Embed Size (px)
Citation preview
Password Usability
Yee-Yin Choong
Cognitive Scientist Visualization and Usability Group Information Access Division Information Technology Laboratory National Institute of Standards and Technology
October 23, 2015
Extent to which a product or system
can be used by specified users
to achieve specified goals
with effectiveness, efficiency and satisfaction
in a specified context of use
specified users
1
Usability: ISO 9241-11
specified goals
specified context of use
2
Generation
Problem solving
Creative thinking
Decision making
Limited processing capacities
– attention
– interferences
Attitudes &
Use Experience
Generation
Maintenance
Authentication
Cognitive-Behavioral Framework
4
Investigate user password generation space
Effects of rule presentation formatting
Participants 81 participants
Average age: 35.1 (years)
53% female, 47% male
Study 1 – Password Generation Study
5
Experimental Design
Two sets of password rules (within-Subject)
Complex
Simple
Two presentation styles (between-Subject)
Formatted
Unformatted
Data Number of passwords generated
Password generation time
Time to 1st Keypress and Password
Character Type Distribution
Character Type Positioning
6
Presentation
Style
Password Rules
Complex Simple
Formatted n=40
Unformatted n=41
Your password must have: • at least 12 characters • at least 1 uppercase letter (A to Z) • at least 1 lowercase letter (a to z) • at least 1 number (0 to 9) • at least 1 symbol. Your password must not: • have 5 occurrences of the same characters • Contain any dictionary words.
Your password must have: • at least 6 characters. You can use any characters that can be typed on a standard keyboard. Password tip: It is recommended that you use a combination of upper and lower case letters, numbers and symbols.
Your password must be a minimum of twelve characters in length. Each password must contain at least one of each of the following types of characters: uppercase alphabetic (A to Z), lowercase alphabetic (a to z), numeric (0 to 9), and symbols. Your passwords cannot contain any dictionary words. Your passwords cannot have five occurrences of the same character.
You need to create a password of minimum 6 characters long. You can use any characters that can be typed on a standard keyboard. Password tip: It is recommended that you use a combination of upper and lower case letters, numbers and symbols.
7
8,165 passwords generated (81 participants)
Complex rules: 3,138 passwords
Simple rules: 5,027 passwords
Average: 100.8 passwords per participant
Avg. Time to 1st Keypress Simple = 14.35 s, Complex = 23.98 s
Avg. Time to 1st Compliant Password Simple = 22.28 s, Complex = 82.65 s
Results
8
Formatted Presentation = Better Performance
Complex Rules – faster start time
Simple Rules – more passwords, shorter time
Effects of Presentation Formatting
Formatted Unformatted
Time to 1st key press 21.2 s 26.7 s
Time to 1st compliant password 79.8 s 85.5 s
Formatted Unformatted
Number of passwords 69.4 54.9
Password generation time 9.7 s 13.4 s
9
Complex Passwords Heat map
e 5.4%
r 4.0%
t 3.5%
i 3.2%
o 4.1%
a 4.4%
s 4.0%
n 3.6%
l 2.5%
h 2.4%
W 0.7% T 0.7% P 0.6%
M 0.7%
L 0.8% A 0.6% S 0.8% D 0.7% F 0.7%
C 0.7%
1 2.9%
2 2.6%
3 2.5%
