Forcing Johnny to login safely

Amir Herzberg, Ronen Margulies

Research output: Contribution to journalArticlepeer-review

3 Scopus citations


We present the results of the first long-term user study of site-based login mechanisms which force and train users to login safely. We found that interactive site-identifying images received 70% detection rates, which is significantly better than the results received by the typical login ceremony and with passive defense indicators [in: CHI'06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, New York, 2006, pp. 601-610; Computers & Security 28(1,2) (2009), 63-71; in: SP'07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, 2007, pp. 51-65]. We also found that combining login bookmarks with interactive images and 'non-working' buttons/links achieved the best detection rates (82%) and overall resistance rates (93%). We also present WAPP (Web Application Phishing-Protection), an effective server-side solution which combines the login bookmark and the interactive custom image indicators. WAPP provides two-factor and two-sided authentication.

Original languageEnglish
Pages (from-to)393-424
Number of pages32
JournalJournal of Computer Security
Issue number3
StatePublished - 2013


  • Phishing
  • forcing functions
  • human factors
  • long-term user study
  • training


Dive into the research topics of 'Forcing Johnny to login safely'. Together they form a unique fingerprint.

Cite this