34
Password Usability Yee-Yin Choong Cognitive Scientist Visualization and Usability Group Information Access Division Information Technology Laboratory National Institute of Standards and Technology October 23, 2015

Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Password Usability

Yee-Yin Choong

Cognitive Scientist Visualization and Usability Group Information Access Division Information Technology Laboratory National Institute of Standards and Technology

October 23, 2015

Page 2: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Extent to which a product or system

can be used by specified users

to achieve specified goals

with effectiveness, efficiency and satisfaction

in a specified context of use

specified users

1

Usability: ISO 9241-11

specified goals

specified context of use

Page 3: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

2

Page 4: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Generation

Problem solving

Creative thinking

Decision making

Limited processing capacities

– attention

– interferences

Attitudes &

Use Experience

Generation

Maintenance

Authentication

Cognitive-Behavioral Framework

Page 5: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

4

Investigate user password generation space

Effects of rule presentation formatting

Participants 81 participants

Average age: 35.1 (years)

53% female, 47% male

Study 1 – Password Generation Study

Page 6: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

5

Experimental Design

Two sets of password rules (within-Subject)

Complex

Simple

Two presentation styles (between-Subject)

Formatted

Unformatted

Data Number of passwords generated

Password generation time

Time to 1st Keypress and Password

Character Type Distribution

Character Type Positioning

Page 7: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

6

Presentation

Style

Password Rules

Complex Simple

Formatted n=40

Unformatted n=41

Your password must have: • at least 12 characters • at least 1 uppercase letter (A to Z) • at least 1 lowercase letter (a to z) • at least 1 number (0 to 9) • at least 1 symbol. Your password must not: • have 5 occurrences of the same characters • Contain any dictionary words.

Your password must have: • at least 6 characters. You can use any characters that can be typed on a standard keyboard. Password tip: It is recommended that you use a combination of upper and lower case letters, numbers and symbols.

Your password must be a minimum of twelve characters in length. Each password must contain at least one of each of the following types of characters: uppercase alphabetic (A to Z), lowercase alphabetic (a to z), numeric (0 to 9), and symbols. Your passwords cannot contain any dictionary words. Your passwords cannot have five occurrences of the same character.

You need to create a password of minimum 6 characters long. You can use any characters that can be typed on a standard keyboard. Password tip: It is recommended that you use a combination of upper and lower case letters, numbers and symbols.

Page 8: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

7

8,165 passwords generated (81 participants)

Complex rules: 3,138 passwords

Simple rules: 5,027 passwords

Average: 100.8 passwords per participant

Avg. Time to 1st Keypress Simple = 14.35 s, Complex = 23.98 s

Avg. Time to 1st Compliant Password Simple = 22.28 s, Complex = 82.65 s

Results

Page 9: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

8

Formatted Presentation = Better Performance

Complex Rules – faster start time

Simple Rules – more passwords, shorter time

Effects of Presentation Formatting

Formatted Unformatted

Time to 1st key press 21.2 s 26.7 s

Time to 1st compliant password 79.8 s 85.5 s

Formatted Unformatted

Number of passwords 69.4 54.9

Password generation time 9.7 s 13.4 s

Page 10: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

9

Complex Passwords Heat map

e 5.4%

r 4.0%

t 3.5%

i 3.2%

o 4.1%

a 4.4%

s 4.0%

n 3.6%

l 2.5%

h 2.4%

W 0.7% T 0.7% P 0.6%

M 0.7%

L 0.8% A 0.6% S 0.8% D 0.7% F 0.7%

C 0.7%

1 2.9%

2 2.6%

3 2.5%

0 2.4%

4 2.0%

! 2.0%

@ 1.1% # 1.2% * 1.1% $ 0.9%

Page 11: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

10

Positioning Patterns

19.1%

71.6% 73.2% 74.2% 72.2% 68.8%

65.7% 63.8% 58.2%

53.7% 48.4%

40.7% 33.8%

29.0% 23.7%

20.7% 15.6%

8.6%

66.6%

11.4% 12.9% 9.9% 11.2%

10.4%

9.2% 8.2%

8.9%

9.2%

7.7%

6.1%

5.8%

3.9%

5.5% 4.8%

5.7%

9.7%

7.3% 11.2% 8.3%

9.1% 10.1% 12.9%

17.0% 19.3%

22.4% 26.6%

31.2%

34.8%

40.3%

39.5% 41.0%

43.8%

40.8%

31.2%

6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%

27.7% 29.9% 30.8% 38.0%

50.5%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]