0 2.4%
4 2.0%
! 2.0%
@ 1.1% # 1.2% * 1.1% $ 0.9%
10
Positioning Patterns
19.1%
71.6% 73.2% 74.2% 72.2% 68.8%
65.7% 63.8% 58.2%
53.7% 48.4%
40.7% 33.8%
29.0% 23.7%
20.7% 15.6%
8.6%
66.6%
11.4% 12.9% 9.9% 11.2%
10.4%
9.2% 8.2%
8.9%
9.2%
7.7%
6.1%
5.8%
3.9%
5.5% 4.8%
5.7%
9.7%
7.3% 11.2% 8.3%
9.1% 10.1% 12.9%
17.0% 19.3%
22.4% 26.6%
31.2%
34.8%
40.3%
39.5% 41.0%
43.8%
40.8%
31.2%
6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%
27.7% 29.9% 30.8% 38.0%
50.5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]
% o
f C
har
acte
r Ty
pe
s
Positions in Passwords of 12 to 18 Characters Long
Lowercase Uppercase Number Special
11
Positioning Patterns – Uppercase
19.1%
71.6% 73.2% 74.2% 72.2% 68.8%
65.7% 63.8% 58.2%
53.7% 48.4%
40.7% 33.8%
29.0% 23.7%
20.7% 15.6%
8.6%
66.6%
11.4% 12.9% 9.9% 11.2%
10.4% 9.2%
8.2%
8.9%
9.2%
7.7%
6.1%
5.8%
3.9%
5.5% 4.8%
5.7%
9.7%
7.3% 11.2% 8.3%
9.1% 10.1% 12.9%
17.0% 19.3%
22.4% 26.6%
31.2%
34.8%
40.3%
39.5% 41.0%
43.8%
40.8%
31.2%
6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%
27.7% 29.9% 30.8% 38.0%
50.5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]
Perc
enta
ge o
f C
har
acte
r Ty
pe
s
Positions in Passwords of 12 to 18 Characters Long
12
Positioning Patterns – Lowercase
19.1%
71.6% 73.2% 74.2% 72.2% 68.8%
65.7% 63.8% 58.2%
53.7% 48.4%
40.7% 33.8%
29.0% 23.7%
20.7% 15.6%
8.6%
66.6%
11.4% 12.9% 9.9% 11.2%
10.4%
9.2% 8.2%
8.9%
9.2%
7.7%
6.1%
5.8%
3.9%
5.5% 4.8%
5.7%
9.7%
7.3% 11.2% 8.3%
9.1% 10.1% 12.9%
17.0% 19.3%
22.4% 26.6%
31.2%
34.8%
40.3%
39.5% 41.0%
43.8%
40.8%
31.2%
6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%
27.7% 29.9% 30.8% 38.0%
50.5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]
Perc
enta
ge o
f C
har
acte
r Ty
pe
s
Positions in Passwords of 12 to 18 Characters Long
13
Positioning Patterns – numbers & special characters
19.1%
71.6% 73.2% 74.2% 72.2% 68.8%
65.7% 63.8% 58.2%
53.7% 48.4%
40.7% 33.8%
29.0% 23.7%
20.7% 15.6%
8.6%
66.6%
11.4% 12.9% 9.9% 11.2%
10.4%
9.2% 8.2%
8.9%
9.2%
7.7%
6.1%
5.8%
3.9%
5.5% 4.8%
5.7%
9.7%
7.3% 11.2% 8.3%
9.1% 10.1% 12.9%
17.0% 19.3%
22.4% 26.6%
31.2%
34.8%
40.3%
39.5% 41.0%
43.8%
40.8%
31.2%
6.9% 5.7% 5.5% 6.7% 6.5% 7.9% 8.0% 8.7% 10.4% 10.5% 12.7% 18.4% 20.1%
27.7% 29.9% 30.8% 38.0%
50.5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]
Perc
enta
ge o
f C
har
acte
r Ty
pe
s
Positions in Passwords of 12 to 18 Characters Long
Online Survey (2010-2011)
Anonymous
Questions on password management and computer security
Demographics
US Government Workers 4,573 Department of Commerce (DOC) employees
Study 2 – Employee Password Usability Survey
14
15
Average 9 work-related passwords
5 frequently used
4 occasionally used
Time spent on creating passwords
Password Usage
Password Types Estimated Longest
Time Total1 (Mean)
Worst Scenario - time spent annually2 (with longest time)
Hours/employee/year If on a 90-day cycle
Hours/employee/year If on a 60-day cycle
Frequent passwords 98.5 min 6.6 h 9.9 h
Occasional passwords 86.6 min 5.8 h 8.7 h
Total 12.4 h 18.6 h 1 Estimated Longest Time Total = (number of password counts) x (estimated longest time for a password) 2 The calculation is based on the password changing cycle of 90 days (i.e. 4 times a year), and 60 days (i.e. 6 times a year).
