„The four most-used passwords
are love, sex, secret, and God“:
password security and training
in different user groups
Kaido Kikkas (Estonian IT College & Tallinn University)
Birgy Lorenz (Tallinn University)
Aare Klooster (Tallinn University)
© Kaido Kikkas 2013. This document is distributed under the Creative Commons
Attribution-ShareAlike 3.0 Estonia license.
This thing's got a beard
● The first widespread notion about password
security (or lack thereof) – The Stockings
Were Hung by the Chimney with Care by
Bob Metcalfe from 1973 (RFC602)
● An even earlier case described by Richard
M. Stallman from the MIT AI Lab in the 60s
● The quote with four common passwords
comes from the movie Hackers from 1990
(yes, the one with geeky Angelina Jolie)
The Infamous Dumbuser
(a.k.a. Ordinary Joe/Jane)
● A typical scenario:
– Jane/Joe has to choose a password, picks
something easy and obvious
– Bad Guys guess it, resulting in SHTF
– Jane/Joe gets a good thrashing from a
local BOFH, followed by a long and grumpy
lecture about password security
– Jane/Joe gets a secure password – alas, it
is impossible to remember and needs to be
written down (in some obvious place)
– Bad Guys intercept it with even more SHTF
The obligatory piece of
geekiness
http://imgs.xkcd.com/comics/authorization.png
Mitnick says
● Security =
– Policies
– People
– Processes
– Technology
● In password security, technology is often
the least important
The study
● Stage I: password usage in Estonian
schools among different user groups
– Students (high school, vocational school,
university)
– Teachers/trainers
– ICT specialists at schools
– A large comparison group of 'average
users' (convenience sample based on
personal contacts)
...
● Stage II – e-safety training with different
groups, based on the Stage I results
– Password models
– Strength testing
– Safe storage options
– General tips on e-safety
● This stage is still ongoing
Some results
● Stage I revealed the overall lack of
security awareness – and especially
among 'those who should know better'
● The behavioral patterns in different user
groups were more similar than predicted
Examples
● Most respondents only use 4 or fewer
different passwords (incl. 54% of the ICT
specialists)
● More than half of the respondents use
short passwords with 9 or fewer characters
● The only remarkable redeeming quality
among ICT specialists was including
special characters in passwords
● Teachers actually ranked below students
...
● Apparent lack of creativity – both in
password and 'secret question' choices
● Password sharing among friends/family is
widespread
● Overall awareness of computer security
varies with some worrisome findings (e.g.
26% of the ICT specialists did not update
their systems)
A parable of two tools...
● Cugnot's fardier à
vapeur, 1771
● Speed 2.25 mph
● Bugatti Veyron,
2010
● Speed 250 mph
Note: the pictures on this and next slide come from Wikimedia Commons
… and SHTFs
● 1771 ● 2010
● What did break and what did survive?
e-stonia
● Among top countries in Internet freedom
● E-banking (used by ~70% of the population)
● E-declaration of income (~70%)
● E-voting (Riigikogu 2011 – 24.3%)
● National ID-card infrastructure with large
and growing online application base
...
● BUGATTI VEYRON....??
Main things to do
● To quote Mitnick: technology is the least important part
– Promote the least bad choice for passwords
– long passphrases that
● are in native language (if other than English;
also applies to usernames)
● make sense as words, not as a phrase (e.g.
“TheViolinDoesNotComputeMacaroni”)
● contain some 1337 and punctuation
– Train good password storage practices
– Password security is just a part of the whole
● Lack of knowledge is curable, stupidity is not
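The passphrase model from this slide, sketched in Python as an added example (not part of the original slides); the word list, leet table and function names are constructed for illustration. It picks unrelated words with the OS CSPRNG, adds one leet swap and one punctuation mark, and estimates how many random words match the keyspace of a 9-character random password.

```python
import math
import secrets

# Constructed sample list (assumption); a real one would hold thousands of
# native-language words, because list size drives the strength.
SAMPLE_WORDS = [
    "violin", "compute", "macaroni", "chimney", "stocking", "beard",
    "parable", "teacher", "student", "harbour", "lantern", "pebble",
    "thunder", "walnut", "glacier", "orchard",
]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
PUNCTUATION = "!?.,;:-_"


def leetify(word, rng):
    """Swap one randomly chosen letter for its 1337 digit, if the word has one."""
    spots = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    if not spots:
        return word
    i = rng.choice(spots)
    return word[:i] + LEET[word[i].lower()] + word[i + 1:]


def make_passphrase(words=SAMPLE_WORDS, n_words=5, rng=None):
    """Random unrelated words, CamelCased, one leet swap, one punctuation mark."""
    if n_words < 2 or len(set(words)) < 2:
        raise ValueError("need n_words >= 2 and at least two distinct words")
    rng = rng or secrets.SystemRandom()  # OS CSPRNG, not a seeded PRNG
    chosen = [rng.choice(words).capitalize() for _ in range(n_words)]
    k = rng.randrange(n_words)
    chosen[k] = leetify(chosen[k], rng)
    cut = rng.randrange(1, n_words)  # punctuation goes between two words
    return "".join(chosen[:cut]) + rng.choice(PUNCTUATION) + "".join(chosen[cut:])


def passphrase_bits(list_size, n_words):
    """Lower bound on entropy: counts only the uniform word choices."""
    return n_words * math.log2(list_size)


def random_password_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password over printable ASCII (no space)."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(make_passphrase())
    target = random_password_bits(9)  # best case for a 9-character password
    for size in (len(SAMPLE_WORDS), 7776):
        print(size, "words in list ->", words_needed(size, target), "words needed")
```

With a 7776-word list, 5 random words cover the keyspace of 9 random printable characters, while the 16-word sample list needs 15. The strength comes from the list size and the random selection; the leet swap and punctuation add little.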
No fool like an old fool
● Start young!
● Caution – the concept of secrecy can be
hard to grasp for young children (and can
contradict some other principles)
● Curiosity can be dangerous but is vital –
especially when dealing with adolescents
● Overconfidence kills - “experienced users”
are notably hard to (re)train – but “putting
the nose into it” can help
Instead of conclusion
http://imgs.xkcd.com/comics/security.png
Thank you
These slides @ Slideshare
(CC BY-SA):
http://slideshare.net/UncleOwl
The (upcoming) Digital Safety
Lab @ Tallinn University:
http://www.tlu.ee/dsl
Contact: {first.last}@tlu.ee
The research was supported by the European Social Fund’s Doctoral Studies and
Internationalisation Programme DoRa (governed by the Archimedes Foundation) and
by the Estonian Information Technology Foundation
http://www.spreadshirt.net
