„The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups

A presentation at the HCII 2013 conference in Las Vegas, July 25, 2013 (co-authored with Birgy Lorenz and Aare Klooster).

  1. „The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups
     Kaido Kikkas (Estonian IT College & Tallinn University), Birgy Lorenz (Tallinn University), Aare Klooster (Tallinn University)
     © Kaido Kikkas 2013. This document is distributed under the Creative Commons Attribution-ShareAlike 3.0 Estonia license.

  2. This thing's got a beard
     ● The first widespread notion about password security (or lack thereof) – The Stockings Were Hung by the Chimney with Care by Bob Metcalfe from 1973 (RFC602)
     ● An even earlier case described by Richard M. Stallman from the MIT AI Lab in the 60s
     ● The quote with four common passwords comes from the movie Hackers from 1990 (yes, the one with geeky Angelina Jolie)

  3. The Infamous Dumbuser (a.k.a. Ordinary Joe/Jane)
     ● A typical scenario:
       – Jane/Joe has to choose a password, picks something easy and obvious
       – Bad Guys guess it, resulting in SHTF
       – Jane/Joe gets a good thrashing from a local BOFH, followed by a long and grumpy lecture about password security
       – Jane/Joe gets a secure password – alas, it is impossible to remember and needs to be written down (to some obvious place)
       – Bad Guys intercept it with even more SHTF

  4. The obligatory piece of geekiness
     http://imgs.xkcd.com/comics/authorization.png

  5. Mitnick says
     ● Security =
       – Policies
       – People
       – Processes
       – Technology
     ● In password security, technology is often the least important

  6. The study
     ● Stage I: password usage in Estonian schools among different user groups
       – Students (high school, vocational school, university)
       – Teachers/trainers
       – ICT specialists at schools
       – A large comparison group of 'average users' (convenience sample based on personal contacts)

  7. ...
     ● Stage II – e-safety training with different groups, based on the Stage I results
       – Password models
       – Strength testing
       – Safe storage options
       – General tips on e-safety
     ● This stage is still ongoing

  8. Some results
     ● Stage I revealed the overall lack of security awareness – and especially among 'those who should know better'
     ● The behavioral patterns in different user groups were more similar than predicted

  9. Examples
     ● Most respondents only use 4 or less different passwords (incl. 54% of the ICT specialists)
     ● More than a half of the respondents use short passwords with 9 or less characters
     ● The only remarkable redeeming quality among ICT specialists was including special characters in passwords
     ● Teachers actually ranked below students

  10. ...
     ● Apparent lack of creativity – both in password and 'secret question' choices
     ● Password sharing among friends/family is widespread
     ● Overall awareness of computer security varies with some worrisome findings (e.g. 26% of the ICT specialists did not update their systems)

  11. A parable of two tools...
     ● Cugnot's fardier à vapeur, 1771
     ● Speed 2.25 mph
     ● Bugatti Veyron, 2010
     ● Speed 250 mph
     Note: the pictures on this and next slide come from Wikimedia Commons

  12. … and SHTFs
     ● 1771
     ● 2010
     ● What did break and what did survive?

  13. e-stonia
     ● Among top countries in Internet freedom
     ● E-banking (used by ~70% of the population)
     ● E-declaration of income (~70%)
     ● E-voting (Riigikogu 2011 – 24.3%)
     ● National ID-card infrastructure with large and growing online application base ...
     ● BUGATTI VEYRON....??

  14. Main things to do
     ● Quote Mitnick: technology is the least one
       – Promote the least bad choice for passwords – long passphrases that
         ● are in native language (if other than English; also applies to usernames)
         ● make sense as words, not as phrase (e.g. “TheViolinDoesNotComputeMacaroni”)
         ● contain some 1337 and punctuation
       – Train good password storage practices
       – Password security is just a part of the whole
     ● Lack of knowledge is curable, stupidity is not
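As an added illustration of the "least bad choice" advice on slide 14 (not part of the original presentation), the checker below tests a candidate against the slide's criteria (length, several words, some 1337/digits, punctuation) and gives two search-space estimates: a brute-force upper bound and a dictionary-attack lower bound. The numeric thresholds (16 characters, 4 words) and the 50,000-word dictionary size are assumptions chosen for the example, not figures from the slides.

```python
import math
import string

# Character classes for a naive brute-force keyspace estimate.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def brute_force_bits(password: str) -> float:
    """Upper bound: an attacker tries every string of this length over the
    character classes the password actually uses."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    alphabet = max(alphabet, 26)  # non-ASCII letters only: assume one 26-letter class
    return len(password) * math.log2(alphabet)


def split_words(passphrase: str) -> list[str]:
    """Split a CamelCase passphrase into words. Digits stay inside a word
    (1337 spellings such as 'D03s'); punctuation and spaces separate words."""
    words, current = [], ""
    for ch in passphrase:
        if (ch.isupper() and current) or not ch.isalnum():
            if current:
                words.append(current)
            current = ""
        if ch.isalnum():
            current += ch
    if current:
        words.append(current)
    return words


def dictionary_bits(passphrase: str, dict_size: int = 50_000) -> float:
    """Lower bound: an attacker guesses whole words from a dictionary of
    dict_size entries (assumed size, constructed for this example)."""
    return len(split_words(passphrase)) * math.log2(dict_size)


def check_passphrase(passphrase: str, min_words: int = 4, min_length: int = 16) -> dict:
    """Report which of the slide's criteria a candidate meets; the thresholds
    are this example's assumptions, not values from the presentation."""
    words = split_words(passphrase)
    return {
        "long_enough": len(passphrase) >= min_length,
        "enough_words": len(words) >= min_words,
        "has_leet_or_digit": any(c.isdigit() for c in passphrase),
        "has_punctuation": any(c in string.punctuation for c in passphrase),
        "brute_force_bits": round(brute_force_bits(passphrase), 1),
        "dictionary_bits": round(dictionary_bits(passphrase), 1),
    }
```

The gap between the two bit counts for the slide's example passphrase shows why the word count matters more than raw length once an attacker switches from brute force to dictionary guessing.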
  15. No fool like an old fool
     ● Start young!
     ● Caution – the concept of secrecy can be hard to grasp for young children (and can contradict some other principles)
     ● Curiosity can be dangerous but is vital – especially when dealing with adolescents
     ● Overconfidence kills – “experienced users” are notably hard to (re)train – but “putting the nose into it” can help

  16. Instead of conclusion
     http://imgs.xkcd.com/comics/security.png

  17. Thank you
     These slides @ Slideshare (CC BY-SA): http://slideshare.net/UncleOwl
     The (upcoming) Digital Safety Lab @ Tallinn University: http://www.tlu.ee/dsl
     Contact: {first.last}@tlu.ee
     The research was supported by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa (governed by the Archimedes Foundation) and by the Estonian Information Technology Foundation
     http://www.spreadshirt.net