% o

f C

har

acte

r Ty

pe

s

Positions in Passwords of 12 to 18 Characters Long

Lowercase Uppercase Number Special

Page 12: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

11

Positioning Patterns – Uppercase

19.1%

71.6% 73.2% 74.2% 72.2% 68.8%

65.7% 63.8% 58.2%

53.7% 48.4%

40.7% 33.8%

29.0% 23.7%

20.7% 15.6%

8.6%

66.6%

11.4% 12.9% 9.9% 11.2%

10.4% 9.2%

8.2%

8.9%

9.2%

7.7%

6.1%

5.8%

3.9%

5.5% 4.8%

5.7%

9.7%

7.3% 11.2% 8.3%

9.1% 10.1% 12.9%

17.0% 19.3%

22.4% 26.6%

31.2%

34.8%

40.3%

39.5% 41.0%

43.8%

40.8%

31.2%

6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%

27.7% 29.9% 30.8% 38.0%

50.5%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]

Perc

enta

ge o

f C

har

acte

r Ty

pe

s

Positions in Passwords of 12 to 18 Characters Long

Page 13: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

12

Positioning Patterns – Lowercase

19.1%

71.6% 73.2% 74.2% 72.2% 68.8%

65.7% 63.8% 58.2%

53.7% 48.4%

40.7% 33.8%

29.0% 23.7%

20.7% 15.6%

8.6%

66.6%

11.4% 12.9% 9.9% 11.2%

10.4%

9.2% 8.2%

8.9%

9.2%

7.7%

6.1%

5.8%

3.9%

5.5% 4.8%

5.7%

9.7%

7.3% 11.2% 8.3%

9.1% 10.1% 12.9%

17.0% 19.3%

22.4% 26.6%

31.2%

34.8%

40.3%

39.5% 41.0%

43.8%

40.8%

31.2%

6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%

27.7% 29.9% 30.8% 38.0%

50.5%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]

Perc

enta

ge o

f C

har

acte

r Ty

pe

s

Positions in Passwords of 12 to 18 Characters Long

Page 14: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

13

Positioning Patterns – numbers & special characters

19.1%

71.6% 73.2% 74.2% 72.2% 68.8%

65.7% 63.8% 58.2%

53.7% 48.4%

40.7% 33.8%

29.0% 23.7%

20.7% 15.6%

8.6%

66.6%

11.4% 12.9% 9.9% 11.2%

10.4%

9.2% 8.2%

8.9%

9.2%

7.7%

6.1%

5.8%

3.9%

5.5% 4.8%

5.7%

9.7%

7.3% 11.2% 8.3%

9.1% 10.1% 12.9%

17.0% 19.3%

22.4% 26.6%

31.2%

34.8%

40.3%

39.5% 41.0%

43.8%

40.8%

31.2%

6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%

27.7% 29.9% 30.8% 38.0%

50.5%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]

Perc

enta

ge o

f C

har

acte

r Ty

pe

s

Positions in Passwords of 12 to 18 Characters Long

Page 15: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Online Survey (2010-2011)

Anonymous

Questions on password management and computer security

Demographics

US Government Workers 4,573 Department of Commerce (DOC) employees

Study 2 – Employee Password Usability Survey

14

Page 16: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

15

Average 9 work-related passwords

5 frequently used

4 occasionally used

Time spent on creating passwords

Password Usage

Password Types Estimated Longest

Time Total1 (Mean)

Worst Scenario - time spent annually2 (with longest time)

Hours/employee/year If on a 90-day cycle

Hours/employee/year If on a 60-day cycle

Frequent passwords 98.5 min 6.6 h 9.9 h

Occasional passwords 86.6 min 5.8 h 8.7 h

Total 12.4 h 18.6 h 1 Estimated Longest Time Total = (number of password counts) x (estimated longest time for a password) 2 The calculation is based on the password changing cycle of 90 days (i.e. 4 times a year), and 60 days (i.e. 6 times a year).

