usable security
TRANSCRIPT
USABLE SECURITY
WHAT’S ON THE AGENDA?
▸ Why do people do what they do?
▸ Passwords
▸ HTTPS errors
▸ SSL Interstitials
▸ Phishing
▸ Takeaways
WE USE PASSWORDS THAT ARE HARD FOR HUMANS TO REMEMBER, BUT EASY FOR COMPUTERS TO GUESS
XKCD
WWW.XKCD.COM/936
FROM SPLASHDATA’S WORST PASSWORDS OF 2015
ATTACKERS ENUMERATE USERNAMES WITH COMMON PASSWORDS
▸ 123456
▸ password
▸ 12345
▸ 12345678
▸ qwerty
▸ 123456789
▸ 1234
▸ baseball
▸ dragon
▸ football
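The slide describes the attacker's pattern (try a handful of common passwords against many usernames) but not what a defender does with it. The following is an added example, not part of the deck, that shows the two defensive halves: rejecting the deck's own SplashData passwords at password-set time, and flagging the "many users, few attempts each" shape of a spray in authentication logs. The log format and the sample lines are constructed for this example; the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict

# Denylist taken from the SplashData 2015 slide above; a production list would be far larger.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}


def is_common_password(candidate: str) -> bool:
    """Mitigation: refuse a password an attacker is known to try first."""
    return candidate.strip().lower() in COMMON_PASSWORDS


# Constructed log format for this example (not a real product's format):
#   <timestamp> auth <FAIL|OK> user=<name> src=<ip>
LOG_LINE = re.compile(
    r"^\S+ auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays one guess across five accounts and then
# gets in as "frank"; 198.51.100.5 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """
2024-01-01T10:00:00Z auth FAIL user=alice src=203.0.113.7
2024-01-01T10:00:01Z auth FAIL user=bob src=203.0.113.7
2024-01-01T10:00:02Z auth FAIL user=carol src=203.0.113.7
2024-01-01T10:00:03Z auth FAIL user=dave src=203.0.113.7
2024-01-01T10:00:04Z auth FAIL user=erin src=203.0.113.7
2024-01-01T10:00:05Z auth OK user=frank src=203.0.113.7
2024-01-01T10:00:06Z auth FAIL user=alice src=198.51.100.5
2024-01-01T10:00:07Z auth FAIL user=alice src=198.51.100.5
2024-01-01T10:00:08Z auth FAIL user=alice src=198.51.100.5
2024-01-01T10:00:09Z auth OK user=bob src=192.0.2.10
"""


def detect_spray(lines, min_users: int = 5, max_per_user: int = 2) -> dict:
    """Detection: a source that fails against many distinct users, each only a
    few times, is spraying. Per-account lockout never fires on this pattern,
    which is why the rule is keyed on the source rather than the user.
    Returns {src: {"users_tried": [...], "successes": [...]}} for flagged sources;
    the successes list answers the first incident-response question (did it work?).
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> fail count
    successes = defaultdict(list)                     # src -> users that logged in
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable or blank line: skip rather than crash the pipeline
        if m["result"] == "FAIL":
            failures[m["src"]][m["user"]] += 1
        else:
            successes[m["src"]].append(m["user"])

    flagged = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged[src] = {
                "users_tried": sorted(per_user),
                "successes": sorted(successes.get(src, [])),
            }
    return flagged


if __name__ == "__main__":
    for pw in ("football", "correct horse battery staple"):
        print(f"{pw!r}: {'rejected' if is_common_password(pw) else 'allowed'}")
    for src, info in detect_spray(SAMPLE_LOG.strip().splitlines()).items():
        print(f"spray from {src}: tried {info['users_tried']}, succeeded as {info['successes']}")
```

The brute-force source is deliberately not flagged: it is caught by ordinary per-account lockout, whereas the spray is invisible to lockout and only shows up when failures are grouped by source.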
USERS DO NOT GENERALLY PERCEIVE THE ABSENCE OF A WARNING SIGN.
Chrome Security Team
MARKING HTTP AS NON-SECURE
USABLE SECURITY
RESOURCES
▸ Transforming the ‘weakest link’ – a human/computer interaction approach to usable and effective security (M. A. Sasse, S. Brostoff, D. Weirich)
▸ Learning from “Shadow Security” (Iacovos Kirlappos, Simon Parkin, M. Angela Sasse)
▸ Users are not the enemy (Anne Adams, Martina Angela Sasse)
▸ Experimenting at scale with Google Chrome’s SSL Warning (Adrienne Porter Felt, Hazim Almuhimedi, Sunny Consolvo)
▸ Improving SSL Warnings: Comprehension & Adherence (Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, Jeff Grimes)
▸ The Emperor’s New Security Indicators (Stuart E. Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer)