Section 7.6. Discussion



Our study confirms a number of widely held folk beliefs about passwords, and debunks some others:

  • Users have difficulty remembering random passwords. This belief is confirmed, both in users' subjective reports and in their actions; the latter has worrying parallels to common practice in the issuing of bank PINs.

  • Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are. This belief is confirmed.

  • Random passwords are better than those based on mnemonic phrases. However, each type appeared to be just as strong as the other. So this belief is debunked.

    NOTE

    Theoretically, random passwords should provide the maximum security. This result highlights the importance of studying systems as they are used in practice.

  • Passwords based on mnemonic phrases are harder to remember than naively selected passwords are. However, each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords. So this belief is debunked.

  • By educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a noncompliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms, there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a system administrator can expect to get. So this belief appears to be debunked.

    NOTE

    There was a significant noncompliance rate for all groups, regardless of password policy. This suggests the following:

    • It counters the established wisdom that educating users to construct stronger passwords will result in a significant security gain.

    • In applications where one user can be harmed by another user's negligence, compliance monitoring and enforcement may be just as important as education.

    Previous work suggests that the noncompliance rate could be even higher when users are required to remember multiple passwords, which usually increases the user's cognitive overhead and decreases memorability.[79] However, the issue of multiple passwords is beyond the scope of our experimental study.

    [79] Adams and Sasse.

Our empirical study on password security and memorability is merely a first step toward a better understanding of the applied psychology aspects of computer security. Many questions remain to be answered, and we plan to continue our experiments with future cohorts of students.

In the meantime, our tentative recommendations for system administrators are as follows:

  • Users should be instructed to choose mnemonic-based passwords. These are just as memorable as naively selected passwords, while being just as hard to guess as randomly chosen ones. So, they give the best of both other options.

  • Size matters. With systems like Unix, which limit effective password lengths to eight characters, users should be told to choose passwords of exactly eight characters. With systems such as Netware, which allows 14 characters but is not case sensitive, one might encourage users to choose passwords of 10 or more characters in length; perhaps this will further encourage the use of mnemonics. (This is a topic for our future work, as is enforcement generally.)

  • Entropy per character also matters. Users should be told to choose passwords that contain numbers and special characters as well as letters. If such a lead isn't given, then most of them will choose passwords from a very small subset of the total password space.

    PASSWORD SECURITY


    Facts and Recommendations

    • Users have difficulty remembering random passwords.

    • Instruct users to choose mnemonic-based passwords, as these are as memorable as naively selected passwords while being as hard to guess as randomly chosen ones.

    • In applications where one user can be harmed by another user's negligence, screen users' password choices and reject weak ones.

    • When devising your advice to users and writing your password-screening code, pay attention to password length but also to entropy per character.


    Lessons Learned

    • Theoretical analysis does not guarantee the security of systems. It is often necessary to study systems as they are used in practice.

    • What engineers expect to work and what users actually make to work are two different things. Rigorous experimental testing of interface usability is one of the necessary ingredients for robust secure systems.


  • Compliance is the most critical issue. In systems where users can put only themselves at risk, it may be prudent to leave them to their own devices. In that case, it must be expected that about 10% will choose weak passwords despite the instruction given. In systems where one user's negligence can impact other users as well (for example, in systems where an intruder who gets a single user account can rapidly become root, that is, illicitly get a system administrator's privileges, using well-known and widely available techniques), consideration should be given to enforcing password quality by system mechanisms.

  • Central assignment may matter. If there is a benefit to be had from the use of centrally assigned random passwords, it appears to come from the fact of central assignment (which enforces compliance) rather than randomness (which can be achieved just with mnemonic phrases).

An interesting and important challenge is to find compliance enforcement mechanisms that work well with mnemonic password choice. We expect that proactive password checkers,[20] which verify that a password is not part of a known weak subset of the password space, may be an effective tool. But as our empirical study has shown, what engineers expect to work and what users actually make to work are two different things. In our view, rigorous experimental testing of interface usability is one of the necessary ingredients for robust secure systems.

[20] J. Yan, "A Note on Proactive Password Checking," Proceedings of the 2001 ACM New Security Paradigms Workshop (New Mexico, Sept. 2001), ACM Press.
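As an added example (not code from the chapter or from the cited paper), the following Python sketch of a proactive password checker applies the recommendations above: it rejects known-weak dictionary words with trivial decoration, counts entropy per character, and, because a classic Unix system only uses the first eight characters, computes that entropy over the effective prefix only. The weak-word list, the 40-bit floor and the three-class minimum are constructed assumptions, not values from the study.

```python
import math
import string

# Constructed stand-in for a proactive checker's wordlist (assumption: a real
# deployment loads a large dictionary and leaked-password lists instead).
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def entropy_bits(pw: str, effective_len: int = 8) -> float:
    """Upper bound on the search space in bits: effective length times log2 of
    the alphabet. Only the first effective_len characters count, because a
    system with an 8-character limit (classic Unix crypt) ignores the rest."""
    used = pw[:effective_len]
    size = charset_size(used)
    return len(used) * math.log2(size) if size else 0.0


def check_password(pw: str, min_len: int = 8, effective_len: int = 8,
                   min_bits: float = 40.0, min_classes: int = 3):
    """Proactive check: reject a candidate that falls in a known weak subset of
    the password space before it is accepted. Returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, "shorter than %d characters" % min_len
    # Naive choice: a dictionary word with digits or symbols bolted on the ends.
    core = pw.strip(string.digits + string.punctuation).lower()
    if core in WEAK_WORDS:
        return False, "dictionary word with trivial decoration"
    if entropy_bits(pw, effective_len) < min_bits:
        return False, "low entropy in the first %d characters" % effective_len
    used = pw[:effective_len]
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit,
                                 lambda c: c in string.punctuation)
                  if any(test(c) for c in used))
    if classes < min_classes:
        return False, "fewer than %d character classes in the first %d" % (
            min_classes, effective_len)
    return True, "ok"
```

A mnemonic such as "I's12&Iah" ("It's 12 noon and I am hungry") passes every test, while "abcdefghIJ1!" fails because the mixed-case and symbol characters sit beyond the eighth position and never reach the hash.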

Moreover, because the subject samples used in our experiment (all young undergraduates) were likely to be biased by age, gender, and race, it would be very interesting to look into how widespread the behaviors characteristic of our experimental groups might be in a broader environment.



Security and Usability. Designing Secure Systems that People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