Page 17: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

16

Password creation takes long, why?

The program kept rejecting my password because it was not within the guildlines

[sic] even though I thought I was following them.

That 25 minutes was actual time trying to get a system to accept a password. I

was so desparate [sic] I actually started asking colleagues for suggestions! .

Longer if I manage to lock myself out in doing so, or can't remember what I just

changed it to and have to get it reset all over.

sometimes it's taken me 20min to change a password to one that meets the

requirements and isn't too far off from my other ones (so I can remember it!)

Longest time is 2 days. The password expired and a default password was set. I

could not change away from the default due to a lock out feature requiring that

the password not be changed more than once in two days.

There have been several times where it took so long to create a complex enough

password that I forgot the password when logging in the next time and had to

have it reset.

Page 18: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

17

Attitudes toward Password Policy

Too long

Too complex

Changed too often

not at the same time!

Too short 0.9%

Too long 57.2%

About right 36.2%

Neutral 5.7%

Attitudes – Password Length

Too simple 0.6%

Too complex

51.0%

About right 44.4%

Neutral 4.0%

Attitudes – Password Complexity

> 180 days 35.2%

121 - 180 days 17.4%

91 - 120 days 18.3%

61 - 90 days 18.8%

31 - 60 days 5.8%

<= 30 days 1.3%

Neutral 3.2%

Attitudes – Password Expiration

Page 19: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

18

What did they say? The combination of length/complexity, number of different passwords, plus

frequent changes makes passwords insecure, because they must be written down. How do you think people remember extremely complex passwords which also

require to be changed every 3 months ? #Wr1T31Td0wN .. yes that's 12 chars :) I understand that for ““security” ” reasons it is good to change a password - but

seriously are we all expected to magically remember 12 different passwords, most of which are 10 charecters [sic] long, and can't look like a word (I agree with the reason for the complexity - it just hard on the user).

I make a list of the password requirements for all accounts and make one that fits all of them.

Security has become so complex, it's interfering with being able to do a job efficiently.

It is hard enough to come up with a 12 or so string of unique characters every three months, let alone remember 10 individual ones.

Security has become so complex, it's interfering with being able to do a job efficiently.

Page 20: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

19

Organizational Password Policy

Protect data integrity and system security

Control employees’ access

Dictate employees’ password management

Password composition requirements

Password expiration

Reuse and history

Storage requirements

Page 21: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

20

Attitudes (Fishbein & Ajzen, 1975)

“Learned, relatively enduring dispositions to respond in consistently favorable or unfavorable ways to certain people, groups, ideas, or situations.”

Positive employee attitudes

combat negative reactions to organization-wide changes or policy viewed as unfavorable

Employee Attitudes

Page 22: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Employee Password Management Lifecycle 21

Burdensome

Too short 0.9%

Too long 57.2%

About right

36.2%

Neutral 5.7%

Attitudes – Password Length

Too simple 0.6%

Too complex

51.0%

About right

44.4%

Neutral 4.0%

Attitudes – Password Complexity

About Right

Divergent Views

Page 23: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Password Generation Strategies

61.1%

36.2%

29.7%

68.3%

45.8% 41.7%

58.8%

35.2%

30.1%

71.5%

48.2%

42.9%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Minor change Existing pwd Recyle old pwd

% o

f u

sin

g th

e st

rate

gy

Top 3 Strategies

Length – About right Length – Burdensome

Complexity – About right Complexity – Burdensome

22 * All comparisons are statistically significant (p < 0.05).

Page 24: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Password Generation Considerations

75.4%

67.3%

44.0%

86.0%

51.8%

22.5%

75.9%

68.5%

43.5%

87.0%

48.5%

19.8%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Easy to remember Compliant Strong

% “

Ver

y Im

po

rtan

t”

Length – About right Length – Burdensome

Complexity – About right Complexity – Burdensome

23 * All comparisons are statistically significant (p < 0.05).

