Google and UMD Cybersecurity Seminar

Thursday, February 27, 2014
4:00 p.m.-5:00 p.m.

Carolyn Flowers
301 405 0794
cflowers@umd.edu

The Continuing Quest for Secure and Usable Passwords
 
Abstract

To combat both the inherent and user-induced weaknesses of text-based passwords, administrators and organizations typically institute a series of rules – a password policy – to which users must adhere when choosing a password. While a properly-written password policy might provide an organization with increased security, it is unclear just what such a well-written policy would be, or even how to determine whether a given policy is effective. Although it is easy to calculate the theoretical password space that corresponds to a particular password policy, it is difficult to determine the practical password space. Users may, for example, react to a policy rule requiring them to include numbers in passwords by overwhelmingly picking the same number, or by always using the number in the same location in their passwords. In addition, some password policies, while resulting in stronger passwords, may make those passwords difficult to remember or type. This may cause users to forget their passwords or to engage in a variety of behaviors that might compromise the security of passwords. We seek to advance understanding of the factors that make following password policies difficult, collect empirical data on password strength and memorability under various password policies, and propose password policy guidelines to simultaneously maximize security and usability of passwords. To that end, our research group has conducted a series of online studies in which we asked tens of thousands of people to create passwords that comply with specific password policies. We developed an efficient method for calculating how effectively several password-guessing algorithms guess passwords and used it to analyze leaked password sets, passwords created for our studies, and the single-sign-on passwords used by over 25,000 faculty, staff, and students at our university.  
We investigated a variety of password policies, including those with requirements on length and character classes, as well as exclusion of blacklisted words. We also investigated system-assigned passphrases and the impact of various password meter designs on password security and usability. In this talk I will describe our password research study methodology and highlight some of our most interesting findings. This is joint work with Lujo Bauer, Nicolas Christin, Patrick Kelley, Saranga Komanduri, Sean Segreti, Rich Shay, Blase Ur, Tim Vidas, and others. Our password research papers are available at http://cups.cs.cmu.edu/passwords.html
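As an added illustration (not from the talk or the CMU studies), the following Python sketch contrasts the theoretical space of a hypothetical "eight characters, at least one digit" policy with the much smaller space users actually explore when they append a single digit to a word, and measures that clustering over a constructed sample; the policy, the sample passwords and all function names are assumptions.

```python
import math
import string
from collections import Counter

# Constructed sample (not real data, not from any study); chosen to show the
# "same digit, same place" behaviour the abstract describes.
SAMPLE = [
    "password1", "welcome1", "baseball1", "sunshine1", "monkey123",
    "dragon2014", "letmein1", "1summer", "abc12def", "shadow7",
    "qwerty99", "Tr0ub4dor",
]

def compliant(pw, min_len=8):
    """Hypothetical policy: at least min_len characters and at least one digit."""
    return len(pw) >= min_len and any(c.isdigit() for c in pw)

def theoretical_space(min_len, alphabet=95, digits=10):
    """Exactly-min_len strings over `alphabet` printable characters that
    contain at least one of the `digits` required characters."""
    return alphabet ** min_len - (alphabet - digits) ** min_len

def appended_digit_space(min_len):
    """Behavioural estimate: a lowercase word of min_len-1 letters plus one
    appended digit, i.e. the space explored if everyone satisfies the rule
    the same way."""
    return 26 ** (min_len - 1) * 10

def bits(n):
    """Size of a space expressed in bits."""
    return math.log2(n)

def digit_profile(passwords, min_len=8):
    """How compliant passwords satisfy the digit rule: how many confine
    digits to a trailing run, and which digit dominates overall."""
    pws = [p for p in passwords if compliant(p, min_len)]
    trailing = 0
    for p in pws:
        head = p.rstrip(string.digits)
        if head != p and not any(c.isdigit() for c in head):
            trailing += 1
    digit_counts = Counter(c for p in pws for c in p if c.isdigit())
    if not digit_counts:
        return {"compliant": 0, "trailing_digits_only": 0,
                "top_digit": None, "top_digit_share": 0.0}
    top_digit, top_count = digit_counts.most_common(1)[0]
    return {"compliant": len(pws), "trailing_digits_only": trailing,
            "top_digit": top_digit,
            "top_digit_share": top_count / sum(digit_counts.values())}

if __name__ == "__main__":
    print(f"policy space: {bits(theoretical_space(8)):.1f} bits; "
          f"word + one digit: {bits(appended_digit_space(8)):.1f} bits")
    print(digit_profile(SAMPLE))
```

The gap between the two bit counts is the difference between theoretical and practical password space that the abstract calls hard to determine; the profile is the kind of measurement that exposes it.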


Bio

Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University.

Audience: Public 
