Publications by Saranga Komanduri (bibliography)
Shay, Richard, Kelley, Patrick Gage, Komanduri, Saranga, Mazurek, Michelle L., Ur, Blase, Vidas, Timothy, Bauer, Lujo, Christin, Nicolas and Cranor, Lorrie Faith (2012): Correct horse battery staple: exploring the usability of system-assigned passphrases. In: Proceedings of the 2012 Symposium on Usable Privacy and Security 2012. p. 7.
Users tend to create passwords that are easy to guess, while system-assigned passwords tend to be hard to remember. Passphrases, space-delimited sets of natural language words, have been suggested as both secure and usable for decades. In a 1,476-participant online study, we explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords. Contrary to expectations, system-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics we examined. Passphrases and passwords were forgotten at similar rates, led to similar levels of user difficulty and annoyance, and were both written down by a majority of participants. However, passphrases took significantly longer for participants to enter, and appear to require error-correction to counteract entry mistakes. Passphrase usability did not seem to increase when we shrunk the dictionary from which words were chosen, reduced the number of words in a passphrase, or allowed users to change the order of words.
© All rights reserved Shay et al. and/or their publisher
Komanduri, Saranga, Shay, Richard, Kelley, Patrick Gage, Mazurek, Michelle L., Bauer, Lujo, Christin, Nicolas, Cranor, Lorrie Faith and Egelman, Serge (2011): Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of ACM CHI 2011 Conference on Human Factors in Computing Systems 2011. pp. 2595-2604.
Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.
© All rights reserved Komanduri et al. and/or their publisher
Wang, Yang, Norcie, Gregory, Komanduri, Saranga, Acquisti, Alessandro, Leon, Pedro Giovanni and Cranor, Lorrie Faith (2011): "I regretted the minute I pressed share": a qualitative study of regrets on Facebook. In: Proceedings of the 2011 Symposium on Usable Privacy and Security 2011. p. 10.
We investigate regrets associated with users' posts on a popular social networking site. Our findings are based on a series of interviews, user diaries, and online surveys involving 569 American Facebook users. Their regrets revolved around sensitive topics, content with strong sentiment, lies, and secrets. Our research reveals several possible causes of why users make posts that they later regret: (1) they want to be perceived in favorable ways, (2) they do not think about their reason for posting or the consequences of their posts, (3) they misjudge the culture and norms within their social circles, (4) they are in a "hot" state of high emotion when posting, or under the influence of drugs or alcohol, (5) their postings are seen by an unintended audience, (6) they do not foresee how their posts could be perceived by people within their intended audience, and (7) they misunderstand or misuse the Facebook platform. Some reported incidents had serious repercussions, such as breaking up relationships or job losses. We discuss methodological considerations in studying negative experiences associated with social networking posts, as well as ways of helping users of social networking sites avoid such regrets.
© All rights reserved Wang et al. and/or ACM Press
Shay, Richard, Komanduri, Saranga, Kelley, Patrick Gage, Leon, Pedro Giovanni, Mazurek, Michelle L., Bauer, Lujo, Christin, Nicolas and Cranor, Lorrie Faith (2010): Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the 2010 Symposium on Usable Privacy and Security 2010. p. 2.
Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users' opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users' behavior in response to those rules.
© All rights reserved Shay et al. and/or their publisher
Komanduri, Saranga and Hutchings, Dugald R. (2008): Order and Entropy in Picture Passwords. In: Proceedings of the 2008 Conference on Graphics Interface May 28-30, 2008, Windsor, Ontario, Canada. pp. 115-122.
Previous efforts involving picture-based passwords have not focused on maintaining a measurably high level of entropy. Since password systems usually allow user selection of passwords, their true entropy remains unknown. A 23-participant study was performed in which picture and character-based passwords of equal strength were randomly assigned. Memorability was tested with up to one week between sessions. The study found that both character and picture passwords of very high entropy were easily forgotten. However, when password inputs were analyzed to determine the source of input errors, serial ordering was found to be the main cause of failure. This supports a hypothesis stating that picture-password systems which do not require ordered input may produce memorable, high-entropy passwords. Input analysis produced another interesting result, that incorrect inputs by users are often duplicated. This reduces the number of distinct guesses users can make when authentication systems lock out users after a number of failed logins. A protocol for ignoring duplicate inputs is presented here. A shoulder-surfing resistant input method was also evaluated, with six out of 15 users performing an insecure behavior.
© All rights reserved Komanduri and Hutchings and/or their publisher
Changes to this page (author):
23 Nov 2012: Modified
05 Apr 2012: Modified
05 Jul 2011: Modified
02 Nov 2010: Modified
12 May 2008: Added
Page maintainer: The Editorial Team