16
Password creation takes long, why?
The program kept rejecting my password because it was not within the guildlines
[sic] even though I thought I was following them.
That 25 minutes was actual time trying to get a system to accept a password. I
was so desparate [sic] I actually started asking colleagues for suggestions! .
Longer if I manage to lock myself out in doing so, or can't remember what I just
changed it to and have to get it reset all over.
sometimes it's taken me 20min to change a password to one that meets the
requirements and isn't too far off from my other ones (so I can remember it!)
Longest time is 2 days. The password expired and a default password was set. I
could not change away from the default due to a lock out feature requiring that
the password not be changed more than once in two days.
There have been several times where it took so long to create a complex enough
password that I forgot the password when logging in the next time and had to
have it reset.
17
Attitudes toward Password Policy
Too long
Too complex
Changed too often
not at the same time!
Too short 0.9%
Too long 57.2%
About right 36.2%
Neutral 5.7%
Attitudes – Password Length
Too simple 0.6%
Too complex
51.0%
About right 44.4%
Neutral 4.0%
Attitudes – Password Complexity
> 180 days 35.2%
121 - 180 days 17.4%
91 - 120 days 18.3%
61 - 90 days 18.8%
31 - 60 days 5.8%
<= 30 days 1.3%
Neutral 3.2%
Attitudes – Password Expiration
18
What did they say? The combination of length/complexity, number of different passwords, plus
frequent changes makes passwords insecure, because they must be written down. How do you think people remember extremely complex passwords which also
require to be changed every 3 months ? #Wr1T31Td0wN .. yes that's 12 chars :) I understand that for ““security” ” reasons it is good to change a password - but
seriously are we all expected to magically remember 12 different passwords, most of which are 10 charecters [sic] long, and can't look like a word (I agree with the reason for the complexity - it just hard on the user).
I make a list of the password requirements for all accounts and make one that fits all of them.
Security has become so complex, it's interfering with being able to do a job efficiently.
It is hard enough to come up with a 12 or so string of unique characters every three months, let alone remember 10 individual ones.
Security has become so complex, it's interfering with being able to do a job efficiently.
19
Organizational Password Policy
Protect data integrity and system security
Control employees’ access
Dictate employees’ password management
Password composition requirements
Password expiration
Reuse and history
Storage requirements
20
Attitudes (Fishbein & Ajzen, 1975)
“Learned, relatively enduring dispositions to respond in consistently favorable or unfavorable ways to certain people, groups, ideas, or situations.”
Positive employee attitudes
combat negative reactions to organization-wide changes or policy viewed as unfavorable
Employee Attitudes
Employee Password Management Lifecycle 21
Burdensome
Too short 0.9%
Too long 57.2%
About right
36.2%
Neutral 5.7%
Attitudes – Password Length
Too simple 0.6%
Too complex
51.0%
About right
44.4%
Neutral 4.0%
Attitudes – Password Complexity
About Right
Divergent Views
Password Generation Strategies
61.1%
36.2%
29.7%
68.3%
45.8% 41.7%
58.8%
35.2%
30.1%
71.5%
48.2%
42.9%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Minor change Existing pwd Recyle old pwd
% o
f u
sin
g th
e st
rate
gy
Top 3 Strategies
Length – About right Length – Burdensome
Complexity – About right Complexity – Burdensome
22 * All comparisons are statistically significant (p < 0.05).
