mozilla-iam / auth0-custom-lock

Front-end for the newly refreshed auth0 “Lock” interface: the New Login Experience (NLX)
Mozilla Public License 2.0

Add Google Analytics event for manually typed LDAP passwords and auto filled passwords #81

Open gene1wood opened 6 years ago

gene1wood commented 6 years ago

We could detect if a password is being filled into the password field by typing on the keyboard by watching for onkeypress and onkeydown as mentioned in this blog.

In our case we'd be looking for the opposite of what that blog is, in that we want users to be auto completing their passwords (not memorizing and typing them in).

When we detect these two states we should fire Google Analytics events about them.

We could also emit the fact that the given user typed or didn't type their password to something (SSO dashboard? mozdef?) and with a larger sample (10 user logins) we could potentially assert that the user

And create a SSO dashboard alert to tell them to use a password manager (and stop memorizing their LDAP password and typing it in by hand)

hmitsch commented 6 years ago

I am sure we can achieve this without involving Google Analytics.

How about renaming this ticket to a problem, instead of a solution?

Remind Mozilla IAM users to use a password manager

Is this the correct problem we are chasing? If so, we might also create a dashboard alert for all users and ask them to use a password manager. We could offer the following answers:

Thoughts?

gene1wood commented 6 years ago

My interest was less in changing user behavior and more about understanding the scale of the problem. To my knowledge we don't currently have any understanding of what proportion of mozillians use password managers. If we gathered this information we'd know

So ya, this is more about understanding our users and if there is a problem, not about trying to solve a problem we may or may not have.

hmitsch commented 6 years ago

If you are okay with a very rough picture, we could set up a very short form and post it on some of the most active Telegram channels (Mozillians, Mozilla Reps). This could give you a rough idea?

gene1wood commented 6 years ago

we could set up a very short form and post it

My thought had been that the added Google analytics event would be a single line of JS to record an event when users type in the password field. Maybe I should just PR this to make sure.

Are you concerned that adding this would be a large development effort? I'm getting the sense that you don't want to add this GA event but I'm not sure why yet. Is it a privacy concern?

hmitsch commented 6 years ago

For the interested reader:

Gene and I had a discussion around this article: https://webmasters.stackexchange.com/questions/92237/how-can-i-tell-if-my-website-visitors-are-using-lastpass-or-other-password-manag

Not sure yet what we are going to do. :-)

gene1wood commented 6 years ago

After chatting with @hmitsch the concerns he raised are

Suggested alternate ways to accomplish this would be to run a survey of users.

gene1wood commented 6 years ago

Though I don't necessarily agree with these I get the vibe that there isn't an appetite for this feature so I'll close this.

jeffbryner commented 6 years ago

There is certainly appetite, was there a technical issue we didn't think we could overcome @gene1wood ? We'd like to use this to get stats on password manager use.

gene1wood commented 6 years ago

@jeffbryner @hmitsch @tristanweir and I met up and chatted about this. We will move forward with this and the steps we came up with are

  1. Gene contacts the privacy team to find out if the data we're hoping to gather here is subject to Do Not Track (DNT) and how DNT affects our goals
  2. Gene contacts the data analytics team, poses what we're trying to do, and finds out what they recommend (e.g. if we use Google Analytics, how to structure the thing etc)
  3. If these conversations come back with a path forward, Gene assembles a small proof of concept that shows it's at least possible to differentiate between a user logging in by hand vs logging in with a password manager. This may involve leveraging Hidde's experience with getting NLX to work well in password managers.
  4. If the proof of concept produces useful data, then this effort will get slotted into the NLX priorities and developed.

gene1wood commented 6 years ago

I've emailed legal

From: Gene Wood Date: Wed, Aug 8, 2018 at 10:11 AM Subject: IAM Project seeking to gather data on Mozillians use of password managers To: "Product Legal Team (Mozilla)"

The IAM (Identity and Access Management) Project is the group that builds and maintains the single sign on capabilities for all of our Mozilla websites (for example when you login to mana, slack or gmail)

We would like to add to the login interface, code that observes how a user types in their LDAP password (whether they type it in one character at a time indicating they have it memorized and are physically typing it in or if all of the characters are entered at once indicating that either a password manager has filled them in or they've copy pasted the password in). We'd like to gather this data to understand to what degree Mozillians use password managers to help measure our efforts to increase the use of password managers to improve Mozillians' security posture.

We would like to log which users we believe are and are not using password managers. If this isn't acceptable from a privacy or legal standpoint we'd instead like to log that a user is or is not using a password manager without logging who the user is.

This would affect exclusively users with LDAP passwords who, by their nature, are either Mozilla employees or NDA'd mozillians.

  1. Is this the right venue to ask these questions? If not please point me in a direction if possible.
  2. Can legal provide any guidance as to whether we can do this?
  3. If so, what do you recommend?

-Gene

gene1wood commented 6 years ago

I've emailed the metrics team

From: Gene Wood Date: Wed, Aug 8, 2018 at 1:13 PM Subject: Guidance on collecting metrics on Mozillians use of password managers To: Metrics Team

https://github.com/mozilla-iam/auth0-custom-lock/issues/81

Hey metrics team,

The IAM (Identity and Access Management) Project is the group that builds and maintains the single sign on capabilities for all of our Mozilla websites (for example when you login to mana, slack or gmail)

We're (the IAM project) seeking to gather metrics on how many mozillians (specifically LDAP users) are using password managers and how many aren't.

I'm thinking of a novel method by observing the timing in our login interface (the one you use when you do a mozilla single sign on with your ldap username password) of how the password characters are typed into the field to differentiate between a human typing and either a copy/paste or a browser add-on filling in the password.

I've not collected metrics before (beyond embedding google analytics in a page) and was wondering if there's any guidance or suggestions the metrics team would have.

How do people engage the metrics team for this kind of thing? Do I meet with someone? Email thread like this? Some system or maybe a bug tracker?

-Gene
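The thread describes the same heuristic three times (the keydown-based idea in the opening comment, the "one character at a time vs. all at once" framing in the legal email, and the timing framing in the metrics email) without showing how it would be implemented. The following is an added example, not code from auth0-custom-lock or from anyone in this thread, of a classifier that uses only event counts and value lengths, never the password characters, so that the reported label carries no secret material. Event names (`keydown`, `paste`, `input`, `submit`) are standard DOM events; the event payload shape, the `report` callback, and the sample event logs are assumptions constructed for this example. It also handles the edge case the thread does not mention: some password managers set the field value without dispatching any event, so the only signal is a non-empty field at submit time with no prior input events.

```javascript
// Added example (not auth0-custom-lock code): classify how a password field
// was filled using counts and lengths only. The password text is never read.

class PasswordEntryClassifier {
  constructor() {
    this.printableKeydowns = 0; // keydowns for single printable characters
    this.inputEvents = 0;       // 'input' events observed on the field
    this.largestGrowth = 0;     // most characters added by one input event
    this.currentLength = 0;     // last observed field value length
    this.pasteSeen = false;     // a 'paste' event fired on the field
  }

  // key is KeyboardEvent.key; modifier/navigation keys have multi-char names,
  // and Ctrl/Cmd+V is a shortcut, not a typed character.
  onKeydown(key, ctrlOrMeta = false) {
    if (key.length === 1 && !ctrlOrMeta) this.printableKeydowns += 1;
  }

  onPaste() { this.pasteSeen = true; }

  // newLength is field.value.length after the event (the length, not the value).
  onInput(newLength) {
    const growth = newLength - this.currentLength;
    if (growth > this.largestGrowth) this.largestGrowth = growth;
    this.currentLength = newLength;
    this.inputEvents += 1;
  }

  // finalLength is field.value.length at submit time. Managers that write the
  // value silently produce a non-empty field with zero input events.
  classify(finalLength = this.currentLength) {
    if (finalLength === 0) return 'empty';
    if (this.inputEvents === 0) return 'autofilled';   // value appeared with no events
    if (this.pasteSeen) return 'pasted';
    if (this.largestGrowth > 1) return 'autofilled';   // many chars in one event, no paste
    if (this.printableKeydowns >= finalLength) return 'typed'; // one key per character
    return 'unknown'; // mixed behaviour, e.g. heavy editing; do not guess
  }
}

// The payload handed to the analytics library: a category label only, no user
// identity and no password material. Field names are an assumption.
function toAnalyticsEvent(classification) {
  return { category: 'login', action: 'password_entry', label: classification };
}

// Browser wiring (assumed element handles; not exercised outside a browser).
// `report` receives the payload once, at submit time.
function attachPasswordObserver(field, form, report) {
  const c = new PasswordEntryClassifier();
  field.addEventListener('keydown', (e) => c.onKeydown(e.key, e.ctrlKey || e.metaKey));
  field.addEventListener('paste', () => c.onPaste());
  field.addEventListener('input', () => c.onInput(field.value.length));
  form.addEventListener('submit', () => {
    report(toAnalyticsEvent(c.classify(field.value.length)));
  }, { once: true });
  return c;
}

// Replays a constructed event log in the order the DOM listeners would see it.
function classifyEventLog(log, finalLength) {
  const c = new PasswordEntryClassifier();
  for (const ev of log) {
    if (ev.type === 'keydown') c.onKeydown(ev.key, !!ev.ctrlOrMeta);
    else if (ev.type === 'paste') c.onPaste();
    else if (ev.type === 'input') c.onInput(ev.length);
  }
  return c.classify(finalLength);
}

// Constructed sample logs for an 8-character and a 14-character password.
const TYPED_LOG = [];
for (let i = 1; i <= 8; i++) {
  TYPED_LOG.push({ type: 'keydown', key: 'x' }, { type: 'input', length: i });
}
const AUTOFILL_LOG = [{ type: 'input', length: 14 }];
const PASTE_LOG = [
  { type: 'keydown', key: 'v', ctrlOrMeta: true },
  { type: 'paste' },
  { type: 'input', length: 14 },
];

console.log('typed    ->', classifyEventLog(TYPED_LOG, 8));
console.log('autofill ->', classifyEventLog(AUTOFILL_LOG, 14));
console.log('paste    ->', classifyEventLog(PASTE_LOG, 14));
console.log('silent   ->', classifyEventLog([], 10));
```

The classifier deliberately collapses "autofilled" and "pasted" into coarse labels rather than recording per-keystroke timings: the thread's stated goal is a population-level count of password manager use, and counts and maximum growth per event are enough for that without retaining anything that could reconstruct typing rhythm or password length per user.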

gene1wood commented 5 years ago

See #232 where I share my proof of concept code and request implementation