
Human Factors in Information Security – Part 3

In this series of blog entries I’ve been discussing human factors engineering in information security, why it is so important, and the kinds of usability engineering flaws that can be found in so many information security tools. I’d like to shift gears a bit, so to speak, and talk about some usability issues related to passwords. Before I go any further, I need to apologize for bringing up the topic of passwords, which I believe are (because of the many inherent exposures associated with them) little more than a dead end from a security point of view. But for various reasons, unfortunately, passwords are likely to continue to be used in authentication for the foreseeable future, whether we like it or not.

We all know that passwords are typically incredibly easy to crack. If you do not believe this, try running Rainbow Crack against passwords for a Windows system or domain. This tool is unbelievably deadly in its success rate, yet it is only one of a number of tools of this caliber that are freely available on the Internet. Using more difficult passwords lowers Rainbow Crack’s and other cracking tools’ success rate, but there is an associated cost to users—difficulty in remembering more difficult passwords. Years ago someone came up with a potentially very good idea—using passphrases instead of conventional passwords. So, for example, the phrase “Take me out to the ball game, take me out to the crowd” could be used to produce the password “Tmottbgtmottc.” This password would be much more difficult to crack than a dictionary word of the same length, and (at least in theory) remembering this password would be considerably easier, since phrases are easier to remember than are arbitrary character strings.

Not so fast, however! I’d be willing to bet that most information security professionals believe that passphrases are more difficult to crack, yet much easier to remember, than other types of difficult passwords; empirical research does not completely support this belief. Vu, Tai, Bhargav, Schultz and Proctor conducted several studies to resolve this issue. Users had to create sentences and then use the first letters of each word in the sentences to generate passwords. In theory, both password recall and the passwords’ ability to resist cracking should have increased. However, the results demonstrated that creating sentences produced significantly more crack-resistant passwords only when users were instructed to include a digit and a special character in the sentence (and, therefore, also in the password). These results show just how powerful today’s generation of password cracking tools is; they are so powerful that passphrases in and of themselves are no particular problem for them to crack. And there was a cost to including a digit and a special character in passphrases: doing so lowered users’ ability to remember the passwords in both short-term and long-term recall. Furthermore, embedding digits and special characters significantly increased the time it took to create passwords. The results of these studies show that conventional passphrases do not necessarily improve resistance to cracking, and that when they are “beefed up” by including a digit and a special character, they become more difficult to crack but memorability declines. Overall, these results show that there is a tradeoff between choosing strong passwords and memorability.
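To make the derivation rule and the study’s digit-plus-special-character condition concrete, here is an added Python example; it is my illustration, not code from the post or from the Vu et al. study. The first-character rule, the second (constructed) sentence, and the brute-force keyspace estimate are my assumptions.

```python
import math
import string

# Constructed sentences (not from the study). The first is the post's own
# example; the second is an assumed sentence that follows the study's
# "include a digit and a special character" instruction.
PLAIN_SENTENCE = "Take me out to the ball game, take me out to the crowd"
STRONG_SENTENCE = "Take me out to the ball game, 4 innings & then the crowd"

SPECIALS = set(string.punctuation)


def mnemonic_password(sentence: str) -> str:
    """First character of every whitespace-separated word, case preserved.

    Assumed reading of the post's rule: a digit or symbol reaches the
    password only if it starts a word (a standalone "4" or "&");
    punctuation glued to the end of a word, like the comma in "game,",
    is dropped.
    """
    return "".join(word[0] for word in sentence.split())


def meets_study_condition(password: str) -> bool:
    """True when the password holds at least one digit and one special
    character, the only condition under which the study found sentence
    generation to yield significantly more crack-resistant passwords."""
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    return has_digit and has_special


def keyspace_bits(password: str) -> float:
    """Rough brute-force upper bound: log2(alphabet ** length), with the
    alphabet being the union of character classes actually used.
    It says nothing about guessability by attacks built on word lists
    or common phrases, which is why a letters-only mnemonic can score
    well here yet fare no better in the study."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SPECIALS for c in password):
        alphabet += len(SPECIALS)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for sentence in (PLAIN_SENTENCE, STRONG_SENTENCE):
        pw = mnemonic_password(sentence)
        print(f"{pw!r:18} digit+special={meets_study_condition(pw)} "
              f"~{keyspace_bits(pw):.1f} bits")
```

Run as a script it derives both passwords, reports whether each satisfies the study’s condition, and prints the keyspace estimate, which is a bound on brute force only, not on dictionary or phrase-based guessing.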

Because using passphrases is so highly revered in information security, I am quite confident that there will be some negative reactions to what I have presented. I can only say that empirical results should be revered more than long-held beliefs. Science, not dogma, should guide our thinking whenever possible. Additionally, I am not advising anyone to quit requiring that passphrases be used. I am only saying what I have been saying all along: before you go with passphrases or any other kind of security control measure, be sure to look carefully at the associated costs and benefits, making sure that you give strong weight to usability engineering considerations when you assess both.


By the way, if you want to read the write-up of the Vu, Tai, Bhargav, Schultz and Proctor studies, here is the reference:

Vu, Kim-Phuong L., Tai, Bik-Lam, Bhargav, Abhilasha, Schultz, E. Eugene and Proctor, Robert W., Promoting memorability and security of passwords through sentence generation. Proceedings of the Human Factors and Ergonomics Society’s 48th Annual Meeting, September 2004.