Page 25: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Password Maintenance

24 * All comparisons are statistically significant (p < 0.05).

69.7%

56.0%

26.8%

64.0% 65.6%

30.9%

70.4%

56.8%

25.5%

62.7% 66.2%

32.5%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Memorize Paper File

% o

f u

sin

g th

e tr

acki

ng

met

ho

d

Primary password tracking methods

Length – About right Length – Burdensome

Complexity – About right Complexity – Burdensome

Page 26: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Password Tracking – paper in plain view

25

15.9% 16.3%

29.1% 31.1%

0%

10%

20%

30%

40%

50%

Length Requirement Complexity Requirement

% p

aper

in p

lain

vie

w

Attitudes toward Password Policy

About right Burdensome

Page 27: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Authentication Experience

26 * All comparisons are statistically significant (p < 0.05).

18.4% 15.9% 16.1%

33.0% 29.5% 29.6%

18.8%

13.7% 13.2%

34.4% 33.6% 34.4%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Mistyping password Forgetting password Error message - changingpassword

% “

A L

ot"

Fru

stra

tio

n

Top 3 Login Problems

Length – About right Length – Burdensome

Complexity – About right Complexity – Burdensome

Page 28: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

What Did 4,500+ People Tell Us?

Staff overwhelmed – pushing human cognition limits different password requirements (length, complexity, expiration) multiple passwords – frustration level significantly related to

number of passwords

Statistically significant relationships Attitudes toward organizational security policies

Security behaviors and experiences

Positive attitudes Compliant and strong passwords more important

Write-down passwords less often

Less frustration with login problems

Better understanding of password security 27

Page 29: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

28

Smart Cards for identification and authentication

Security, multi-factors

Something you have – a Smart card

Something you know – a PIN

Usability

Single sign-on

PINs easier to remember and to enter

Promising Solution?

Page 30: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

29

CAC Standard identification for Department of Defense

(DoD) personnel

Physical access

Logical access

Online Survey Anonymous

Questions on CAC usage and password management

The case of CAC (Common Access Card)

Page 31: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

30

Authentication Problems – Forgetting

0.6%

11.3%

89.5%

3.3%

51.1%

39.5%

Very Large + Large amount Moderate + Small amount None

Frustration with Forgetting

CAC – Forget PIN PWD – Forget Password

Statistical significance (p < 0.05)

More frustration with Forgetting Password

Page 32: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

31

User Satisfaction with CAC

Satisfied 90.2%

Dissatisfied 1.9%

Neutral 7.9%

Page 33: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

Moving Forward Better security metrics for user generated passwords

Usable password requirements Formatting, phrasing, language, feedback

Potential usability issues with smartcard authentication

Better organizational security policies

Direction of causality: Attitudes & Behaviors

Promote positive attitudes

Work and personal password management

32

Page 34: Password Usability - NIST · 2018-09-27 · Extent to which a product or system can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction

References

Yee-Yin Choong

National Institute of Standards and Technology Gaithersburg, MD, USA

[email protected]

Choong, Y. Y., Theofanos, M., & Liu, H.-K. (2014). United States Federal Employees' Password Management Behaviors – A Department of Commerce Case Study, NISTIR 7991.

Choong, Y. Y. (2014). A cognitive-behavioral framework of user password management lifecycle. In Human Aspects of Information Security, Privacy, and Trust (pp. 127-137). Springer International Publishing.

Choong, Y. Y., & Theofanos, M. (2015). What 4,500+ people can tell you–employees’ attitudes toward organizational password policy do matter. In Human Aspects of Information Security, Privacy, and Trust (pp. 299-310). Springer International Publishing.

Lee, Paul Y., & Choong, Y. Y. (2015). "Human generated passwords–the impacts of password requirements and presentation styles." In Human Aspects of Information Security, Privacy, and Trust (pp. 83-94). Springer International Publishing.