Even for users of password managers, primary passwords are a common root of trust; these must be secure against offline attacks. Randomly generated passwords provide strength guarantees but are less memorable. Cognitive psychology studies have found that providing a choice aids recall, however no studies have investigated the impact of choice on password recall in isolation. To address this, we conducted a longitudinal user study (N=861 at initial follow-up) where users selected and memorized a password from a list of 1, 8, 32, or 128 random passwords. The users entered their password multiple times after selection to improve memory, and we followed up 7 and 28 days later. We found no evidence that selecting from a list improved memorability, which suggests designers and researchers should explore other avenues. Finally, we identify potential directions for new interfaces that help users generate random passwords that will be easier to use.
https://dl.acm.org/doi/10.1145/3706598.3714043
The proliferation of consumer Internet of Things (IoT) devices has raised security concerns. In response, governments have been advising consumers on security measures, but these recommendations are not guaranteed to be implementable owing to the diverse and rapidly evolving IoT landscape, risking wasted efforts and uncertainty caused by unsuccessful attempts to secure devices. Through interviews and a workshop with 14 stakeholders involved in a Dutch national public awareness campaign, we found that while stakeholders recognized the validity of these concerns, they opted to continue the campaign with minor modifications while expecting regulatory changes to resolve the observed problem. Their justifications reveal an institutional incentive structure that overlooks well-documented user realities in security and privacy HCI research. This raises important considerations for the design and delivery of such support strategies. By fostering a collaborative dialogue, we aim to contribute to the development of user-centered security practices.
https://dl.acm.org/doi/10.1145/3706598.3713719
The proliferation of “Internet of Things (IoT)” provides older adults with critical support for “health monitoring” and independent living, yet significant concerns about security and privacy persist. In this paper, we report on these issues through a two-phase user study, including a survey (N = 22) and semi-structured interviews (n = 9) with adults aged 65+. We found that while 81.82% of our participants are aware of security features like “two-factor authentication (2FA)” and encryption, 63.64% express serious concerns about unauthorized access to sensitive health data. Only 13.64% feel confident in existing protections, citing confusion over “data sharing policies” and frustration with “complex security settings” which lead to distrust and anxiety. To cope, our participants adopt various strategies, such as relying on family or professional support and limiting feature usage leading to disengagement. Thus, we recommend “adaptive security mechanisms,” simplified interfaces, and real-time transparency notifications to foster trust and ensure “privacy and security by design” in IoT health systems for older adults.
https://dl.acm.org/doi/10.1145/3706598.3714019
Password checkup services (PCS) identify compromised, reused, or weak passwords, helping users secure at-risk accounts. However, adoption rates are low. We investigated factors influencing PCS use and password change challenges via an online survey (n=238). Key adoption factors were "perceived usefulness," "ease of use," and "self efficacy." We also identified barriers to changing compromised passwords, including alert fatigue, low perceived urgency, and reliance on other security measures. We then designed interfaces mitigating these issues through clearer messaging and automation (e.g., simultaneous password changes and direct links to change pages). A user study (N=50) showed our designs significantly improved password change success rates, reaching 40% and 74% in runtime alert and PCS checkup reporting scenarios, respectively (compared to 16% and 60% with a baseline).
https://dl.acm.org/doi/10.1145/3706598.3713284
The rising threat of mobile malware has prompted security vendors to recommend antivirus software for smartphones, yet user misconceptions, regulatory requirements, and improper use undermine its effectiveness. Our mixed-method study, consisting of in-depth interviews with 23 participants and a survey of 250 participants, examines smartphone antivirus software adoption in South Korea, where mandatory installation for banking and other financial apps is common. Many users confuse antivirus software with general security tools and remain unaware of its limited scope. Adoption is significantly influenced by perceived vulnerability, response efficacy, self-efficacy, social norms, and awareness, while concerns about system performance and skepticism about necessity lead to discontinuation or non-use. Mandatory installations for financial apps in South Korea contribute to user misconceptions, negative perceptions, and a false sense of security. These findings highlight the need for targeted user education, clearer communication about mobile-specific threats, and efforts to promote informed and effective engagement with antivirus software.
https://dl.acm.org/doi/10.1145/3706598.3713452
Traditional app privacy policies are often lengthy and non-interactive, leading users to skip them and remain uninformed. To address this, we proposed PrivCAP, a technique to enhance user comprehension by presenting policies in a concise, interactive format. PrivCAP adopted a CAPTCHA-based design, requiring users to interact with clickable chunks of concise policy content, thus reducing physical and cognitive load. A formative study (N=38) demonstrated that participants valued informed consent alongside concerns over data collection and sharing, marking the first such evaluation among Chinese users. This study further found a preference for concise visualizations and interactable formats. PrivCAP, leveraging few-shot prompting on Large Language Models (LLMs), accurately translates privacy policies into clickable, chunked formats optimized for smartphone screens. In an evaluation (N=28), PrivCAP outperformed traditional policy presentations in improving user understanding, reducing cognitive load, and maintaining efficiency, with participants favoring its engaging design and reporting more informed decision-making.
https://dl.acm.org/doi/10.1145/3706598.3713928
Online advertising platforms may be able to infer privacy-sensitive information about people, such as their health conditions. This could lead to harms like exposure to predatory targeted advertising or unwanted disclosure of health conditions to employers or insurers. In this work, we experimentally evaluate whether online advertisers target people with health conditions. We collected the browsing histories of people with and without health conditions. We crawled their histories to simulate their browsing profiles and collected the ads that were served to them. Then, we compared the content of the ads between groups. We observed that the profiles of people who visited more health-related web pages received more health-related ads. 49.5% of health-related ads used deceptive advertising techniques. Our findings suggest that new privacy regulations and enforcement measures are needed to protect people's health privacy from online tracking and advertising platforms.
https://dl.acm.org/doi/10.1145/3706598.3714318