Chapter Thirty Two. Users Are Not the Enemy


Why Users Compromise Security Mechanisms and How to Take Remedial Measures, by Anne Adams and M. Angela Sasse

CONFIDENTIALITY IS AN IMPORTANT ASPECT OF COMPUTER SECURITY. It depends on authentication mechanisms, such as passwords, to safeguard access to information. Traditionally, authentication procedures are divided into two stages:[1], [2]

[1] A. Adams and M. A. Sasse, "Users Are Not the Enemy," Communications of the ACM 42:12 (Dec. 1999). © 1999 Association for Computing Machinery, Inc. Reprinted by permission.

[2] D. B. Parker, "Restating the Foundation of Information Security," in G. C. Gable and W. J. Caelli (eds.), IT Security: The Need for International Co-operation (Holland: Elsevier Science Publishers, 1992).

  • Identification (user ID), to identify the user

  • Authentication, to verify that the user is the legitimate owner of the ID

It is the latter stage that requires a secret password. To date, research on password security has focused on designing technical mechanisms to protect access to systems; the usability of these mechanisms has rarely been investigated. Hitchings[3] and Davis and Price[4] argue that this narrow perspective has produced security mechanisms that are, in practice, less effective than they are generally assumed to be. Because security mechanisms are designed, implemented, applied, and breached by people, human factors should be considered in their design. It seems that, currently, hackers pay more attention to the human link in the security chain than security designers do, for example, by using social engineering techniques to obtain passwords.

[3] J. Hitchings, "Deficiencies of the Traditional Approach to Information Security and the Requirements for a New Methodology," Computers and Security 14 (1995), 377-383.

[4] D. Davis and W. Price, Security for Computer Networks (Chichester, U.K.: Wiley, 1987).

The key element in password security is the crackability of a password combination. Davies and Ganesan[5] argue that an adversary's ability to crack passwords is greater than usually believed. System-generated passwords are essentially the optimal security approach; however, user-generated passwords are potentially more memorable and thus are less likely to be disclosed (because users do not have to write them down). The U.S. Federal Information Processing Standards[6] (FIPS) suggest several criteria for assuring different levels of password security. Password composition, for example, relates the size of the character set from which a password has been chosen to its level of security. An alphanumeric password is therefore more secure than one composed of letters alone. A short password lifetime (changing passwords frequently) is suggested as reducing the risk associated with undetected compromised passwords. Finally, password ownership, in particular individual ownership, is recommended to:

[5] C. Davies and R. Ganesan, "BApasswd: A New Proactive Password Checker," Proceedings of the National Computer Security Conference '93 (1993), 1-15.

[6] FIPS 112, Password Usage, Federal Information Processing Standards Publication (May 30, 1985).

  • Increase individual accountability

  • Reduce illicit usage

  • Allow for an establishment of system usage audit trails

  • Reduce frequent password changes due to group membership fluctuations
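To make the composition and lifetime criteria above concrete, here is an added example (not from the chapter, and not the method of FIPS 112) that computes the search space of a password and the chance that an attacker guessing steadily for the whole password lifetime hits it; the guess rate, lifetime and the assumption of uniformly chosen characters are constructed assumptions, and the last of them is exactly what user-chosen passwords violate.

```python
import math
import string

# Character classes behind the FIPS-style composition criterion: a password's
# security is related to the size of the set its characters were drawn from.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def keyspace_bits(charset: int, length: int) -> float:
    """log2 of the number of passwords of this length over a charset of this size,
    assuming each character is drawn uniformly (user-chosen passwords are not)."""
    return length * math.log2(charset)


def guess_probability(charset: int, length: int,
                      guesses_per_second: float, lifetime_days: float) -> float:
    """Chance that an attacker guessing at a steady rate for the whole lifetime
    hits a uniformly chosen password; a shorter lifetime is what bounds this."""
    guesses = guesses_per_second * lifetime_days * 86400
    return min(1.0, guesses / charset ** length)


def max_lifetime_days(charset: int, length: int,
                      guesses_per_second: float, p_max: float) -> float:
    """Longest lifetime that keeps guess_probability at or below p_max."""
    return p_max * charset ** length / (guesses_per_second * 86400)


def compare_policies(length: int, guesses_per_second: float,
                     lifetime_days: float) -> dict:
    """Contrast letters-only (26) and alphanumeric (62) passwords of one length."""
    return {name: {"bits": round(keyspace_bits(cs, length), 1),
                   "p_guessed": guess_probability(cs, length,
                                                  guesses_per_second, lifetime_days)}
            for name, cs in (("letters-only", 26), ("alphanumeric", 62))}


if __name__ == "__main__":
    # Constructed assumptions: 1000 online guesses per second, 90-day lifetime.
    for name, row in compare_policies(8, 1000, 90).items():
        print(f"{name:13s} {row['bits']:5.1f} bits  P(guessed in lifetime) = {row['p_guessed']:.2e}")
    print(f"letters-only, 8 chars, P<=1%: change at most every "
          f"{max_lifetime_days(26, 8, 1000, 0.01):.1f} days")
```

Run as a script, it shows that moving from letters-only to alphanumeric at the same length cuts the in-lifetime guessing probability by about three orders of magnitude, while keeping the letters-only policy within the same risk would require a lifetime of only a few weeks.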

There is evidence that many password users do not comply with these suggested rules. DeAlvare[7] found that once a password is chosen, a user is unlikely to change it until it has been shown to be compromised. Users were also found to construct passwords that contained as few characters as possible.[8] These observations cannot be disputed, but the conclusion that this behavior occurs because users are inherently careless, and therefore insecure, needs to be challenged.

[7] A. M. DeAlvare, "A Framework for Password Selection," Proceedings of Unix Security Workshop II (Portland, Aug. 29-30, 1998).

[8] A. M. DeAlvare, "How Crackers Crack Passwords or What Passwords to Avoid," Proceedings of Unix Security Workshop II (Portland, 1990).



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
