Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security:

Published byRafe Newman Modified over 9 years ago

Similar presentations

Presentation on theme: "Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security:"— Presentation transcript:

1 Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security: A Password Policy Taxonomy

2 Comprehensive National Cyber-Security Initiative: Research and Development

3 Usability Research Goal: To enable policy makers to make better decisions

4 View of solution space of the security and usability equation Each point (solution) has a security level and a usability level Policy constrains solution space X Trivial usability solution x Trivial security solution x x x Ideally policy will permit the best solution X Optimum acceptable usability/security solution

5 Password Policy Quiz What are the minimum length and maximum lifetime? Are special characters required? Which special characters are allowed? Is white-space allowed? Are you allowed to write it down? Workplace password policies involve much more than length and lifetime.

6 Password policies cause confusion Users rarely understand them Users are governed by multiple policies at work, through financial institutions, and for other online activities. The number of policies, ambiguities in them, and discrepancies among them are a cognitive burden. So… Users are forced to choose weak passwords or write them down. Policy violations become routine Password policy security goals are not met 6

7 What constitutes a special character anyway? Is the following a legal password: password2%(letters, number, and specials) ? password%(letters and specials) ? Password%(upper-case and lower-case letters and specials) ? |*@$$^^()%&(all specials) ? Policy from a Federal Agency: Passwords contain a combination of letters, numbers, and at least one special character Can you follow this policy?

8 Password specifications as Policies Policies regulate behavior (or they try to). For instance: Users must not store passwords in writing anywhere. Users must create passwords with a character in the set of numbers. Users must not create passwords in the set of dictionary words. But they are not written in clear and unambiguous language. 8

9 Policies vary dramatically both in length and language

10 Develop a effective approach for studying password policies. Specifically, develop a password policy language that enables us to (1) evaluate and compare policies, and (2) assess how policy rules affect user behavior and security. Approach: – Develop a taxonomy of policy rules – Collect a corpus of representative policies – Analyze the corpus using its taxonomic structure 10 Goal

11 Develop a Taxonomy Reduce policies to an unambiguous language: Users must change passwords before 90 days. Users must change passwords immediately if compromised. Users must change passwords immediately if directed by management. Users must change passwords immediately if found non- compliant. Users must change passwords immediately if shared. Users must create passwords with a character in the set of numbers, special characters (unspecified). Users must create passwords with length greater than or equal to 8 characters. Users must not create passwords in the set of passwords to an outside system. Users must not create passwords in the set of strings with a character repeated 5 or more times. Users must not create passwords in the set of their last 2 years of passwords. Users must not create passwords in the set of their last 8 passwords. … Benefits of a formal (EBNF) grammar: Specific statements can be pinpointed for discussion. What is allowed, forbidden, and ambiguous is explicit. Language differences no longer prevent comparisons. (Clarity first)

12 Benefits of a formal (EBNF) grammar: What is allowed, forbidden, and ambiguous is explicit. Specific statements can be pinpointed for discussion. Language differences no longer prevent comparisons. (Clarity first) 12

13 Corporate and government policies of primary interest (22) Password-protected general websites policies included (19) 13 Apply Taxonomy to a Corpus

14 How many different rules? 41 policies 155 unique rules 449 total rules

15 A visual representation of the corpus

16

17 Policy exploration and visualization

18 Depiction of a password policy NIST

19 Comparing two policies NISTCensus Users must create passwords with length greater than or equal to 8 characters.

20 NISTCensus Users should not communicate passwords by local-area network without encryption. Comparing two policies

21 General statistics: Are any two policies the same? What rules appear frequently? How often are policies ambiguous or contradictory? Broader questions: Which rules constitute best practices? Which rules require user cooperation? What rules affect usability? What rules affect security? How? 21 A tool for password policy analysis

22 Some preliminary results Are any two policies the same? No (they are like snowflakes). NIST (28) and the Census Bureau (22) share 14. DoC (28) shares 12 with NIST and 8 with Census.

