Why Users Compromise Security Mechanisms and How to Take Remedial Measures, by Anne Adams and M. Angela Sasse

Confidentiality is an important aspect of computer security. It depends on authentication mechanisms, such as passwords, to safeguard access to information. Traditionally, authentication procedures are divided into two stages:[1], [2]
It is the latter stage that requires a secret password. To date, research on password security has focused on designing technical mechanisms to protect access to systems; the usability of these mechanisms has rarely been investigated. Hitchings[3] and Davis and Price[4] argue that this narrow perspective has produced security mechanisms that are, in practice, less effective than they are generally assumed to be. Because security mechanisms are designed, implemented, applied, and breached by people, human factors should be considered in their design. It seems that, currently, hackers pay more attention to the human link in the security chain than security designers do, for example, by using social engineering techniques to obtain passwords.
The key element in password security is the crackability of a password combination. Davies and Ganesan[5] argue that an adversary's ability to crack passwords is greater than usually believed. System-generated passwords are essentially the optimal security approach; however, user-generated passwords are potentially more memorable and thus are less likely to be disclosed (because users do not have to write them down). The U.S. Federal Information Processing Standards[6] (FIPS) suggest several criteria for assuring different levels of password security. Password composition, for example, relates the size of the character set from which a password has been chosen to its level of security. An alphanumeric password is therefore more secure than one composed of letters alone. A short password lifetime (changing passwords frequently) is suggested as reducing the risk associated with undetected compromised passwords. Finally, password ownership, in particular individual ownership, is recommended to:
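The composition and lifetime criteria above can be made concrete with a small policy check. The following is an added example written for this page, not code from the paper or from FIPS; it assumes four character classes (lowercase, uppercase, digits, ASCII punctuation), a 90-day maximum lifetime and an 8-character minimum length, and it measures only the size of the exhaustive-search space implied by a password's composition, not the guessability of a password drawn from a dictionary.

```python
import math
import string
from datetime import date, timedelta

# Character classes assumed for the composition criterion. The search
# space an exhaustive attacker faces grows with the size of the union of
# classes the password actually draws from, raised to the password length.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "symbols": set(string.punctuation),         # 32
}

MIN_LENGTH = 8          # assumed policy value
MAX_AGE_DAYS = 90       # assumed "short lifetime" policy value


def classes_used(password: str) -> set:
    """Names of the character classes the password draws from."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def character_set_size(password: str) -> int:
    """Size of the union of the classes the password uses.

    Characters outside every known class (for example non-ASCII letters)
    each add one to the set size; this is a simplifying assumption.
    """
    used = classes_used(password)
    size = sum(len(CHARACTER_CLASSES[name]) for name in used)
    known = set().union(*CHARACTER_CLASSES.values())
    size += len({c for c in password if c not in known})
    return size


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search over this
    composition and length must cover: length * log2(character set size)."""
    n = character_set_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Lifetime criterion: True once the password is older than the limit."""
    return (today - last_changed) > timedelta(days=max_age_days)


def evaluate_policy(password: str, last_changed: date, today: date) -> dict:
    """Apply the composition, length and lifetime criteria and report findings."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    if classes_used(password) <= {"lowercase", "uppercase"}:
        findings.append("letters only")
    if password_expired(last_changed, today):
        findings.append("expired")
    return {
        "search_space_bits": round(search_space_bits(password), 2),
        "findings": findings,
        "compliant": not findings,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not data from the paper.
    today = date(2024, 6, 1)
    for pw, changed in [("abcdefgh", date(2023, 1, 1)),
                        ("abcd1234", date(2024, 4, 1)),
                        ("Ab3$", date(2024, 5, 20))]:
        print(pw, evaluate_policy(pw, changed, today))
```

The search-space figure is the "composition" criterion in number form: eight lowercase letters give about 37.6 bits, eight alphanumerics about 41.4, so the alphanumeric password is the stronger of the two against exhaustive search, which is the comparison the text draws. The score says nothing about whether a user chose a word an attacker would try early, which is why the paper treats composition as only one of several criteria.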
There is evidence that many password users do not comply with these suggested rules. DeAlvare[7] found that once a password is chosen, a user is unlikely to change it until it has been shown to be compromised. Users were also found to construct passwords that contained as few characters as possible.[8] These observations cannot be disputed, but the conclusion that this behavior occurs because users are inherently careless (and therefore insecure) needs to be challenged.