Abstract
Picking good passwords is a cornerstone of computer security. Yet already since the early days (e.g. RFC 602, The Stockings Were Hung by the Chimney with Care, from 1973; we have also borrowed our title from the 1995 movie Hackers), insecure passwords have been a major liability. Ordinary users want simple and fast solutions – they either choose a trivial (to remember and to guess) password, or pick a good one, write it down and stick the paper under the mouse pad, inside the pocket book or to the monitor. They are also prone to reflecting their personal preferences in their password choices, providing telling hints online and giving them out on just a simple social engineering attack. Kevin Mitnick has said that security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology. This applies fully to password security as well. We studied several different groups (students, educators, ICT specialists etc. – more than 300 people in total) and their password usage. The methods included a password practices survey, password training sessions, discussions and also simulated social engineering attacks (the victims were informed immediately about their mistakes).
We suggest that password training should be adjusted for different focus groups. For example, we found that schoolchildren tend to grasp new concepts faster – often, a simple explanation is enough to improve the password remarkably. Thus, we would stress the people and process aspects of the Mitnick formula mentioned above. At the same time, many officials and specialists tend to react to password training with dismissal and scorn (our study suggests that ’you cannot guess my password’ is an alarmingly common mindset). Examples like ’admin’, ’Password’, ’123456’ etc. have occurred even among qualified security professionals, and more so among educators. Yet, as Estonia is increasingly relying on the E-School system, these passwords are becoming a prime target. Therefore, for most adult users we suggest putting the emphasis on the policy and technology aspects (strict, software-enforced lower limits of acceptable password length, character variability checks, but also clearly written rulesets etc.).
References
Adams, A., Sasse, M.A., Lunt, P.: Making passwords secure and usable. People and Computers, 1–20 (1997)
Belgers, W.: UNIX password security (1993) (retrieved July 1, 2009)
Brown, A.S., Bracken, E., Zoccoli, S., Douglas, K.: Generating and remembering passwords. Applied Cognitive Psychology 18(6), 641–651 (2004)
Burnett, M.: Ten Windows Password Myths. Online Document (2002), http://www.securityfocus.com/infocus/1554
Cazier, J., Medlin, D.: Password Security: An Empirical Investigation into E-Commerce Passwords and Their Crack Times. Information Systems Security (1065-898X) 15(6), 45 (2006)
Charoen, D., Raman, M., Olfman, L.: Improving End User Behaviour in Password Utilization: An Action Research Initiative. Systemic Practice and Action Research 21(1), 55–72 (2008)
Chaumont, S.: Security Awareness Training: Passwords. Illinois banker (0019-185X) 97(11), 13 (2012)
King, D.: Unforgettable Passwords. American libraries (Chicago, Ill.) (0002-9769) 43(11/12), 57 (2012)
Kulkarni, D.: A Novel Web-based Approach for Balancing Usability and Security Requirements of Text Passwords. International Journal of Network Security & its Applications (0975-2307) 2(3), 1 (2010)
Malempati, S., Mogalla, S.: Enhanced Authentication Schemes for Intrusion Prevention using Native Language Passwords. International Journal of Computer Science Issues (IJCSI) (1694-0784) 8(4), 356 (2011)
Metcalfe, B.: The Stockings Were Hung by the Chimney with Care. RFC 602 (1973), http://tools.ietf.org/html/rfc602
O’Gorman, L.: Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE 91(12), 2021–2040 (2003)
Rubin, A.D.: Independent one-time passwords. Computing Systems 9(1), 15–27 (1996)
Vinter, K., Siibak, A., Kruuse, K.: Meedia mõjud ja meediakasvatus eelkoolieas [Media effects and media education in preschool age; in Estonian]. Haridus 4, 11 (2010)
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Lorenz, B., Kikkas, K., Klooster, A. (2013). “The Four Most-Used Passwords Are Love, Sex, Secret, and God”: Password Security and Training in Different User Groups. In: Marinos, L., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2013. Lecture Notes in Computer Science, vol 8030. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39345-7_29
DOI: https://doi.org/10.1007/978-3-642-39345-7_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39344-0
Online ISBN: 978-3-642-39345-7