23 What rules appear frequently? Users must create passwords with length greater than or equal to 8 characters. (23) Users must not communicate passwords to anyone. (15) Users must change passwords immediately if compromised. (10) Users must not create passwords with a substring in the set of dictionary words. (10) 73 rules appear only once. Some preliminary results

24 How often are policies ambiguous or contradictory? Rules were flagged as ambiguous if they… Concerned special characters without defining them, Concerned “letters” without specifying case, Concerned vague prohibitions on “patterns” 34/41 policies (83%) contain an ambiguous rule. Some preliminary results

25 A typical policy imposes 8—10 rules on a user. Each policy introduces an average of 1—2 unique rules. Nearly every policy had ill-formed requirements. Users with multiple passwords will not be able to keep all the requirements straight. 25 Basic findings

26 Next Steps 26 Attach security rationales to rules and regions. Attach usability concerns and experimental results. Translate policies to find disagreement or misinterpretation. Explore current practices and establish best practices. Put policies into plain language. Thank you!

Download ppt "Kevin Killourhy Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security:"

Similar presentations

A Reliable and Secure Network TM105: ESTABLISHING SANE TECHNOLOGY POLICIES FOR YOUR PROGRAM.

A Reliable and Secure Network TM105: ESTABLISHING SANE TECHNOLOGY POLICIES FOR YOUR PROGRAM.
Overview of Nursing Informatics

Overview of Nursing Informatics
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
The Nature of Managerial Decision Making

The Nature of Managerial Decision Making
Legal Duties to LEP Health and Social Services Clients Jill Moore Institute of Government December 2004.

Legal Duties to LEP Health and Social Services Clients Jill Moore Institute of Government December 2004.
Introduction to Structured Query Language (SQL)

Introduction to Structured Query Language (SQL)
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Principles of High Quality Assessment

Principles of High Quality Assessment
Programming Logic and Design, Introductory, Fourth Edition1 Understanding Computer Components and Operations (continued) A program must be free of syntax.

Programming Logic and Design, Introductory, Fourth Edition1 Understanding Computer Components and Operations (continued) A program must be free of syntax.
Copyright © Cengage Learning. All rights reserved. CHAPTER 11 ANALYSIS OF ALGORITHM EFFICIENCY ANALYSIS OF ALGORITHM EFFICIENCY.

Copyright © Cengage Learning. All rights reserved. CHAPTER 11 ANALYSIS OF ALGORITHM EFFICIENCY ANALYSIS OF ALGORITHM EFFICIENCY.
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Harnessing the Power of Microdata Standards, tools and best practices for microdata dissemination and management International Household Survey Network.

Harnessing the Power of Microdata Standards, tools and best practices for microdata dissemination and management International Household Survey Network.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
SPECA Regional Workshop on Disability Statistics: Dec 13-15, 2006 Purposes of Disability Statistics Jennifer Madans and Barbara Altman National Center.

SPECA Regional Workshop on Disability Statistics: Dec 13-15, 2006 Purposes of Disability Statistics Jennifer Madans and Barbara Altman National Center.
Microsoft Visual Basic 2012 CHAPTER ONE Introduction to Visual Basic 2012 Programming.

Microsoft Visual Basic 2012 CHAPTER ONE Introduction to Visual Basic 2012 Programming.
SESSION ONE PERFORMANCE MANAGEMENT & APPRAISALS.

SESSION ONE PERFORMANCE MANAGEMENT & APPRAISALS.
(Terminology Summer School) TSS. Term Net Inforterm TSS Terminology Management Terminology.

(Terminology Summer School) TSS. Term Net Inforterm TSS Terminology Management Terminology.
Mary Theofanos Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security.

Mary Theofanos Visualization & Usability Group Information Access Division Information Technology Laboratory Usability Research in Support Of Cyber-Security.
Copyright © 2003 by Prentice Hall Computers: Tools for an Information Age Chapter 13 Database Management Systems: Getting Data Together.

Copyright © 2003 by Prentice Hall Computers: Tools for an Information Age Chapter 13 Database Management Systems: Getting Data Together.

Similar presentations

Ads by Google