„The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups
1. „The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups
Kaido Kikkas (Estonian IT College & Tallinn University), Birgy Lorenz (Tallinn University), Aare Klooster (Tallinn University)
© Kaido Kikkas 2013. This document is distributed under the Creative Commons Attribution-ShareAlike 3.0 Estonia license.
2. This thing's got a beard
● The first widespread notion about password security (or lack thereof) – "The Stockings Were Hung by the Chimney with Care" by Bob Metcalfe from 1973 (RFC 602)
● An even earlier case described by Richard M. Stallman from the MIT AI Lab in the 60s
● The quote with four common passwords comes from the movie Hackers from 1990 (yes, the one with geeky Angelina Jolie)
3. The Infamous Dumbuser (a.k.a. Ordinary Joe/Jane)
● A typical scenario:
– Jane/Joe has to choose a password, picks something easy and obvious
– Bad Guys guess it, resulting in SHTF
– Jane/Joe gets a good thrashing from a local BOFH, followed by a long and grumpy lecture about password security
– Jane/Joe gets a secure password – alas, it is impossible to remember and needs to be written down (in some obvious place)
– Bad Guys intercept it, with even more SHTF
5. Mitnick says
● Security =
– Policies
– People
– Processes
– Technology
● In password security, technology is often the least important
6. The study
● Stage I: password usage in Estonian schools among different user groups
– Students (high school, vocational school, university)
– Teachers/trainers
– ICT specialists at schools
– A large comparison group of 'average users' (convenience sample based on personal contacts)
7. ...
● Stage II – e-safety training with different groups, based on the Stage I results
– Password models
– Strength testing
– Safe storage options
– General tips on e-safety
● This stage is still ongoing
8. Some results
● Stage I revealed an overall lack of security awareness – especially among 'those who should know better'
● The behavioral patterns in different user groups were more similar than predicted
9. Examples
● Most respondents use only 4 or fewer different passwords (incl. 54% of the ICT specialists)
● More than half of the respondents use short passwords of 9 or fewer characters
● The only remarkable redeeming quality among ICT specialists was including special characters in passwords
● Teachers actually ranked below students
10. ...
● Apparent lack of creativity – both in password and 'secret question' choices
● Password sharing among friends/family is widespread
● Overall awareness of computer security varies, with some worrisome findings (e.g. 26% of the ICT specialists did not update their systems)
11. A parable of two tools...
● Cugnot's fardier à vapeur, 1771 – speed 2.25 mph
● Bugatti Veyron, 2010 – speed 250 mph
Note: the pictures on this and the next slide come from Wikimedia Commons
12. … and SHTFs
● 1771
● 2010
● What did break and what did survive?
13. e-stonia
● Among the top countries in Internet freedom
● E-banking (used by ~70% of the population)
● E-declaration of income (~70%)
● E-voting (Riigikogu 2011 – 24.3%)
● National ID-card infrastructure with a large and growing online application base
...
● BUGATTI VEYRON....??
14. Main things to do
● Quoting Mitnick: technology is the least important part
– Promote the least bad choice for passwords – long passphrases that
● are in the native language (if other than English; this also applies to usernames)
● make sense as words, not as a phrase (e.g. “TheViolinDoesNotComputeMacaroni”)
● contain some 1337 and punctuation
– Train good password storage practices
– Password security is just a part of the whole
● Lack of knowledge is curable, stupidity is not
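The passphrase model above can be turned into a simple checker for training sessions. This is an added example, not code from the authors or the study; the thresholds (10+ characters, since over half of the respondents stayed at 9 or fewer; 4+ words), the assumed 50 000-entry attacker word list and the 1337 substitution table are all constructed assumptions. The strength figure is the weaker of two attacker models: character-by-character brute force, and guessing whole words from a per-language list, which is where "words, not a phrase" and a non-English vocabulary pay off.

```python
import math
import re
import string

# Thresholds motivated by the slides (assumed values, not from the study itself).
MIN_LENGTH = 10          # study: more than half used 9 or fewer characters
MIN_WORDS = 4            # "long passphrases" made of several real words
ASSUMED_WORDLIST_SIZE = 50_000   # hypothetical per-language attacker word list
# Common 1337 substitutions mapped back to letters, so "Makar0ne" is one word.
LEET_CHARS = "0134578@$!"
LEET_MAP = str.maketrans(LEET_CHARS, "oleastbasi")

def split_words(pw: str) -> list[str]:
    """Split a passphrase into word-like chunks: CamelCase boundaries,
    spaces, punctuation and any remaining digits act as separators."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", pw.translate(LEET_MAP))
    return [w for w in re.split(r"[^A-Za-z]+", spaced) if w]

def bits_char_bruteforce(pw: str) -> float:
    """Keyspace in bits if the attacker brute-forces character by character."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0

def bits_word_guessing(pw: str) -> float:
    """Keyspace in bits if the attacker guesses whole words from a word list;
    each digit or punctuation mark is treated as one extra ~10-way choice."""
    extras = sum(1 for c in pw if c.isdigit() or c in string.punctuation)
    return len(split_words(pw)) * math.log2(ASSUMED_WORDLIST_SIZE) + extras * math.log2(10)

def assess(pw: str) -> dict:
    """Score a candidate against the passphrase model; 'bits' is the
    conservative estimate (the weaker of the two attacker models)."""
    words = split_words(pw)
    return {
        "length_ok": len(pw) >= MIN_LENGTH,
        "words": len(words),
        "words_ok": len(words) >= MIN_WORDS,
        "has_punct": any(c in string.punctuation for c in pw),
        "has_leet": any(c in LEET_CHARS for c in pw),
        "bits": round(min(bits_char_bruteforce(pw), bits_word_guessing(pw)), 1),
    }

if __name__ == "__main__":
    # Constructed candidates: a movie favourite, the slide's example, an Estonian variant.
    for candidate in ("love", "TheViolinDoesNotComputeMacaroni", "Viiul-EiArvuta-Makar0ne!"):
        print(f"{candidate!r}: {assess(candidate)}")
```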
15. No fool like an old fool
● Start young!
● Caution – the concept of secrecy can be hard to grasp for young children (and can contradict some other principles)
● Curiosity can be dangerous but is vital – especially when dealing with adolescents
● Overconfidence kills – “experienced users” are notably hard to (re)train, but “putting the nose into it” can help
17. Thank you
These slides @ Slideshare (CC BY-SA): http://slideshare.net/UncleOwl
The (upcoming) Digital Safety Lab @ Tallinn University: http://www.tlu.ee/dsl
Contact: {first.last}@tlu.ee
The research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa (governed by the Archimedes Foundation) and by the Estonian Information Technology Foundation.