Security Engineering

Ross Anderson

Second Edition

Twilio v. Telesign - IPR2016-01688 | Telesign Ex. 2006
Page 23

Wiley Publishing, Inc.
10475 Crosspoint Blvd
Indianapolis, IN 46256

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-06852-6

Manufactured in the United States of America

10 9 8 7 6 5 4 3

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd, Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought.

2.3 Insights from Psychology Research

25

won the Nobel Prize in economics in 2002 for launching this field (along with the late Amos Tversky). One of his insights was that the heuristics we use in everyday judgement and decision making lie somewhere between rational thought and the unmediated input from the senses [679].

Kahneman and Tversky did extensive experimental work on how people made decisions faced with uncertainty. They developed prospect theory which models risk aversion, among other things: in many circumstances, people dislike losing $100 they already have more than they value winning $100. That’s why marketers talk in terms of ‘discount’ and ‘saving’ — framing an action as a gain rather than as a loss makes people more likely to take it. We’re also bad at calculating probabilities, and use all sorts of heuristics to help us make decisions: we base inferences on familiar or easily-imagined analogies (the availability heuristic whereby easily-remembered data have more weight in mental processing), and by comparison with recent experiences (the anchoring effect whereby we base a judgement on an initial guess or comparison and then adjust it if need be). We also worry too much about unlikely events.

The channels through which we experience things also matter (we’re more likely to be sceptical about things we’ve heard than about things we’ve seen). Another factor is that we evolved in small social groups, and the behaviour appropriate here isn’t the same as in markets; indeed, many frauds work by appealing to our atavistic instincts to trust people more in certain situations or over certain types of decision. Other traditional vices now studied by behavioural economists range from our tendency to procrastinate to our imperfect self-control.

This tradition is not just relevant to working out how likely people are to click on links in phishing emails, but to the much deeper problem of the public perception of risk. Many people perceive terrorism to be a much worse threat than food poisoning or road traffic accidents: this is irrational, but hardly surprising to a behavioural economist, as we overestimate the small risk of dying in a terrorist attack not just because it’s small but because of the visual effect of the 9/11 TV coverage and the ease of remembering the event. (There are further factors, which I’ll discuss in Chapter 24 when we discuss terrorism.)

The misperception of risk underlies many other public-policy problems. The psychologist Daniel Gilbert, in an article provocatively entitled ‘If only gay sex caused global warming’, discusses why we are much more afraid of terrorism than of climate change. First, we evolved to be much more wary of hostile intent than of nature; 100,000 years ago, a man with a club (or a hungry lion) was a much worse threat than a thunderstorm. Second, global warming doesn’t violate anyone’s moral sensibilities; third, it’s a long-term threat rather than a clear and present danger; and fourth, we’re sensitive to rapid changes in the environment rather than slow ones [526].

Bruce Schneier lists more biases: we are less afraid when we’re in control, such as when driving a car, as opposed to being a passenger in a car or
airplane; we are more afraid of risks to which we’ve been sensitised, for example by gruesome news coverage; and we are more afraid of uncertainty, that is, when the magnitude of the risk is unknown (even when it’s small). And a lot is known about the specific mistakes we’re likely to make when working out probabilities and doing mental accounting [1129, 1133].

Most of us are not just more afraid of losing something we have than of not making a gain of equivalent value, as prospect theory models. We’re also risk-averse in that most people opt for a bird in the hand rather than two in the bush. This is thought to be an aspect of satisficing — as situations are often too hard to assess accurately, we have a tendency to plump for the alternative that’s ‘good enough’ rather than face the cognitive strain of trying to work out the odds perfectly, especially when faced with a small transaction. Another aspect of this is that many people just plump for the standard configuration of a system, as they assume it will be good enough. This is one reason why secure defaults matter.¹

There is a vast amount of material here that can be exploited by the fraudster and the terrorist, as well as by politicians and other marketers. And as behavioural psychology gets better understood, the practice of marketing gets sharper too, and the fraudsters are never far behind. And the costs to business come not just from crime directly, but even more from the fear of crime. For example, many people don’t use electronic banking because of a fear of fraud that is exaggerated (at least in the USA with its tough consumer-protection laws): so banks pay a fortune for the time of branch and call-center staff. So it’s not enough for the security engineer to stop bad things happening; you also have to reassure people. The appearance of protection can matter just as much as the reality.

2.3.3 Different Aspects of Mental Processing

Many psychologists see the mind as composed of interacting rational and emotional components — ‘heart’ and ‘head’, or ‘affective’ and ‘cognitive’ systems. Studies of developmental biology have shown that, from an early age, we have different mental processing systems for social phenomena (such as recognising parents and siblings) and physical phenomena. Paul Bloom has written a provocative book arguing that the tension between them explains why many people are natural dualists — that is, they believe that mind and body are basically different [194]. Children try to explain what they see using their understanding of physics, but when this falls short, they explain phenomena in terms of deliberate action. This tendency to look for affective

¹ In fact, behavioral economics has fostered a streak of libertarian paternalism in the policy world that aims at setting good defaults in many spheres. An example is the attempt to reduce poverty in old age by making pension plans opt-out rather than opt-in.
explanations in the absence of material ones has survival value to the young, as it disposes them to get advice from parents or other adults about novel natural phenomena. According to Bloom, it has a significant side-effect: it predisposes humans to believe that body and soul are different, and thus lays the ground for religious belief. This argument may not overwhelm the faithful (who can retort that Bloom simply stumbled across a mechanism created by the Intelligent Designer to cause us to have faith in Him). But it may have relevance for the security engineer.

First, it goes some way to explaining the fundamental attribution error — people often err by trying to explain things by intentionality rather than by situation. Second, attempts to curb phishing by teaching users about the gory design details of the Internet — for example, by telling them to parse URLs in emails that seem to come from a bank — will be of limited value if users get bewildered. If the emotional is programmed to take over whenever the rational runs out, then engaging in a war of technical measures and countermeasures with the phishermen is fundamentally unsound. Safe defaults would be better — such as ‘Our bank will never, ever send you email. Any email that purports to come from us is fraudulent.’

It has spilled over recently into behavioural economics via the affect heuristic, explored by Paul Slovic and colleagues [1189]. The idea is that by asking an emotional question (such as ‘How many dates did you have last month?’) you can get people to answer subsequent questions using their hearts more than their minds, which can make people insensitive to probability. This work starts to give us a handle on issues from people’s risky behaviour with porn websites to the use of celebrities in marketing (and indeed in malware). Cognitive overload also increases reliance on affect: so a bank that builds a busy website may be able to sell more life insurance, but it’s also likely to make its customers more vulnerable to phishing. In the other direction, events that evoke a feeling of dread — from cancer to terrorism — scare people more than the naked probabilities justify.

Our tendency to explain things by intent rather than by situation is reinforced by a tendency to frame decisions in social contexts; for example, we’re more likely to trust people against whom we can take vengeance. (I’ll discuss evolutionary game theory, which underlies this, in the chapter on Economics.)

2.3.4 Differences Between People

Most information systems are designed by men, and yet over half their users may be women. Recently people have realised that software can create barriers to females, and this has led to research work on ‘gender HCI’ — on how software should be designed so that women as well as men can use it effectively. For example, it’s known that women navigate differently from men in the real world, using peripheral vision more, and it duly turns
out that larger displays reduce gender bias. Other work has focused on female programmers, especially end-user programmers working with tools like spreadsheets. It turns out that women tinker less than males, but more effectively [139]. They appear to be more thoughtful, but lower self-esteem and higher risk-aversion leads them to use fewer features. Given that many of the world’s spreadsheet users are women, this work has significant implications for product design.

No-one seems to have done any work on gender and security usability, yet reviews of work on gender psychology (such as [1012]) suggest many points of leverage. One formulation, by Simon Baron-Cohen, classifies human brains into type S (systematizers) and type E (empathizers) [120]. Type S people are better at geometry and some kinds of symbolic reasoning, while type Es are better at language and multiprocessing. Most men are type S, while most women are type E, a relationship that Baron-Cohen believes is due to fetal testosterone levels. Of course, innate abilities can be modulated by many developmental and social factors. Yet, even at a casual reading, this material makes me suspect that many security mechanisms are far from gender-neutral. Is it unlawful sex discrimination for a bank to expect its customers to detect phishing attacks by parsing URLs?

2.3.5 Social Psychology

This discipline attempts to explain how the thoughts, feelings, and behaviour of individuals are influenced by the actual, imagined, or implied presence of others. It has many aspects, from the identity that people derive from belonging to groups, through the self-esteem we get by comparing ourselves with others. It may be particularly useful in understanding persuasion; after all, deception is the twin brother of marketing. The growth of social-networking systems will lead to peer pressure being used as a tool for deception, just as it is currently used as a tool for marketing fashions.

Social psychology has been entangled with the security world longer than many other parts of psychology through its relevance to propaganda, interrogation and aggression. Three particularly famous experiments in the 20th century illuminated this. In 1951, Solomon Asch showed that people could be induced to deny the evidence of their own eyes in order to conform to a group. Subjects judged the lengths of lines after hearing wrong opinions from other group members, who were actually the experimenter’s associates. Most subjects gave in and conformed, with only 29% resisting the bogus majority [90].

Stanley Milgram was inspired by the 1961 trial of Adolf Eichmann to investigate how many experimental subjects were prepared to administer severe electric shocks to an actor playing the role of a ‘learner’ at the behest of an experimenter playing the role of the ‘teacher’ — even when the ‘learner’
appeared to be in severe pain and begged the subject to stop. This experiment was designed to measure what proportion of people will obey an authority rather than their conscience. Most will — consistently over 60% of people will do downright immoral things if they are told to [888].

The third of these was the Stanford Prisoner Experiment which showed that normal people can behave wickedly even in the absence of orders. In 1971, experimenter Philip Zimbardo set up a ‘prison’ at Stanford where 24 students were assigned at random to the roles of 12 warders and 12 inmates. The aim of the experiment was to discover whether prison abuses occurred because warders (and possibly prisoners) were self-selecting. However, the students playing the role of warders rapidly became sadistic authoritarians, and the experiment was halted after six days on ethical grounds [1377].

Abuse of authority, whether real or ostensible, is a major issue for people designing operational security measures. During the period 1995–2005, a hoaxer calling himself ‘Officer Scott’ ordered the managers of over 68 US stores and restaurants in 32 US states (including at least 17 McDonald’s stores) to detain some young employee on suspicion of theft and strip-search her or him. Various other degradations were ordered, including beatings and sexual assaults [1351]. A former prison guard was tried for impersonating a police officer but acquitted. At least 13 people who obeyed the caller and did searches were charged with crimes, and seven were convicted. McDonald’s got sued for not training its store managers properly, even years after the pattern of hoax calls was established; and in October 2007, a jury ordered McDonald’s to pay $6.1 million to Louise Ogborn, one of the victims, who had been strip-searched when she was an 18-year-old employee. It was an unusually nasty case, as the victim was then left by the store manager in the custody of her boyfriend, who forced her to perform oral sex on him. The boyfriend got five years, and the manager pleaded guilty to unlawfully detaining Ogborn. When it came to the matter of damages, McDonald’s argued that Ogborn was responsible for whatever damages she suffered for not realizing it was a hoax, and that the store manager had failed to apply common sense. A Kentucky jury didn’t buy this and ordered McDonald’s to pay up. The store manager also sued, saying she too was the victim of McDonald’s negligence to warn her of the hoax, and got $1.1 million [740]. So as of 2007, US employers seem to have a legal duty to train their staff to resist pretexting.

But what about a firm’s customers? There is a lot of scope for phishermen to simply order bank customers to reveal their security data. Bank staff routinely tell their customers to do this, even when making unsolicited calls. I’ve personally received an unsolicited call from my bank saying ‘Hello, this is Lloyds TSB, can you tell me your mother’s maiden name?’ and caused the caller much annoyance by telling her to get lost. Most people don’t, though. ATM card thieves already called their victims in the 1980s and, impersonating
bank or police officers, have ordered them to reveal PINs ‘so that your card can be deactivated’. The current scam — as of December 2007 — is that callers who pretend to be from Visa say they are conducting a fraud investigation. After some rigmarole they say that some transactions to your card were fraudulent, so they’ll be issuing a credit. But they need to satisfy themselves that you are still in possession of your card: so can you please read out the three security digits on the signature strip? A prudent system designer will expect a lot more of this, and will expect the courts to side with the customers eventually. If you train your customers to do something that causes them to come to harm, you can expect no other outcome.

Another interesting offshoot of social psychology is cognitive dissonance theory. People are uncomfortable when they hold conflicting views; they seek out information that confirms their existing views of the world and of themselves, and try to reject information that conflicts with their views or might undermine their self-esteem. One practical consequence is that people are remarkably able to persist in wrong courses of action in the face of mounting evidence that things have gone wrong [1241]. Admitting to yourself or to others that you were duped can be painful; hustlers know this and exploit it. A security professional should ‘feel the hustle’ — that is, be alert for a situation in which recently established social cues and expectations place you under pressure to ‘just do’ something about which you’d normally have reservations, so that you can step back and ask yourself whether you’re being had. But training people to perceive this is hard enough, and getting the average person to break the social flow and say ‘stop!’ is really hard.

2.3.6 What the Brain Does Better Than the Computer

Psychology isn’t all doom and gloom for our trade, though. There are tasks that the human brain performs much better than a computer. We are extremely good at recognising other humans visually, an ability shared by many primates. We are good at image recognition generally; a task such as ‘pick out all scenes in this movie where a girl rides a horse next to water’ is trivial for a human child yet a hard research problem in image processing. We’re also better than machines at understanding speech, particularly in noisy environments, and at identifying speakers.

These abilities mean that it’s possible to devise tests that are easy for humans to pass but hard for machines — the so-called ‘CAPTCHA’ tests that you often come across when trying to set up an online account or posting to a bulletin board. I will describe CAPTCHAs in more detail later in this chapter. They are a useful first step towards introducing some asymmetry into the interactions between people and machines, so as to make the bad guy’s job harder than the legitimate user’s.
2.4 Passwords

In this section, I will focus on the management of passwords as a simple, important and instructive context in which usability, applied psychology and security meet. Passwords are one of the biggest practical problems facing security engineers today. In fact, as the usability researcher Angela Sasse puts it, it’s hard to think of a worse authentication mechanism than passwords, given what we know about human memory: people can’t remember infrequently-used, frequently-changed, or many similar items; we can’t forget on demand; recall is harder than recognition; and non-meaningful words are more difficult. The use of passwords imposes real costs on business: the UK phone company BT has a hundred people in its password-reset centre.

There are system and policy issues too: as people become principals in more and more electronic systems, the same passwords get used over and over again. Not only may attacks be carried out by outsiders guessing passwords, but by insiders in other systems. People are now asked to choose passwords for a large number of websites that they visit rarely. Does this impose an unreasonable burden?

Passwords are not, of course, the only way of authenticating users to systems. There are basically three options. The person may retain physical control of the device — as with a remote car door key. The second is that she presents something she knows, such as a password. The third is to use something like a fingerprint or iris pattern, which I’ll discuss in the chapter on Biometrics. (These options are commonly summed up as ‘something you have, something you know, or something you are’ — or, as Simson Garfinkel engagingly puts it, ‘something you had once, something you’ve forgotten, or something you once were’.) But for reasons of cost, most systems take the second option; and even where we use a physical token such as a one-time password generator, it is common to use another password as well (whether to lock it, or as an additional logon check) in case it gets stolen. Biometrics are also commonly used in conjunction with passwords, as you can’t change your fingerprint once the Mafia gets to know it. So, like it or not, passwords are the (often shaky) foundation on which much of information security is built.

Some passwords have to be ‘harder’ than others, the principal reason being that sometimes we can limit the number of guesses an opponent can make and sometimes we cannot. With an ATM PIN, the bank can freeze the account after three wrong guesses, so a four-digit number will do. But there are many applications where it isn’t feasible to put a hard limit on the number of guesses, such as where you encrypt a document with a password; someone who gets hold of the ciphertext can try passwords till the cows come home. In such applications, we have to try to get people to use longer passwords that are really hard to guess.
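The asymmetry just described, as an added example that is not part of the book: a verifier that freezes the account after three failures (the ATM regime, where a four-digit PIN is enough) beside the arithmetic for an offline target, where nothing caps the guess count. The `OnlineVerifier` class, the helper functions and the guessing rate of 10⁹ per second used in `compare_regimes` are all assumptions made for the illustration, not figures from the text.

```python
# Added example, not code from the book: an online verifier that can cap the
# number of guesses (as a bank does with a four-digit ATM PIN) beside the
# arithmetic for an offline target such as a password-encrypted document,
# where nothing limits how many guesses an attacker can make.
import hashlib
import hmac
import os


class OnlineVerifier:
    """Checks a secret and freezes the account after MAX_TRIES failures.

    The secret is stored as a salted SHA-256 digest; the lockout, not the
    length of the secret, is what keeps a four-digit PIN adequate here.
    """

    MAX_TRIES = 3

    def __init__(self, secret: str):
        self._salt = os.urandom(16)
        self._digest = self._hash(secret)
        self.failures = 0
        self.frozen = False

    def _hash(self, value: str) -> bytes:
        return hashlib.sha256(self._salt + value.encode("utf-8")).digest()

    def check(self, guess: str) -> bool:
        if self.frozen:                       # a frozen account rejects everything
            return False
        if hmac.compare_digest(self._digest, self._hash(guess)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_TRIES:
            self.frozen = True
        return False


def password_space(alphabet_size: int, length: int) -> int:
    """Number of possible secrets of the given length over the given alphabet."""
    return alphabet_size ** length


def online_success_probability(space_size: int, tries: int = OnlineVerifier.MAX_TRIES) -> float:
    """Chance that an attacker limited to `tries` guesses hits a uniformly chosen secret."""
    return min(1.0, tries / space_size)


def offline_expected_seconds(space_size: int, guesses_per_second: float) -> float:
    """Expected search time when the guess count is unlimited: on average half
    the space must be tried before the right value turns up."""
    return (space_size / 2) / guesses_per_second


def compare_regimes(guesses_per_second: float = 1e9) -> dict:
    """Put the two regimes side by side for a 4-digit PIN and a 12-character
    mixed-case alphanumeric password (62-symbol alphabet). The guessing rate
    is an assumed figure for one offline cracking machine, not from the book."""
    pin = password_space(10, 4)
    long_pw = password_space(62, 12)
    return {
        "pin_online_success_with_lockout": online_success_probability(pin),
        "pin_offline_seconds": offline_expected_seconds(pin, guesses_per_second),
        "long_password_offline_years":
            offline_expected_seconds(long_pw, guesses_per_second) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    v = OnlineVerifier("1234")
    for guess in ("0000", "1111", "2222", "1234"):
        print(guess, v.check(guess), "frozen" if v.frozen else "")
    for name, value in compare_regimes().items():
        print(name, value)
```

The point the numbers make is the one in the text: with a lockout, the PIN's four digits give an attacker a 3-in-10,000 chance and the exact guessing speed is irrelevant; without one, the same PIN falls in microseconds, and only the size of the password space protects the document.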
In addition to things that are ‘obviously’ passwords, such as your computer password and your bank card PIN, many other things (and combinations of things) are used for the same purpose. The most notorious are social security numbers, and your mother’s maiden name, which many organisations use to recognize you. The ease with which such data can be guessed, or found out from more or less public sources, has given rise to a huge industry of so-called ‘identity theft’ [458]. Criminals obtain credit cards, mobile phones and other assets in your name, loot them, and leave you to sort out the mess. In the USA, about half a million people are the ‘victims’ of this kind of fraud each year.²

So passwords matter, and managing them is a serious real world problem that mixes issues of psychology with technical issues. There are basically three broad concerns, in ascending order of importance and difficulty:

1. Will the user enter the password correctly with a high enough probability?
2. Will the user remember the password, or will they have to either write it down or choose one that’s easy for the attacker to guess?
3. Will the user break the system security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception?

2.4.1 Difficulties with Reliable Password Entry

Our first human-factors issue is that if a password is too long or complex, users might have difficulty entering it correctly. If the operation they are trying to perform is urgent, this might have safety implications. If customers have difficulty entering software product activation codes, this can generate expensive calls to your support desk.

One application in which this is important is encrypted access codes. By quoting a reservation number, we get access to a hotel room, a rental car or an airline ticket. Activation codes for software and other products are often alphanumeric representations of encrypted data, which can be a 64-bit or 128-bit string with symmetric ciphers and hundreds of bits when public-key cryptography is used. As the numbers get longer, what happens to the error rate?

² I write ‘identity theft’ in quotes as it’s a propaganda term for the old-fashioned offence of impersonation. In the old days, if someone went to a bank, pretended to be me, borrowed money from them and vanished, then that was the bank’s problem, not mine. In the USA and the UK, banks have recently taken to claiming that it’s my identity that’s been stolen rather than their money, and that this somehow makes me liable. So I also parenthesise ‘victims’ — the banks are the real victims, except insofar as they commit secondary fraud against the customer. There’s an excellent discussion of this by Adam Shostack and Paul Syverson in [1166].
An interesting study was done in South Africa in the context of prepaid electricity meters used to sell electricity in areas where the customers have no credit rating and often not even an address. With the most common make of meter, the customer hands some money to a sales agent, and in return gets one or more 20-digit numbers printed out on a receipt. He takes this receipt home and enters the numbers at a keypad in his meter. These numbers are encrypted commands, whether to dispense electricity, to change the tariff or whatever; the meter decrypts them and acts on them.

When this meter was introduced, its designers worried that since a third of the population was illiterate, and since people might get lost halfway through entering the number, the system might be unusable. But it turned out that illiteracy was not a problem: even people who could not read had no difficulty with numbers (‘everybody can use a phone’, as one of the engineers said). Entry errors were a greater problem, but were solved by printing the twenty digits in two rows, with three and two groups of four digits respectively [59].
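As an added example (not code from the book or from the meter's designers), the following shows how the question posed in 2.4.1, what happens to the error rate as encrypted codes get longer, and the meter receipt's answer fit together: the decimal width of a 64-bit or 128-bit ciphertext, the two-row layout of three and two groups of four, a parser that tolerates the spaces and line breaks that layout invites, and a simple error model. The per-digit error rate and the assumption that digit errors are independent are illustrative assumptions, not figures from the study.

```python
# Added example, not from the book: how long an encrypted code becomes when it
# is printed as decimal digits, a receipt layout like the prepaid meter's (two
# rows, three and two groups of four), a lenient entry parser, and an error
# model that assumes independent per-digit entry errors (an assumption made
# for the illustration, not a figure from the study).


def decimal_digits_for_bits(bits: int) -> int:
    """Decimal digits needed to print any value of the given bit length:
    20 for a 64-bit block, 39 for 128 bits."""
    return len(str(2 ** bits - 1))


def encode_token(value: int, bits: int) -> str:
    """Fixed-width decimal string, zero-padded so every token has the same length."""
    if not 0 <= value < 2 ** bits:
        raise ValueError("value does not fit in %d bits" % bits)
    return str(value).zfill(decimal_digits_for_bits(bits))


def group_digits(token: str, row_groups=(3, 2), group_size: int = 4) -> list:
    """Lay the digits out as rows of space-separated groups, e.g. 20 digits
    as one row of three groups of four and one row of two."""
    groups = [token[i:i + group_size] for i in range(0, len(token), group_size)]
    if sum(row_groups) != len(groups):
        raise ValueError("token length does not match the row layout")
    rows, pos = [], 0
    for n in row_groups:
        rows.append(" ".join(groups[pos:pos + n]))
        pos += n
    return rows


def parse_entry(entry: str, expected_digits: int) -> int:
    """Accept the digits typed with any whitespace or line breaks between the
    groups; reject a wrong length or non-digit characters."""
    digits = "".join(entry.split())
    if not digits.isdigit() or len(digits) != expected_digits:
        raise ValueError("expected %d digits, got %r" % (expected_digits, digits))
    return int(digits)


def entry_success_probability(length: int, per_digit_error: float) -> float:
    """Chance the whole code is entered correctly when each digit is wrong
    with probability per_digit_error, independently of the others."""
    return (1.0 - per_digit_error) ** length


if __name__ == "__main__":
    token = encode_token(2 ** 63 + 12345, 64)      # constructed sample value
    print("\n".join(group_digits(token)))
    for bits in (64, 128):
        n = decimal_digits_for_bits(bits)
        print(bits, "bits ->", n, "digits; P(correct at 1% per digit) =",
              round(entry_success_probability(n, 0.01), 3))
```

Under this model the 12-digit, 20-digit and 39-digit codes succeed about 89%, 82% and 68% of the time at a 1% per-digit error rate, which is why the grouping and a forgiving parser matter more the longer the code gets.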
A quite different application is the firing codes for U.S. nuclear weapons. These consist of only 12 decimal digits. If they are ever used, the operators may be under extreme stress, and possibly using improvised or obsolete communications channels. Experiments suggested that 12 digits was the maximum that could be conveyed reliably in such circumstances.

2.4.2 Difficulties with Remembering the Password

Our second psychological issue with passwords is that people often find them hard to remember [245, 1379]. Twelve to twenty digits may be fine when they are simply copied from a telegram or a meter ticket, but when customers are expected to memorize passwords, they either choose values which are easy for attackers to guess, or write them down, or both. In fact, the password problem has been neatly summed up as: ‘Choose a password you can’t remember, and don’t write it down.’

The problems are not limited to computer access. For example, one chain of hotels in France introduced completely unattended service. You would turn up at the hotel, swipe your credit card in the reception machine, and get a receipt with a numerical access code which would unlock your room door. To keep costs down, the rooms did not have en-suite bathrooms, so guests had to use communal facilities. The usual failure mode was that a guest, having gone to the bathroom, would forget his access code. Unless he had taken the receipt with him, he’d end up having to sleep on the bathroom floor until the staff arrived the following morning.

Problems related to password memorability can be discussed under four main headings: naive password choice, user abilities and training, design errors, and operational failures.
2.4.3 Naive Password Choice

Since at least the mid-1980s, people have studied what sort of passwords are chosen by users who are left to their own devices. The results are depressing. People will use spouses’ names, single letters, or even just hit carriage return giving an empty string as their password. So some systems started to require minimum password lengths, or even check user-entered passwords against a dictionary of bad choices. However, password quality enforcement is harder than you might think. Fred Grampp and Robert Morris’s classic paper on Unix security [550] reports that after software became available which forced passwords to be at least six characters long and have at least one nonletter, they made a file of the 20 most common female names, each followed by a single digit. Of these 200 passwords, at least one was in use on each of several dozen machines they examined.

A well-known study was conducted by Daniel Klein who gathered 25,000 Unix passwords in the form of encrypted password files and ran cracking software to guess them [720]. He found that 21–25% of passwords could be guessed depending on the amount of effort put in. Dictionary words accounted for 7.4%, common names for 4%, combinations of user and account name 2.7%, and so on down a list of less probable choices such as words from science fiction (0.4%) and sports terms (0.2%). Some of these were straightforward dictionary searches; others used patterns. For example, the algorithm for constructing combinations of user and account names would take an account ‘klone’ belonging to the user ‘Daniel V. Klein’ and try passwords such as klone, klone1, klone123, dvk, dvkdvk, leinad, neilk, DvkkvD, and so on.

Many firms require users to change passwords regularly, but this tends to backfire. According to one report, when users were compelled to change their passwords and prevented from using the previous few choices, they changed passwords rapidly to exhaust the history list and get back to their favorite password. A response, of forbidding password changes until after 15 days, meant that users couldn’t change compromised passwords without help from an administrator [1008]. A large healthcare organisation in England is only now moving away from a monthly change policy; the predictable result was a large number of password resets at month end (to cope with which, sysadmins reset passwords to a well-known value). In my own experience, insisting on alphanumeric passwords and also forcing a password change once a month led people to choose passwords such as ‘julia03’ for March, ‘julia04’ for April, and so on.
So when our university’s auditors write in their annual report each year that we should have a policy of monthly enforced password change, my response is to ask the chair of our Audit Committee when we’ll get a new lot of auditors.

Even among the general population, there is some evidence that many people now choose slightly better passwords; passwords retrieved from phishing
sites typically contain numbers as well as letters, while the average password length has gone up from six to eight characters and the most common password is not ‘password’ but ‘password1’ [1130]. One possible explanation is that many people try to use the same password everywhere, and the deployment of password checking programs on some websites trains them to use longer passwords with numbers as well as letters [302].

2.4.4 User Abilities and Training

Sometimes you really can train users. In a corporate or military environment you can try to teach them to choose good passwords, or issue them with random passwords, and insist that passwords are treated the same way as the data they protect. So bank master passwords go in the vault overnight, while military ‘Top Secret’ passwords must be sealed in an envelope, in a safe, in a room that’s locked when not occupied, in a building patrolled by guards. You can run back
