„The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups

A presentation at the HCII 2013 conference in Las Vegas, July 25, 2013 (co-authored with Birgy Lorenz and Aare Klooster).

Published in: Education, Technology

  1. „The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups
     Kaido Kikkas (Estonian IT College & Tallinn University), Birgy Lorenz (Tallinn University), Aare Klooster (Tallinn University)
     © Kaido Kikkas 2013. This document is distributed under the Creative Commons Attribution-ShareAlike 3.0 Estonia license.
  2. This thing's got a beard
     ● The first widespread notion about password security (or lack thereof): "The Stockings Were Hung by the Chimney with Care" by Bob Metcalfe, 1973 (RFC 602)
     ● Another early case, described by Richard M. Stallman, from the MIT AI Lab in the 1970s
     ● The quote with the four common passwords comes from the movie Hackers (1995; yes, the one with geeky Angelina Jolie)
  3. The Infamous Dumbuser (a.k.a. Ordinary Joe/Jane)
     ● A typical scenario:
       – Jane/Joe has to choose a password and picks something easy and obvious
       – Bad Guys guess it, resulting in SHTF
       – Jane/Joe gets a good thrashing from the local BOFH, followed by a long and grumpy lecture about password security
       – Jane/Joe gets a secure password; alas, it is impossible to remember and has to be written down (in some obvious place)
       – Bad Guys intercept it, with even more SHTF
  4. The obligatory piece of geekiness
     http://imgs.xkcd.com/comics/authorization.png
  5. Mitnick says
     ● Security =
       – Policies
       – People
       – Processes
       – Technology
     ● In password security, technology is often the least important of the four
  6. The study
     ● Stage I: password usage in Estonian schools among different user groups
       – Students (high school, vocational school, university)
       – Teachers/trainers
       – ICT specialists at schools
       – A large comparison group of 'average users' (convenience sample based on personal contacts)
  7. ...
     ● Stage II: e-safety training with different groups, based on the Stage I results
       – Password models
       – Strength testing
       – Safe storage options
       – General tips on e-safety
     ● This stage is still ongoing
  8. Some results
     ● Stage I revealed an overall lack of security awareness, especially among 'those who should know better'
     ● The behavioral patterns of the different user groups were more similar than predicted
  9. Examples
     ● Most respondents use only four or fewer different passwords (including 54% of the ICT specialists)
     ● More than half of the respondents use short passwords of 9 or fewer characters
     ● The only remarkable redeeming quality of the ICT specialists was including special characters in passwords
     ● Teachers actually ranked below students
  10. ...
     ● Apparent lack of creativity, both in password and in 'secret question' choices
     ● Password sharing among friends/family is widespread
     ● Overall awareness of computer security varies, with some worrisome findings (e.g. 26% of the ICT specialists did not update their systems)
  11. A parable of two tools...
     ● Cugnot's fardier à vapeur, 1771
     ● Speed 2.25 mph
     ● Bugatti Veyron, 2010
     ● Speed 250 mph
     Note: the pictures on this and the next slide come from Wikimedia Commons
  12. … and SHTFs
     ● 1771 ● 2010
     ● What did break and what did survive?
  13. e-stonia
     ● Among the top countries in Internet freedom
     ● E-banking (used by ~70% of the population)
     ● E-declaration of income (~70%)
     ● E-voting (Riigikogu 2011: 24.3%)
     ● National ID-card infrastructure with a large and growing online application base ...
     ● BUGATTI VEYRON....??
  14. Main things to do
     ● Quote Mitnick: technology is the least important one
       – Promote the least bad choice for passwords: long passphrases that
         ● are in the native language (if other than English; this also applies to usernames)
         ● are made of real words but do not form a meaningful phrase (e.g. "TheViolinDoesNotComputeMacaroni")
         ● contain some 1337 and punctuation
       – Train good password storage practices
       – Password security is just a part of the whole
     ● Lack of knowledge is curable, stupidity is not
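The 'strength testing' item in Stage II (slide 7) and the passphrase advice on slide 14 both rest on a point that a strength meter hides: an attacker does not brute-force a mangled dictionary word character by character, but a long passphrase of list words still costs the attacker a word-list search per word. The script below is an added example written for this page, not a tool from the study; it scores a password under both attacker models. The word-list size (20,000), the mangling-rule count (1,000) and the 1337 substitution table are assumptions, and the two sample passwords are constructed, one of them being the passphrase quoted on slide 14.

```python
"""Score a password under two attacker models: the optimistic brute-force
model behind most strength meters, and a word-list-plus-mangling model
closer to what a cracker actually runs. All constants are assumptions."""
import math
import re
import string

# Assumed attacker parameters (not figures from the study): size of the word
# list and number of mangling rules (1337 substitutions, casing, appended
# digits) tried against each word.
ASSUMED_WORDLIST_SIZE = 20_000
ASSUMED_MANGLING_RULES = 1_000

# Constructed samples, not respondent data. The passphrase is the one quoted
# on slide 14; the short one is a typical 'complex' 9-character password.
SAMPLE_SHORT = "P@ssw0rd1"
SAMPLE_PHRASE = "TheViolinDoesNotComputeMacaroni"

# Common 1337 substitutions, reversed so a mangled dictionary word is
# recognised as the word it came from (assumed rule set).
DELEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def charset_size(pw):
    """Alphabet size an attacker would assume from the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    if any(c not in string.printable for c in pw):
        size += 100  # assumed allowance for non-ASCII letters (e.g. Estonian õäöü)
    return size


def brute_force_bits(pw):
    """Bits of search space if every string of this length over the detected
    alphabet must be tried; zero for an empty password."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def split_words(pw):
    """Undo 1337 substitutions, then split on capital letters and separators.
    Returns (words, mangled): (['Passwordi'], True) for 'P@ssw0rd1'."""
    plain = pw.translate(DELEET)
    return re.findall(r"[A-Za-z][a-z]*", plain), plain != pw


def wordlist_bits(n_words, mangled, wordlist_size=ASSUMED_WORDLIST_SIZE,
                  rules=ASSUMED_MANGLING_RULES):
    """Bits of search space if the attacker knows the password is n_words
    list words, plus one pass of mangling rules when 1337 was used."""
    bits = n_words * math.log2(wordlist_size)
    if mangled and n_words:
        bits += math.log2(rules)
    return bits


def assess(pw):
    """Score one password; 'effective_bits' is the cheaper of the two models,
    since the attacker gets to choose the attack."""
    words, mangled = split_words(pw)
    brute = brute_force_bits(pw)
    wordy = wordlist_bits(len(words), mangled)
    return {
        "length": len(pw),
        "short": len(pw) <= 9,          # threshold reported on slide 9
        "charset": charset_size(pw),
        "words": len(words),
        "mangled": mangled,
        "brute_force_bits": round(brute, 1),
        "wordlist_bits": round(wordy, 1),
        "effective_bits": round(min(brute, wordy), 1),
    }


if __name__ == "__main__":
    for pw in (SAMPLE_SHORT, SAMPLE_PHRASE):
        print(pw, assess(pw))
```

Under the brute-force model the 9-character "P@ssw0rd1" looks respectable (about 59 bits), but as one mangled dictionary word it costs the attacker only about 24 bits; the six-word passphrase keeps about 86 bits even when the attacker knows it is built from list words. That is the argument behind slide 14's preference for length over special characters. One caveat when running real strength tests: a cracker's word list is far larger than any one person's vocabulary, so set the list size from the wordlists actually in circulation rather than from the 20,000 assumed here.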
  15. No fool like an old fool
     ● Start young!
     ● Caution: the concept of secrecy can be hard to grasp for young children (and can contradict some other principles)
     ● Curiosity can be dangerous but is vital, especially when dealing with adolescents
     ● Overconfidence kills: "experienced users" are notably hard to (re)train, but "putting the nose into it" can help
  16. Instead of conclusion
     http://imgs.xkcd.com/comics/security.png
  17. Thank you
     These slides @ Slideshare (CC BY-SA): http://slideshare.net/UncleOwl
     The (upcoming) Digital Safety Lab @ Tallinn University: http://www.tlu.ee/dsl
     Contact: {first.last}@tlu.ee
     The research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa (governed by the Archimedes Foundation) and by the Estonian Information Technology Foundation
     http://www.spreadshirt.net