Users Are Not The Enemy A Adams and
- Slides: 24
Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan Mc. Cune Security Reading Group February 6, 2004
Introduction • Users have too many passwords • Misunderstand different security properties • How many different logins do you use every day? • Here a few screenshots from sites I use almost every day… 2
Web. ISO 3
Root Passwords 4
Group Website Passwords 5
Student Services 6
Yahoo Mail 7
Developer Support 8
Club Activities 9
Preliminaries • Identified problems: – Insecure work practices – Low security motivation • • This paper identifies the cause Focus on passwords for authentication Analyze rationale behind security policy Results from: – Interviews with Users and Administrators – Web questionnaire • Finish with recommendations 10
The Problem • “Users … perceive many security mechanisms as laborious and unnecessary – an overhead that gets in the way of their real work. ” • “… security departments typecast users as ‘inherently insecure’: at best, they are a security risk that needs to be controlled, at worst, they are the enemy within. ” 11
The Problem • Sys. Admins perceive users as ignorant regarding security • Users often do not understand rationale behind password security – Mechanisms annoying or unnecessary – Who would guess my wife’s maiden name? • Sys. Admins think users do understand security and that they intentionally disregard it • Result: Reduced effectiveness of security mechanisms in practice, or even hostility! 12
Users Lack Security Knowledge • Need-to-know principle has negative impact on security • Users do not understand rationale behind security policy • Example: – Private data viewed as sensitive – Commercially sensitive information (customer databases, financial data, …) thought to be less sensitive • Policymakers must educate users! 13
Users & Security Policy • Users left out of policymaking process • Construct their own models of security threats – often wildly inaccurate • Positive feedback on printed document techniques: – Confidential – Not for circulation • Users will comply with a straightforward policy that they understand 14
Too Many Passwords • Users often complain about having too many passwords, therefore – They write them down – They use the same password for multiple systems (Yahoo email, corporate email, online banking) – They use related passwords (name 1, name 2, …) • A break on one is a break on many • Exacerbated by password expiration – Password lifetimes must be chosen carefully 15
Too Many Passwords • Recall last week’s presentation… • It may be easier for an attacker to spoof the Yahoo mail website than a bank’s • Even if passwords are distinct, users can become confused and enter the “other” password • I do this a lot – When I forget a password, I tend to try passwords that I use on other sites 16
Password Ownership • Associates the password used to access a system with the actions performed • Audit trail yields increased accountability for users and their actions – Reduces likelihood that users leave their passwords accessible to other employees • Enhances the sense of team for groups • Reduce illicit usage • General increase in security awareness 17
User Password Education • Inadequate knowledge of password procedures, content, and cracking • Concepts of a secure password – Resistant to dictionary attacks – Keep it a secret – don’t tell others – Don’t write it down • Stop misconception: “What are the chances of a complete stranger guessing ****? ” • Perceived low risk to cracking because their role in the organization is not important • Treated user IDs like passwords 18
Sloppiness Spreads • More to passwords than just choosing good ones • Users forced to use too many passwords or hard-to-remember passwords behave insecurely, i. e. , write down passwords • Lowers users’ regard for security arrangements and policies • Leads to increased password disclosure 19
Unworkable User Behavior • • Poor security mechanisms create overhead Makes it hard for users to do their job Many users try to circumvent security Cognitive overheads introduced by security mechanisms reduce users’ motivation • Policies based on FIPS are not influenced by communication with users – bad 20
Policy Improvements Summary • Policymakers must understand users’ knowledge and skill level – User education, publicize policy • • • 21 Consider single-sign on Password ownership User-centric approach to security Need-to-know is not always a good idea Accept that users can be motivated to behave in a secure manner
Password Recommendations • Constructing secure passwords requires: – Training to combine secure with memorable – Interactive password selection process • No more than 4 or 5 passwords • Users must perceive need for security – If organization doesn’t take it seriously, users won’t either • Password mechanisms must not get in the way of worker productivity 22
Conclusion • “System security is one of the last areas in IT in which user-centered design and user training are not regarded as essential – this has to change. ” 23
Questions? • Thanks for your attention 24
Users are not the enemy
Nnnn enemy
Mikael ferm
Define john quincy adams
We're not ignorant of his devices
Not genuine, not true, not valid
The devil only comes to steal kill and destroy
An opponent or enemy
Map overlay usmc
Paul bacon waseda
Soldiers before and after war
Army unit symbols
Card stacking advertisement
Pinpointing the enemy propaganda
Expected armored cavalry troop symbol
Classroom management toolkit
Pablik enemi
6 section battle drills army
Enemy of luke skywalker
Animal farm propaganda poster
Holmes' arch enemy is _____.
My enemy y y y
The greatest happiness is to scatter your enemy
Sex is god's greatest enemy
Enemy of the state strain
