[Sigia-l] Password usability

Jonathan Baker-Bates jonathan at bakerbates.com
Fri Dec 10 18:21:49 EST 2010


On 10 December 2010 20:28, Skot Nelson <skot at penguinstorm.com> wrote:

> Jayson's original point about the difference between *allowing* characters
> and *requiring* characters is really quite reasonable.

Sometimes you just have to give in and let stupidity run its course.
If I were you though, I'd look for a way of measuring the harm of that
stupidity, and grasp it with both hands.

Jayson's predicament supports the view that if "security specialists" had
even an ounce of user-centred design in their universe we'd have a heck of a
lot more security going on. Instead, they seem to treat humans like so many
packets transmitted across a wire.

In an effort to (very badly) answer Jayson's question, and since this list has
been a total desert of late, let me repeat one of the more fascinating
stories from the world of "IT security" recounted at a lecture I attended
about human factors in security a while ago (dates and numbers from rough
notes and rather bad memory).

In about 1995, British Telecom had a call centre in Edinburgh of 200
operatives, 5 of whom were dedicated *exclusively* to re-setting passwords
for BT employees world wide. By 2002, this group had expanded to about 15,
and by 2008 it had reached almost 30. Meanwhile, the size of the rest of the
call centre remained pretty constant.

During an internal cost-saving audit in 2008, projections for the expansion
of this group of 24/7 call centre operatives that did nothing other than
re-set employees' lost passwords were found to be running at 100 people by
2012. Not surprisingly, a very loud whistle began to blow.

So it fell to the accountants, and not any "security specialists" to
initiate a project for a multi-million pound single sign-on system across
the bulk of BT's internal systems. Investigation at the time found the
average BT phone engineer in the field needed to know about 8-12 separate
passwords to do their jobs, and a further 5 for peripheral systems. Some
employees needed up to 25 passwords to be effective.

Another wonderful story recounted was of an American bank that changed its
logo. As part of that change, they replaced the plastic fascias of its ATM
machines across the country. As they rolled out the new fascias, they noticed
regional spikes in people contacting them to request new cash cards and to
re-set PIN numbers. The bank found out that many of these people had written
their PIN numbers onto the fascia of their local cash machines. Indeed, if
you look closely at many cash machines around the world today, you will
quite often find 4-digit numbers discreetly inscribed somewhere on them.

I could also tell the story of how security specialists devised a protocol
called "3D Secure" to form the basis of the "Verified By Visa" online credit
card authorisation system. This resulted in a system that was I'm sure
technically sound, but ludicrously insecure because it effectively makes
banks phish their own customers. Almost at a stroke, 3D Secure has probably
set the cause of online security back perhaps a whole generation by
encouraging people to accept broken trust models when transacting online.
This is of course amply aided by Facebook asking for your Gmail password to
add friends to your network (Don't worry, we won't save your password. But
Firesheep, <http://codebutler.com/firesheep> or perhaps just a malicious FB
app, will).

Wow that was cathartic. Anyone else got any security horror UX stories to
tell? I was on a roll there.

Jonathan
