05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006
Usable Privacy and Security I
Koranda Carnegie Mellon University 2
Chapter 1: Psychological Acceptability Revisited
Chapter 2: The Case for Usable Security
Chapter 3: Design for Usability
Chapter 32: Users are not the Enemy
Usable Security
The user side…
A secure system has to be complicated and complex; thus, difficult to use
The Need to Know Principle: the more that is known about security, the easier it is to attack
Users know little about security
Lack of knowledge makes it less secure
Humans are the weakest link in the security chain
Hackers pay attention to the human element in security in order to exploit it
Usable Security
Why are security products ineffective?
Users do not understand the importance of data, software, and systems
Users do not see that assets are at risk
Users do not understand that their behavior is at risk
Approach #1
Educate the user
Today’s educational topic: passwords
Suggestions for Creating Passwords
Interject random characters within a word: confine = cOn&fiNe
Deliberately misspell a word: helium = healeum
Make an acronym: I’ve fallen, and I can’t get up = If,alcgu
Use numbers and sounds of letters to make words: I am the one for you = imd14u
Combine letters from multiple words: Laser and implosion = liamspel
https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html
How Long does it take to Crack a Password?
Brute force attack
Assuming 100,000 encryption operations per second
FIPS Password Usage 3.3.1: passwords shall have a maximum lifetime of 1 year
http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
Character sets (column headings):
  26 characters: lower case letters
  36 characters: lower case letters and digits
  52 characters: mixed case letters
  68 characters: single case letters with digits, symbols and punctuation
  94 characters: all displayable ASCII characters, including mixed case letters

Password length   26 characters     36 characters      52 characters       68 characters         94 characters
 3                0.18 seconds      0.47 seconds       1.41 seconds        3.14 seconds          8.3 seconds
 4                4.57 seconds      16.8 seconds       1.22 minutes        3.56 minutes          13.0 minutes
 5                1.98 minutes      10.1 minutes       1.06 hours          4.04 hours            20.4 hours
 6                51.5 minutes      6.05 hours         13.7 days           2.26 months           2.63 months
 7                22.3 hours        9.07 days          3.91 months         2.13 years            20.6 years
 8                24.2 days         10.7 months        17.0 years          1.45 centuries        1.93 millennia
 9                1.72 years        32.2 years         8.82 centuries      9.86 millennia        182 millennia
10                44.8 years        1.16 millennia     45.8 millennia      670 millennia         17,079 millennia
11                11.6 centuries    41.7 millennia     2,384 millennia     45,582 millennia      1,605,461 millennia
12                30.3 millennia    1,503 millennia    123,946 millennia   3,099,562 millennia   150,913,342 millennia
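As an added worked example (not part of the slides), the following computes the figures behind the table: charset_size ** length guesses at the slide's assumed 100,000 operations per second, converted into the table's units. The unit lengths (365-day year, one twelfth of a year per month) are my assumptions, and the rate is a parameter so the same table can be recomputed for a faster attacker.

```python
# Added example: worst-case brute-force time for a password of a given
# length drawn from a character set of a given size, at a fixed guess rate.
# Default rate matches the slide (100,000 operations per second); the unit
# lengths below (365-day year, year/12 month) are assumptions of this example.

# Column headings of the slide's table: character-set name -> alphabet size.
CHARSETS = {
    "lower case letters": 26,
    "lower case letters and digits": 36,
    "mixed case letters": 52,
    "single case letters, digits, symbols and punctuation": 68,
    "all displayable ASCII characters": 94,
}

YEAR = 365 * 86400
UNITS = [  # coarsest first; the first unit the value reaches is used
    ("millennia", 1000 * YEAR),
    ("centuries", 100 * YEAR),
    ("years", YEAR),
    ("months", YEAR / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def worst_case_seconds(charset_size, length, guesses_per_second=1e5):
    """Seconds needed to try every password of exactly `length` characters."""
    return charset_size ** length / guesses_per_second


def humanize(seconds):
    """Return (value, unit) in the largest unit for which value >= 1."""
    for unit, size in UNITS:
        if seconds >= size:
            return seconds / size, unit
    return seconds, "seconds"


def crack_table(lengths=range(3, 13), guesses_per_second=1e5):
    """One row per password length: a list of (value, unit) per character set."""
    return {
        n: [humanize(worst_case_seconds(size, n, guesses_per_second))
            for size in CHARSETS.values()]
        for n in lengths
    }


if __name__ == "__main__":
    for n, cells in crack_table().items():
        print(f"{n:2d}  " + "  ".join(f"{v:.3g} {u}" for v, u in cells))
```

Passing a modern guess rate to crack_table shows how far the 2006 assumption has dated; only the rate changes, the keyspace arithmetic does not.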
Education Results
Educating users does not automatically mean they will change their behavior
Why?
users do not believe they are at risk
users do not think they will be accountable for not following security regulations
security mechanisms can conflict with social norms
security behavior conflicts with self-image
Motivation
Users are motivated if they care about what is being protected
-and-
Users understand how their behavior can put assets at risk
Motivation
How can motivation be accomplished?
Security should not be a ‘firefighting’ response
Organizations must become active in security
Approach #2 – Design a Usable System
Design a Usable System
User centered design is critical in system security
Password mechanisms should be compatible with work practices
Change regime and spiraling effect: “I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know.”
Passwords that are memorable are not secure
How to Design a Usable & Secure System?
Current problem: lack of communication between users and security departments
Solution:
Product: actual security mechanisms
Process: how decisions are made
Panorama: the context of security
Product
Password Considerations
Meaning increases memorability
  Meaningful passwords are often less secure
  How do you make a password easy to remember but hard to guess?
Passwords that change over time
  Can decrease memorability
  Can increase security?
System generated passwords
  Can be more inherently secure
  Are less memorable
Passwords are often used infrequently
  How can they be remembered?
Process
Security tasks must be designed to support production tasks
AEGIS process:
gathering participants
identifying assets
modeling assets in context of operation
security requirements on assets
risk analysis
designing security of the system
Benefits of involving stakeholders:
increased awareness of security
security aspects become much more accessible and personal
provide a simple model through security properties of the system
Panorama
Security tasks must take into account the environment
Education: teaching concepts and skills
Training: change behavior through drills, monitoring, feedback, reinforcement
Focus should be on correct usage of security mechanisms
Should encompass all staff, not only those with immediate access to systems deemed at risk
Attitudes: role models
Activity
Groups will explore how to solve a problem related to passwords with a given scenario
The goal is to make suggestions for a secure system that users will comply with
Simply saying ‘educate and train users’ is not enough to make a convincing argument
Weigh the pros and cons of decisions you make
Refer to the design checklist (p42)
Summary
Users need to be informed about security issues
The majority of users are security conscious if they see the need for the behavior
The key to all security efforts is a balance between security and usability
Bibliography
Security and Usability:
  Chapter 1: Psychological Acceptability Revisited
  Chapter 2: The Case for Usable Security
  Chapter 3: Design for Usability
  Chapter 32: Users are not the Enemy
http://www.smat.us/sanity/riskyrules.html
http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm
http://www.itl.nist.gov/fipspubs/fip112.htm
http://www.securitystats.com/tools/password.php
https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html
http://geodsoft.com/howto/password/cracking_passwords.htm#howlong