Carnegie Mellon students Richard Shay and Saranga Komanduri present on "Encountering Stronger Password Requirements: User Attitudes and Behaviors" at SOUPS 2010 (Photo credit: Lujo Bauer)
SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium
By Richard Power
SOUPS 2010 is the sixth annual event, and the third one it has been my pleasure to cover. It is also the second year in a row that the event was held at one of the centers of true power in cyberspace; last year it was held at the Google campus in Silicon Valley, this year it was held at Microsoft campus in Redmond, Washington.
Adam Shostack, a program manager for Microsoft's Trustworthy Computing Initiative, gave the Invited Talk. Shostack's presentation was titled, "Engineers Are People, Too."
Cormac Herley and Dinei Florencio of Microsoft Research won the Best Paper Award for their paper "Where Do Security Policies Come From?"
To give you a feeling and a sense for the nature of the research explored at SOUPS 2010, here are some brief excerpts from the papers presented on just one day:
"Do Windows Users Follow the Principle of Least Privilege? Investigating User Account Control Practices" by Sara Motiee, Kirstie Hawkey and Konstantin Beznosov, University of British Columbia (Vancouver, B.C.):
All our participants used an admin account on their laptop. Although 71% had a partial understanding of the limitations and rights of each user account type, 91% of participants were not aware of the security risks of high-privilege accounts or the security benefits of low-privilege ones. Also, while 62% had experienced a low-privilege user account, they were not motivated to use it on their own laptops because of the limitations they had faced using these accounts.
"Encountering Stronger Password Requirements: User Attitudes and Behaviors" by Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin and Lorrie Faith Cranor, Carnegie Mellon University (Pittsburgh, PA.):
Our results reveal flaws in NIST's assumptions. NIST bases its per-password entropy estimates on several assumptions that are inconsistent with our findings. They assume users will create passwords of the minimum required length, but our results show an average length more than two characters above the minimum. NIST also assumes users will have the minimum number of special characters, but our participants frequently indicated using more. Over two-thirds of users who responded said they used more than the one required number. It would be useful to examine larger sets of passwords created under a variety of password policies to provide empirical data to improve the NIST guidelines.
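To make the excerpt's point concrete, here is an added example (not code from the paper or from NIST) that implements the NIST SP 800-63 Appendix A guessing-entropy heuristic for user-chosen passwords as published: 4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for characters 9 to 20, 1 bit per character beyond that, a flat 6-bit bonus for a composition rule, and a dictionary-check bonus of up to 6 bits that declines to zero at 20 characters. It assumes an 8-character minimum policy with both a composition rule and a dictionary check, and compares the estimate NIST would assign to the assumed minimum-length password with the estimate for a password two characters longer, the average length the study observed; the flat composition bonus also shows why extra special characters earn no additional credit under the heuristic.

```python
# Added example: NIST SP 800-63 Appendix A entropy heuristic, reconstructed from
# the published rules. Not code from the SOUPS paper. The 8-character policy
# minimum is an assumption; the bonus tail for passwords under 6 characters is
# not modelled.

def nist_entropy_bits(length: int, composition_rule: bool = False,
                      dictionary_check: bool = False) -> float:
    """Estimated guessing entropy (bits) for a user-chosen password of `length`."""
    if length < 1:
        raise ValueError("length must be positive")
    bits = 4.0                                # first character: 4 bits
    bits += 2.0 * min(length - 1, 7)          # characters 2..8: 2 bits each
    if length > 8:
        bits += 1.5 * min(length - 8, 12)     # characters 9..20: 1.5 bits each
    if length > 20:
        bits += 1.0 * (length - 20)           # characters 21+: 1 bit each
    if composition_rule:
        # Flat bonus: the heuristic gives no credit for using more symbols
        # than the rule requires, which is exactly what participants reported doing.
        bits += 6.0
    if dictionary_check:
        # Up to 6 bits, declining linearly from 6 at 8 characters to 0 at 20.
        bits += max(0.0, min(6.0, 6.0 - (length - 8) / 2))
    return bits


def policy_comparison(minimum_length: int = 8, observed_extra: int = 2) -> dict:
    """Compare the estimate for NIST's assumed minimum-length password with the
    estimate for the observed average (minimum plus `observed_extra`)."""
    assumed = nist_entropy_bits(minimum_length, True, True)
    observed = nist_entropy_bits(minimum_length + observed_extra, True, True)
    return {"assumed_bits": assumed,
            "observed_bits": observed,
            "understatement_bits": observed - assumed}


if __name__ == "__main__":
    for k, v in policy_comparison().items():
        print(f"{k}: {v}")
```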
"A Closer Look at Recognition-based Graphical Passwords on Mobile Devices" by Paul Dunphy of Newcastle University (Newcastle upon Tyne, U.K.), Andreas Heiner and N. Asokan of Nokia Research (Helsinki, Finland):
Despite the increasing presence of biometrics for user authentication on consumer electronics e.g. laptops, knowledge-based authentication systems are likely to remain attractive due to being purely software-based solutions. Graphical password systems based on recognition potentially have a role to play in this area, due to accurate user performance in previous studies, including this one. One key limitation however, is that login durations recorded for our systems – and others – are still too long. User acceptance is often driven by convenience and login durations of approximately 20 seconds are unattractive to many users.
"Usably Secure, Low-Cost Authentication for Mobile Banking" by Saurabh Panjwani and Ed Cutrell of Microsoft India:
While the design of secure and usable authentication for banking applications is a well-studied problem in the developed world, applying the same solutions to developing-world mobile banking is a challenge, primarily due to the limited capacity of the phones available in these regions. Amongst all mobile banking providers in the world, EKO is unique ... In this paper, we have demonstrated a security weakness in EKO’s solution which causes the privacy of user PINs to be easily compromised. On the positive side, we have also shown an alternative solution which not only fixes this problem with EKO’s scheme but also improves its usability and user-friendliness. This is an absolute win-win situation for user-centric security design – better security with better usability. Our research has potential implications for banking in the developed world also. While ATM-based banking is claimed to offer secure 2-factor authentication, such claims have considerably weakened with the increasing incidence of skimming attacks in the recent past ...
"Two Heads are Better Than One: Security and Usability of Device Associations in Group Scenarios" by Ronald Kainda, Ivan Flechais and Andrew William Roscoe of Oxford University (Oxford, U.K.):
We have analysed, evaluated and compared methods for transferring fingerprints among devices for the purpose of bootstrapping security in group scenarios. While it has been believed that group settings may be more subject to failures during the association process compared to single user pair-wise associations, our findings show the converse to be true ...
Based on participants' feedback and video analysis, we concluded that in group settings security of device association is a function of a sum of efforts rather than weakest link. Data further revealed that users rarely read instructions before using a new system but learn as they 'get on with it.' Users also believe that a secure system must be complex and difficult to use. In addition we realised how contextualising laboratory studies can lead to richer data and responses from participants.
"Influence of User Perception, Security Needs, and Social Factors on Device Pairing Method Choices" by Iulia Ion and Srdjan Capkun of ETH Zurich (Zurich, Switzerland), Marc Langheinrich of University of Lugano (Lugano, Switzerland) and Ponnurangam Kumaraguru of IIIT Delhi (New Delhi, India):
Creating a technically secure and highly usable method is not always sufficient to meet users' needs. The method should also comply with users' security perception and be appropriate for the specific social situation.
1. Map perceived security to method guarantees: Designers should create methods whose actual security guarantees are consistent with users' perceived security. To achieve this, it might be necessary to introduce redundant steps, controls, cancel buttons, and double confirmations.
2. Include security by default: We detected several mismatches between users' mental models and system designs, which prove the need to include security by default when dealing with sensitive data, such as a customer entrusting a confidential financial report or a bank issuing a credit card. Also, our results show users' willingness to have security enabled by default.
3. Support several methods: Some users liked Take a picture very much and disliked Listen up, and others felt exactly the opposite. To account for diverse personal preferences, mobile devices should support a set of different pairing methods.
4. Account for social factors: No single method is adequate for all situations. Users are likely to bypass security before breaking social norms. Designers should provide appropriate methods for professional environments, public and private places, and interaction with friends or strangers. The user could, for instance, choose between several variants: meeting mode, quiet room mode, professional mode, play/fun mode, etc.
The full text of these papers, as well as the others presented at SOUPS 2010, is available from the event's official site, along with information on the two workshops held: Usable Security Experiment Reports (USER) and Security & Privacy Usability Technology Transfer: Emerging Research (SPUTTER).