Tuesday, December 1, 2015

TED Tuesday: Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?

"So passwords are something that I hear a lot about. A lot of people are frustrated with passwords, and it's bad enough when you have to have one really good password that you can remember but nobody else is going to be able to guess. But what do you do when you have accounts on a hundred different systems and you're supposed to have a unique password for each of these systems? It's tough."

Good Morning Folks,

Abner Goodwin's job title is Systems Specialist, so like most IT people he should know best about security, right? Well, even some folks in IT can procrastinate changing their passwords longer than filing their income tax. So don't feel bad, but use today's talk to set your browsing on a more secure path.

Abner blogs, "I’ve been an Internet user for about half my life now. That’s been enough time to collect many, many accounts. I have at least 3 email accounts, accounts on the usual social networking sites, and a slew of random accounts for online stores and services. I figure that I have somewhere around 30 personal accounts that I’ve set up over the years. There are many others that I’ve lost track of, consigned to the briny depths of the web to be forever forgotten."

"It’s time for a confession dear readers: I have committed a grievous evil. I have re-used passwords for multiple personal accounts with wild abandon. On top of that, before this article, I had not changed passwords on some accounts for years. What’s worse is I know better than this; I follow best practices for passwords in my professional life obsessively. Seriously, there was an intervention and everything. I guess it would be at this point where I’d say something about the cobbler’s son having no shoes."

"This was pretty much the extent of my super sophisticated personal password scheme. Luckily, I kept the post-it note under my keyboard where no one would ever find it."

"Continuing down this clichéd path, I’ve heard that people don’t change until the pain of staying the same is greater than the pain of changing. For me, the pain came just a few days ago when I received an email from a forum that I belong to. The email stated that they’d been compromised and that the attacker had gained access to their database of usernames and encrypted passwords."

Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, and other topics.

Lorrie Faith Cranor studied thousands of real passwords to figure out the surprising, very common mistakes that users — and secured sites — make to compromise security. And how, you may ask, did she study thousands of real passwords without compromising the security of any users? That's a story in itself. It's secret data worth knowing, especially if your password is 123456 ...

I found this video on some research Lorrie is doing on the subject very interesting and insightful.

Says Lorrie:

 "I always cringe whenever people talk about choosing passwords, but this has some interesting insights into the strengths and weaknesses of various techniques, and it even mentions some I've not heard of before." 
"We’ve all heard the common password advice: Choose a random password with a lot of characters, include digits and symbols, don’t use a dictionary word, don’t write it down and change it often. While some of this advice is useful, some of it is counterproductive and probably even harmful. 
Next Friday I will be giving a Game Changer talk at the IAPP Global Privacy Summit in which I will discuss research results—from my own research group at Carnegie Mellon University as well as from others—that demonstrates that what most people thought they knew about passwords is wrong. 
Most humans are not very good at memorizing random things, and they don’t enjoy doing it. While we are impressed by the talent of spelling bee champions, most of us would rather not spend our time on rote memorization. 
It turns out we’re also not very good at coming up with random things, let alone memorizing them. We like to think of ourselves as unique, but we actually think alike more than we want to admit, and we tend to be rather predictable. 
So, when we’re asked to come up with a random password, we do something that seems random to us but is actually what a lot of other people do. We think of some song lyrics, the name of our pet, a cartoon character, a TV show, a sports team or even the name of a friend or family member. Or maybe we trace our fingers on a keyboard and type in a sequence of keys that appear next to each other—maybe diagonally down one column and then up the next, because that seems more random than just going left to right across. If we have to add a symbol, we type an exclamation point at the end. If we have to add a number, it is most likely a 1. And if a capital letter is needed, it goes at the beginning. 
And because this was so much work to not only choose, but to remember, and because we know we’re not supposed to write our passwords down, the next time we have to create a password, we just use the same one we already created.
But what happens when you log in and are told that your password has expired and you have to choose a new one? Chances are you increment the 1 to a 2 or add another exclamation point to the end."
Research shows that forcing users to change their password on a regular basis does not actually increase security. In fact, it encourages users to create weaker passwords and increment them according to a predictable scheme. So, not only does password expiration annoy users, it likely makes their passwords more vulnerable to attack. Have a look:
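As an added illustration (not code from this post or from Cranor's research group), here is a small Python check that a password-change form could run on the server to catch exactly the habits described above: the capital only at the front, the lone 1 and the exclamation point at the end, and the "bump the number" edit at expiration. The sample passwords are constructed; the variant check flags any change confined to case or the trailing digits and symbols, which is a little broader than the two cases the text names.

```python
import re

# Constructed sample (old, new) password pairs for the demo; not real data.
SAMPLE_CHANGES = [
    ("Monkey1!", "Monkey2!"),                      # number bumped at expiration
    ("Monkey1!", "Monkey1!!"),                     # extra "!" appended
    ("Monkey1!", "correct horse battery staple"),  # genuinely new password
]

def split_password(pw):
    """Split a password into (core, trailing digit run, trailing '!' run)."""
    m = re.fullmatch(r"(.*?)(\d*)(!*)", pw, re.S)
    return m.group(1), m.group(2), m.group(3)

def predictable_habits(pw):
    """Name the habits from the talk that this password exhibits."""
    core, digits, bangs = split_password(pw)
    habits = []
    if core[:1].isupper() and core[1:].islower():
        habits.append("capital letter only at the start")
    if digits == "1":
        habits.append("the number is a lone 1 at the end")
    elif digits:
        habits.append("digits only at the end")
    if bangs:
        habits.append("exclamation point(s) at the end")
    return habits

def predictable_variant(old, new):
    """Describe how `new` is a predictable edit of `old`, or None if it is not."""
    oc, od, ob = split_password(old)
    nc, nd, nb = split_password(new)
    if oc.lower() != nc.lower():
        return None                      # the core changed: a real new password
    if old == new:
        return "password reused unchanged"
    if od and nd and int(nd) == int(od) + 1:
        return "trailing number incremented"
    if len(nb) > len(ob) and nb.startswith(ob):
        return "exclamation point appended"
    return "only case, trailing digits or trailing symbols changed"

def check_new_password(old, new):
    """Findings a password-change form could show the user before accepting."""
    findings = predictable_habits(new)
    variant = predictable_variant(old, new)
    if variant:
        findings.append("too close to the old password: " + variant)
    return findings
```

Run `check_new_password` over `SAMPLE_CHANGES`: the first two pairs produce findings, the passphrase produces none.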

Here are a few highlights of Lorrie's talk:

  • Long passwords with simple requirements can be easier to use and just as strong as shorter passwords with complex requirements.
  • Password meters can encourage users to create stronger passwords, but most password meters used on websites today provide positive feedback prematurely.
  • Passphrases seem like a good idea, but users don’t find random passphrases more usable than passwords.
  • Monkey is the most popular animal to include in a password and among the most popular words to include in a password.
So it seems that at the end of the day, when we make passwords, we either make something that's really easy to type, a common pattern, or things that remind us of the word password or the account that we've created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password. So I know a lot of these TED Talks are inspirational and they make you think about nice, happy things, but when you're creating your password, try to think about something else.

Have a GREAT Day,

Mitchell D. Weiner
Chief Happiness Officer

"The privilege of a lifetime is to become who you truly are."
 ~ Carl Jung

Ideas are not set in stone. When exposed to thoughtful people, they morph and adapt into their most potent form. TED Tuesdays on MitchWeiner.com highlights some of today's most intriguing ideas. Look for more talks on Technology, Entertainment and Design, plus science, business, global issues, the arts and much more, HERE.

About FSO Onsite Outsourcing
Recognized on the Inc. 5000 list of the nation's fastest growing companies for the third consecutive year, and led by industry pioneer Mitch Weiner, FSO's growth and success can be attributed to making a positive and powerful impact on their clients' bottom lines, as well as their employees' careers and lives.

About Lorrie Faith Cranor

Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. In 2012-13 she spent her sabbatical year as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.