Password Generation Considerations
75.4%
67.3%
44.0%
86.0%
51.8%
22.5%
75.9%
68.5%
43.5%
87.0%
48.5%
19.8%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Easy to remember Compliant Strong
% “
Ver
y Im
po
rtan
t”
Length – About right Length – Burdensome
Complexity – About right Complexity – Burdensome
23 * All comparisons are statistically significant (p < 0.05).
Password Maintenance
24 * All comparisons are statistically significant (p < 0.05).
69.7%
56.0%
26.8%
64.0% 65.6%
30.9%
70.4%
56.8%
25.5%
62.7% 66.2%
32.5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Memorize Paper File
% o
f u
sin
g th
e tr
acki
ng
met
ho
d
Primary password tracking methods
Length – About right Length – Burdensome
Complexity – About right Complexity – Burdensome
Password Tracking – paper in plain view
25
15.9% 16.3%
29.1% 31.1%
0%
10%
20%
30%
40%
50%
Length Requirement Complexity Requirement
% p
aper
in p
lain
vie
w
Attitudes toward Password Policy
About right Burdensome
Authentication Experience
26 * All comparisons are statistically significant (p < 0.05).
18.4% 15.9% 16.1%
33.0% 29.5% 29.6%
18.8%
13.7% 13.2%
34.4% 33.6% 34.4%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Mistyping password Forgetting password Error message - changingpassword
% “
A L
ot"
Fru
stra
tio
n
Top 3 Login Problems
Length – About right Length – Burdensome
Complexity – About right Complexity – Burdensome
What Did 4,500+ People Tell Us?
Staff overwhelmed – pushing human cognition limits different password requirements (length, complexity, expiration) multiple passwords – frustration level significantly related to
number of passwords
Statistically significant relationships Attitudes toward organizational security policies
Security behaviors and experiences
Positive attitudes Compliant and strong passwords more important
Write-down passwords less often
Less frustration with login problems
Better understanding of password security 27
28
Smart Cards for identification and authentication
Security, multi-factors
Something you have – a Smart card
Something you know – a PIN
Usability
Single sign-on
PINs easier to remember and to enter
Promising Solution?
29
CAC Standard identification for Department of Defense
(DoD) personnel
Physical access
Logical access
Online Survey Anonymous
Questions on CAC usage and password management
The case of CAC (Common Access Card)
30
Authentication Problems – Forgetting
0.6%
11.3%
89.5%
3.3%
51.1%
39.5%
Very Large + Large amount Moderate + Small amount None
Frustration with Forgetting
CAC – Forget PIN PWD – Forget Password
Statistical significance (p < 0.05)
More frustration with Forgetting Password
31
User Satisfaction with CAC
Satisfied 90.2%
Dissatisfied 1.9%
Neutral 7.9%
Moving Forward Better security metrics for user generated passwords
Usable password requirements Formatting, phrasing, language, feedback
Potential usability issues with smartcard authentication
Better organizational security policies
Direction of causality: Attitudes & Behaviors
Promote positive attitudes
Work and personal password management
32
References
Yee-Yin Choong
National Institute of Standards and Technology Gaithersburg, MD, USA
Choong, Y. Y., Theofanos, M., & Liu, H.-K. (2014). United States Federal Employees' Password Management Behaviors – A Department of Commerce Case Study, NISTIR 7991.
Choong, Y. Y. (2014). A cognitive-behavioral framework of user password management lifecycle. In Human Aspects of Information Security, Privacy, and Trust (pp. 127-137). Springer International Publishing.
Choong, Y. Y., & Theofanos, M. (2015). What 4,500+ people can tell you–employees’ attitudes toward organizational password policy do matter. In Human Aspects of Information Security, Privacy, and Trust (pp. 299-310). Springer International Publishing.
Lee, Paul Y., & Choong, Y. Y. (2015). "Human generated passwords–the impacts of password requirements and presentation styles." In Human Aspects of Information Security, Privacy, and Trust (pp. 83-94). Springer International Publishing.
