user behaviors and attitudes under · 2019-12-18 · user behaviors and attitudes under password...
User Behaviors and Attitudes Under Password Expiration Policies
Hana Habib, Pardis Emami Naeini, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor
Let’s talk about password expiration policies
Sources: https://www.portalguard.com/blog/2016/05/04/password-expiration-policy-best-practices/ https://www.top-password.com/blog/tag/disable-windows-password-expiration/ https://makeameme.org/meme/finally-learned-to
Do expiration policies help improve security?
● No evidence that expiration protects from modern password guessing attacks
● Attackers can use password history to launch better attacks (Zhang et al. CCS’10)
Sources: http://www.designerhipster.com/Cartoons/Business
1. What happens when people are FORCED to change their passwords?
Do users make weaker passwords?
Do they have negative sentiments toward their policies?
How important do they view password expiration?
Do they have a harder time using their passwords?
2. How does human behavior impact the effectiveness of password expiration policies?
Conducted 2 Mechanical Turk surveys
● “Workplace passwords survey” and “password perceptions survey”
● Total of 695 participants
● Age 18 or older
● Residents of the United States
● 55% had an expiration policy for their main workplace password
Workplace passwords survey
● Screening
  ○ Ensure at least one workplace password
● Full survey
  ○ 31 multiple choice questions
  ○ 5 open-ended response questions
● Password management experiences
  ○ Creating, updating, and recalling passwords
● Sentiments toward password expiration
How do people CREATE passwords?
Workplace passwords
● Use a word in English (41%)
● Use a name (37%)
● Add numbers to beginning or end (59%)
● Add symbols to beginning or end (32%)
How do people UPDATE passwords?
Workplace passwords
● Modified their current password (67%)
● Created a new password (24%)
● Reused a password from another account (10%)
Techniques to update passwords
Workplace passwords
● Capitalizing a character: soups# → soupS# (30%)
● Incrementing a character: soupsalad#1 → soupsalad#2 (17%)
● Adding a sequence: alphabetsoupa → alphabetsoupabc (15%)
● Adding a date: noodlesoup → noodlesoup2018 (12%)
● Substituting digits/special characters: Hot!soup1 → hot!soup9 (12%)
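Added example (not from the talk or the study): a password-change form sees the old and new password together, so it can recognise the update techniques listed above and steer the user toward a freshly generated password instead. The function names, labels and date pattern are assumptions of this example; the sample pairs are the slide's own, plus one unrelated pairing.

```python
import re

# Appended text treated as a date: a year, optionally preceded by a month (assumed pattern).
DATE_RE = re.compile(r"(0?[1-9]|1[0-2])?(19|20)\d{2}")

def _eq_nocase(a, b):
    return len(a) == len(b) and all(x.lower() == y.lower() for x, y in zip(a, b))

def _is_increment(a, b):
    # One alphanumeric character stepped up by exactly one (1 -> 2, a -> b).
    return len(a) == len(b) == 1 and a.isalnum() and b.isalnum() and ord(b) - ord(a) == 1

def classify_update(old, new):
    """Return the slide's technique labels that explain old -> new, or [] if none fit."""
    if old == new:
        return ["unchanged"]
    if len(new) < len(old):
        return []
    labels, core, k = [], new, len(old)
    if len(new) > k:
        # The old password survives whole; text was added after or before it.
        if _eq_nocase(old, new[:k]):
            core, added = new[:k], new[k:]
        elif _eq_nocase(old, new[-k:]):
            core, added = new[-k:], new[:-k]
        else:
            return []
        # Added text counts as a date if it matches DATE_RE, otherwise as a sequence.
        labels.append("adding a date" if DATE_RE.fullmatch(added) else "adding a sequence")
    # Compare the old password with the aligned part of the new one, ignoring case.
    diffs = [(a.lower(), b.lower()) for a, b in zip(old, core) if a.lower() != b.lower()]
    if len(diffs) == 1 and _is_increment(*diffs[0]):
        labels.append("incrementing a character")
    elif diffs and all(not (a.isalpha() or b.isalpha()) for a, b in diffs):
        labels.append("substituting digits/special characters")
    elif diffs:
        return []  # letters were replaced: not one of the listed techniques
    if any(a != b and a.lower() == b.lower() for a, b in zip(old, core)):
        labels.append("capitalizing a character")
    return labels

# The slide's own example pairs, plus one unrelated change (constructed pairing).
SAMPLES = [("soups#", "soupS#"), ("soupsalad#1", "soupsalad#2"),
           ("alphabetsoupa", "alphabetsoupabc"), ("noodlesoup", "noodlesoup2018"),
           ("Hot!soup1", "hot!soup9"), ("noodlesoup", "looking37Pickles1402")]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old} -> {new}: {classify_update(old, new) or 'no listed technique'}")
```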
Coping with password expiration policies
Workplace passwords
● Use the same strategy they used to create their passwords (64%)
  ○ Password generator (7%)
  ○ Substituting letters and symbols
● New fast food receipt
  ○ looking37Pickles1402
● Updated password was believed to be about the same strength as previous (66%)
Source: https://www.thehollywoodgossip.com/2012/08/best-butt-discount-woman-receives-surprising-credit-on-fast-food/
Password perceptions survey
● Rate importance of management behaviors for account security
● Rank the harm of not following each practice
● Choose which practice contributes most to account security when shown pairs
● Anticipate behaviors in a hypothetical scenario where their workplace:
  ○ Implemented expiration policy
  ○ Removed expiration policy
Management behaviors
1. Using a complex password
2. Storing a password safely
3. Avoiding reuse
4. Changing passwords periodically
Expiration is important… but not as important as others
[Bar chart: % who agreed the practice was important (0% to 100%), for four practices: Use a complex password; Store your password in a safe place; Create a password you do not already use; Change your password periodically (password expiration)]
“It takes time to hack or steal a password and if it is changed frequently it is less likely that the hacker will have time to obtain the password.”
“There will be less time for a hacker to retrieve your information.”
Downsides of expiration
● Inconvenient
● Insecure
● Unusable
● Ineffective
“I don’t think [periodic password change] is as important as people say...A really strong password doesn’t just automatically become weaker simply because you’ve been using it for a while.”
“I don’t believe it’s necessarily important to change your password, if you have a secure one in the first place”
Expiration frequency had minor impact on usage
● No reported influence on:
  ○ Update strategies
  ○ Account lockouts
  ○ Similarity with other passwords
  ○ Sentiments about expiration
● Slight influence on:
  ○ Password memorization
Source: https://www.kaspersky.com/blog/remember-strong-passwords/6386/
People accept the advice they’re told
● About 50% would continue changing their password if their expiration policy was removed
● Reported reasons:
  ○ Habit
  ○ Beneficial to security
“It’s the standard we use and it works well.”
“It’s just a natural habit to do now for my own security.”
“I would forget as it is not on my high priority list.”
Expiration does not lead to weaker passwords or extremely negative reactions...
BUT
...people have developed coping mechanisms which may not benefit account security as much as one would like
Main recommendation
● Enable users to create and manage complex passwords
● Sufficiently random
  ○ Password managers
  ○ Password generators
Source: https://support.managed.com/kb/a2245/best-practice-strong-password-policy.aspx
For more on this: cups.cs.cmu.edu/passwords/