteria for password manager usability:
1. The supplier website sets out what use cases it meets, and how, and what use cases it does not support.
2. The manager has a link to haveibeenpwned.com API.
3. The manager generates user-friendly passphrases like this.
4. The manager works without the cloud.
5. The manager helps the user cope with the vagaries of various websites e.g. no paste allowed.
6. The manager is compatible with producing paper storage system.
Use CasesA collection of not-very-thought-through use cases is below for illustrative (rather than design)purposes:
A US Secretary of State who steps out of the SCIF to use her personal
A bitcoin miner whose mobile phone account is hijacked to exploit SMS
A Cambridge Professor of Security Engineering who refuses to use
online banking with good
- A journalist talking to dissidents in a dangerous country.
- Grandma logging into Facebook while staying with her daughter.
- Grandma wanting to put her online affairs in order for her estate.
- A student wanting to prevent his flatmates using his pr0n account when he is out.
- A businessman going to the toilet while doing online business with the free wi-fi in a coffee shop.
- A Civil Servant wanting to do home banking while at the office.
- An agency ICU nurse called in at short notice needing to look up patient records.
- A homeless person using a mobile phone to claim benefits and pay bills.
- Someone on a list entering the USA and being asked to provide their passwords.
Important update from Rachel Tobac: "A useful thing about using a password manager that I don’t always see folks talk about is that my pw manager won’t enter my username and password on malicious lookalike sites. Not the real airline website? Looks real but it’s actually a malicious URL? No credentials entered". So - does the pw manager do this?