Re: [IxDA Discuss] password strength usability studies?
> I think my recommendation is going to be a weak-medium-strong entropy indicator that takes dictionary words into account

I was user testing a sign-up form that included a password strength indicator recently. It had three states: Too Short (which prevented users from submitting the form), Weak and Strong. The only users who paid any attention to the strength indicator were those who initially chose a password which was Too Short, and all they did was add a few characters until the display changed to Weak, then resubmit the form. Only one out of 6 users ended up choosing a password which was Strong, and that didn't appear to be as a result of using the password strength indicator.

Tamlyn

Welcome to the Interaction Design Association (IxDA)! To post to this list ... [EMAIL PROTECTED] Unsubscribe http://www.ixda.org/unsubscribe List Guidelines http://www.ixda.org/guidelines List Help .. http://www.ixda.org/help
Re: [IxDA Discuss] password strength usability studies?
Hi,

I would definitely consider enforcing pass phrases. At Coding Horror (http://www.codinghorror.com/blog/archives/000342.html) you can find a lot of information regarding passwords and security, both from a technical standpoint (never store the password, just the salted hash) and from the user's standpoint. I now use phrases everywhere and it's both easy to remember and easy to modify for each site. My biggest problem now is that many sites prevent longer phrases, stop at 10-15 characters, and don't allow spaces.

A "secure" policy like 8 letters, special characters, with the addition of forcing the user to change every 30/60/90 days, always leads to the simplest possible password like Computer001!, Computer002!, etc. It follows the rules but is extremely easy to brute force hack.

I think that graphical security is harder to handle at the moment because people are not as used to working with it, but it might change over time.

Regards
---
Håkan Reis
Dotway AB
+46(768)510033
My blog || http://blog.reis.se
My company || http://dotway.se
Our conference || http://oredev.org - See you in 2008

On Sat, Sep 20, 2008 at 00:14, Calvin [EMAIL PROTECTED] wrote:
> Not sure if I am totally off-topic, but speaking of passwords, I have got a couple of pretty cool and secure ideas about authentication which I heard from a podcast called Security Now.
>
> The Perfect Paper Passwords (http://www.grc.com/securitynow.htm episode #115 and #117) is an open-source program that can generate a bunch of one-time-only PINs that are meant to be printed on a paper and kept in your wallet.
>
> The YubiKey (http://www.grc.com/securitynow.htm Episode #143) is a tiny USB dongle that has only one button on it that generates a one-time PIN when pressed. The authentication engine is totally open-source and free.
>
> Posted from the new ixda.org http://www.ixda.org/discuss?post=33174
Re: [IxDA Discuss] password strength usability studies?
I haven't seen this posted yet: Bruce Schneier on how to pick a secure password. Some good information in here, and while he's not a usability expert, Schneier totally gets the security-vs-usability problem:

http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

--
jet / KG6ZVQ
http://www.flatline.net
pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8
Re: [IxDA Discuss] password strength usability studies?
Meredeth, I don't know if this is too 'James Bond' for you or if I'm just totally crazy, but I designed this image for you to look at.

Being in the military and working in several police stations I have witnessed high-security guarded areas including Perimeter-based Access Stations. (Pass the yellow line while someone else is gaining entry and you will literally be shot.)

I'm sure you've heard of Graphical Password techniques; many real-life industrial designers use them for such things as gaining entry to a department or car, or to execute a certain action on a control panel or cockpit. Graphical Passwords are still not widely used but there are several advantages to them. (Please note that the wording, character symbols, colours, etc., are simply there to serve as an example.)

Advantages are:
1. The user is able to physically see their pad selection.
2. It is impossible for an intruder to know how many characters are needed (whether it's 8, 9, 10, 11, 12, 13, 14, 15 or 16 digits long).
3. The user is prompted to pay attention due to the 24-hour lockdown possibility.
4. The user has been informed that their IP address has been recorded.
5. The user has been informed that they only have 2 chances to enter.
6. The character symbols can be whatever the team decides for them to be.
7. Physical combinations are easier to remember than a straight jargon password (e.g., someone can punch in a pattern of a cross, or a 'V'-shaped symbol).

I have not thoroughly investigated this, and I'm not totally sure what the disadvantages are. Maybe we can open this up for discussion? I hope this has been a form of help or inspiration to you.

attachment: meredeth.gif
Re: [IxDA Discuss] password strength usability studies?
> people could easily watch you over your shoulder

Just use the yellow line Meredeth... the good ol' yellow line!

You are absolutely right about your points of disadvantages. Remember, my example comes from actual military experience.
1. No one can cross the yellow line or you'll get shot, so there's no problem with anyone looking.
2. Security clearance is way too high for hackers or foreign intruders to enter the premises.
3. Passwords have no personal meaning, so you either remember or get charged for forgetting.

By the way, I never had any personal clearance for this kind of thing. But I witnessed it regularly. Like I said, I have not studied this through, but I do hope that there is a solution in graphical form, simply because I (personally) relate to graphics and symbols. Whatever your solution is, I would be really interested in hearing about it.
Re: [IxDA Discuss] password strength usability studies?
Not sure if I am totally off-topic, but speaking of passwords, I have got a couple of pretty cool and secure ideas about authentication which I heard from a podcast called Security Now.

The Perfect Paper Passwords (http://www.grc.com/securitynow.htm episode #115 and #117) is an open-source program that can generate a bunch of one-time-only PINs that are meant to be printed on a paper and kept in your wallet.

The YubiKey (http://www.grc.com/securitynow.htm Episode #143) is a tiny USB dongle that has only one button on it that generates a one-time PIN when pressed. The authentication engine is totally open-source and free.

Posted from the new ixda.org http://www.ixda.org/discuss?post=33174
[IxDA Discuss] password strength usability studies?
Does anyone know of any studies that weigh various password strength requirements (e.g. minimum 8 characters, one capital letter, one number or symbol) against users' ability to remember the passwords? Or, on a more practical level, reports that track password strength requirements vs. increased calls to support / password reset requests? My client wants increased security, but I don't want the users to go nuts. Trying to find a happy medium.

Also, have you ever had a website ask you to change your password (long after you originally registered)? Did it hugely annoy you or were you pleased that they were tightening up?

Meredith
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Meredith Noble
Information Architect, Usability Matters Inc.
416.598.7770 x16
[EMAIL PROTECTED]
http://www.usabilitymatters.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Re: [IxDA Discuss] password strength usability studies?
Hi Meredith,

There is a lot of information in the area. In the 70's IBM did a lot of research on this (as did others). It mostly came out of IT and human factors publications. I would imagine that in the era of homeland security this is getting some additional funding.

When I worked in this field, we used to explain that usability and security, at the extremes, were two opposite ends of a continuum. Adding to one nearly always compromised the other. I know it is a bit simplistic, but it works as a quick explanation.

If you can get access to Forrester's, I know they have a pile of info on the topic; sorry I can't give you anything specific right now.

Mark

On Fri, Sep 19, 2008 at 10:00 AM, Meredith Noble [EMAIL PROTECTED] wrote:
> Does anyone know of any studies that weigh various password strength requirements (e.g. minimum 8 characters, one capital letter, one number or symbol) against users' ability to remember the passwords? Or, on a more practical level, reports that track password strength requirements vs. increased calls to support / password reset requests? My client wants increased security, but I don't want the users to go nuts. Trying to find a happy medium.
>
> Also, have you ever had a website ask you to change your password (long after you originally registered)? Did it hugely annoy you or were you pleased that they were tightening up?
>
> Meredith
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Meredith Noble
> Information Architect, Usability Matters Inc.
> 416.598.7770 x16
> [EMAIL PROTECTED]
> http://www.usabilitymatters.com
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Re: [IxDA Discuss] password strength usability studies?
> When I worked in this field, we used to explain that usability and security, at the extremes, were two opposite ends of a continuum. Adding to one nearly always compromised the other. I know it is a bit simplistic, but it works as a quick explanation.

Thanks, Mark. I am quite familiar with the usability-security continuum, but I'm surprised at how few sites out there have concrete recommendations on where the best place along the continuum is. I guess it's still too controversial, but surely someone out there has some opinions on what the best password policy is, trading off complexity / time to hack and ability for users to remember. Perhaps, as you say, they're all lurking in Forrester, which, sadly, I don't have access to!

Another person replied to me privately with the following blog post:
http://www.baekdal.com/articles/usability/password-security-usability/

The author talks about how long it would take a hacker to break certain passwords. It's easy to calculate how long brute force attacks might take, but it gets scary when you look at dictionary attacks.

I think my recommendation is going to be a weak-medium-strong entropy indicator that takes dictionary words into account, plus restricting the number of attempts the user can make within a time period. I am EXTREMELY worried about forcing high entropy on people though... so that's where I start sighing. Sigh.

Meredith
Re: [IxDA Discuss] password strength usability studies?
Well, the reality of the stringent password policy issue is that people will find lazy workarounds unless they are invested in the liability. Meaning... if it is their credit card that will be used, they 'may' be concerned and motivated. I did quite a bit of ethnography on this and collected a gallery of images - sticky notes under keyboards, behind monitors, etc... the computer equivalent of putting the car keys in the visor.

The company was in the business of offering a two-factor authentication solution, so we weren't particularly interested in solving the specific usability problem of passwords, but instead worked to solve the overarching problem with a hardware component.

If I can help any further Meredith, just let me know.

Mark

On Fri, Sep 19, 2008 at 1:38 PM, Meredith Noble [EMAIL PROTECTED] wrote:
>> When I worked in this field, we used to explain that usability and security, at the extremes, were two opposite ends of a continuum. Adding to one nearly always compromised the other. I know it is a bit simplistic, but it works as a quick explanation.
>
> Thanks, Mark. I am quite familiar with the usability-security continuum, but I'm surprised at how few sites out there have concrete recommendations on where the best place along the continuum is. I guess it's still too controversial, but surely someone out there has some opinions on what the best password policy is, trading off complexity / time to hack and ability for users to remember. Perhaps, as you say, they're all lurking in Forrester, which, sadly, I don't have access to!
>
> Another person replied to me privately with the following blog post:
> http://www.baekdal.com/articles/usability/password-security-usability/
>
> The author talks about how long it would take a hacker to break certain passwords. It's easy to calculate how long brute force attacks might take, but it gets scary when you look at dictionary attacks.
>
> I think my recommendation is going to be a weak-medium-strong entropy indicator that takes dictionary words into account, plus restricting the number of attempts the user can make within a time period. I am EXTREMELY worried about forcing high entropy on people though... so that's where I start sighing. Sigh.
>
> Meredith
Re: [IxDA Discuss] password strength usability studies?
Okay, this isn't strictly speaking about password usability... but it's an issue that concerns me. It's my belief that this represents the usability end of the continuum.

My bank (yes, that's right... my *bank*) uses a method that they swear is extremely difficult to hack (in fact, they switched over to this system for enhanced security purposes): you enter your account number, press login, and you're taken to a page that has your password embedded in a graphic (a pretty background picture that you get to choose) as a graphic... in case that's hard for you to read, it appears in text below the graphic. Typing in that password gives you full access to all banking capabilities. You can't use anything but alphanumeric characters in your password; they insist on one number.

Can anyone here see *anything* about this that qualifies as security? It seems to me that all I have to do is write a check to one untrustworthy person, get my purse stolen, apply for direct deposit with an $8/hr clerk with an attitude and I'm hosed.

Katie

At 1:52 PM -0400 9/19/08, mark schraad wrote:
> Well, the reality of the stringent password policy issue is that people will find lazy workarounds unless they are invested in the liability. Meaning... if it is their credit card that will be used, they 'may' be concerned and motivated. I did quite a bit of ethnography on this and collected a gallery of images - sticky notes under keyboards, behind monitors, etc... the computer equivalent of putting the car keys in the visor.
>
> The company was in the business of offering a two-factor authentication solution, so we weren't particularly interested in solving the specific usability problem of passwords, but instead worked to solve the overarching problem with a hardware component.
>
> If I can help any further Meredith, just let me know.
>
> Mark
>
> On Fri, Sep 19, 2008 at 1:38 PM, Meredith Noble [EMAIL PROTECTED] wrote:
>>> When I worked in this field, we used to explain that usability and security, at the extremes, were two opposite ends of a continuum. Adding to one nearly always compromised the other. I know it is a bit simplistic, but it works as a quick explanation.
>>
>> Thanks, Mark. I am quite familiar with the usability-security continuum, but I'm surprised at how few sites out there have concrete recommendations on where the best place along the continuum is. I guess it's still too controversial, but surely someone out there has some opinions on what the best password policy is, trading off complexity / time to hack and ability for users to remember. Perhaps, as you say, they're all lurking in Forrester, which, sadly, I don't have access to!
>>
>> Another person replied to me privately with the following blog post:
>> http://www.baekdal.com/articles/usability/password-security-usability/
>>
>> The author talks about how long it would take a hacker to break certain passwords. It's easy to calculate how long brute force attacks might take, but it gets scary when you look at dictionary attacks.
>>
>> I think my recommendation is going to be a weak-medium-strong entropy indicator that takes dictionary words into account, plus restricting the number of attempts the user can make within a time period. I am EXTREMELY worried about forcing high entropy on people though... so that's where I start sighing. Sigh.
>>
>> Meredith

--
Katie Albers, Senior Director
Web-Based Services
Mary-Margaret Network
Find. Grow. Work. Play.
+1 310 356 7550 (voice)
+1 877 662 3777 x 709
[EMAIL PROTECTED]
http://www.mary-margaret.com
Re: [IxDA Discuss] password strength usability studies?
Brett brings up another possibility - has anyone ever implemented passphrases or graphical passwords on their websites? I've never seen them on the web (only in non-web applications, like passphrases for WEP keys). I'm curious if there are any downsides to passphrases in particular. I don't think I would force users to use a passphrase, but I'm interested in suggesting it to them as a more secure option. (I doubt my client has the resources for a graphical password system at this point.)

Brett, just to play devil's advocate, the downsides to your proposed system seem to be:
- only 28 potential characters -- so there are only 28^L possibilities for the password (where L is the length of the password), whereas a regular keyboard gives you 96^L possibilities (although L could be left open, most users would probably keep it fairly low so they could more easily remember the password)
- people could easily watch you over your shoulder
- hackers could probably try patterns first - Vs, Ls, etc.
- because not all letters / numbers are available, you can't create a password with much personal meaning to you.

Meredith
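The two sides of Meredith's proposal in working code: a weak/medium/strong indicator that charges a dictionary word a few bits instead of a bit-per-character brute-force figure, a per-account attempt limiter for the "restrict the number of attempts within a time period" half, and the 28^L vs 96^L comparison from the post above expressed as search-space bits. This is an added example, not code from anyone in the thread; the ten-word dictionary, the 2-bit mangling allowance and the 36/60-bit thresholds are assumptions chosen to keep it readable.

```python
import math
from collections import defaultdict

# Constructed mini-dictionary (assumption: a real indicator loads a large list
# of common words and leaked passwords; ten entries keep the example readable).
DICTIONARY = {"password", "computer", "welcome", "dragon", "monkey",
              "letmein", "summer", "secret", "love", "money"}
# Assumed allowance for common mangling of a word (Capitalised, digits or a
# symbol appended): a couple of extra guesses' worth, not a bit per character.
MANGLING_BITS = 2.0

def charset_size(pw: str) -> int:
    """Size of the smallest keyboard-class alphabet that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 32  # printable ASCII punctuation and space
    return max(size, 1)

def estimate_bits(pw: str) -> float:
    """Dictionary-aware estimate: each dictionary word in pw (case-insensitive,
    longest match first) costs log2(|DICTIONARY|) + MANGLING_BITS; every other
    character costs log2(charset_size(pw)), the plain brute-force figure."""
    per_char = math.log2(charset_size(pw))
    word_bits = math.log2(len(DICTIONARY)) + MANGLING_BITS
    lower, bits, i = pw.lower(), 0.0, 0
    while i < len(lower):
        hits = [w for w in DICTIONARY if lower.startswith(w, i)]
        if hits:
            bits += word_bits
            i += max(len(w) for w in hits)
        else:
            bits += per_char
            i += 1
    return bits

def rate(pw: str, weak_below: float = 36.0, strong_from: float = 60.0) -> str:
    """Three-state indicator: 'weak' / 'medium' / 'strong' (thresholds assumed)."""
    bits = estimate_bits(pw)
    if bits < weak_below:
        return "weak"
    return "strong" if bits >= strong_from else "medium"

def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2(alphabet_size ** length): e.g. 28-symbol pad vs 96-key keyboard."""
    return length * math.log2(alphabet_size)

class AttemptLimiter:
    """At most max_attempts failed logins per account inside a sliding window
    of `window` seconds; `now` is passed in so the logic is deterministic."""
    def __init__(self, max_attempts: int = 5, window: float = 900.0):
        self.max_attempts, self.window = max_attempts, window
        self._failures = defaultdict(list)

    def allowed(self, account: str, now: float) -> bool:
        recent = [t for t in self._failures[account] if now - t < self.window]
        self._failures[account] = recent  # forget expired failures
        return len(recent) < self.max_attempts

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account].append(now)
```

Computer001! scores about 31 bits here rather than the ~79 bits a per-character count would give a 12-character mixed password, which is exactly the gap between a brute-force estimate and a dictionary attack that the thread worries about.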