„The four most-used passwords are love, sex, secret, and God“: password security and training in different user groups


A presentation at the HCII 2013 conference in Las Vegas, July 25, 2013 (co-authored with Birgy Lorenz and Aare Klooster).

  • 1. The four most-used passwords are love, sex, secret, and God: password security and training in different user groups
    - Kaido Kikkas (Estonian IT College & Tallinn University), Birgy Lorenz (Tallinn University), Aare Klooster (Tallinn University)
    - (c) Kaido Kikkas 2013. This document is distributed under the Creative Commons Attribution-ShareAlike 3.0 Estonia license.

  • 2. This thing's got a beard
    - The first widespread notion about password security (or lack thereof): "The Stockings Were Hung by the Chimney with Care" by Bob Metcalfe from 1973 (RFC 602)
    - An even earlier case described by Richard M. Stallman from the MIT AI Lab in the 60s
    - The quote with four common passwords comes from the movie Hackers from 1990 (yes, the one with geeky Angelina Jolie)

  • 3. The Infamous Dumbuser (a.k.a. Ordinary Joe/Jane)
    - A typical scenario: Jane/Joe has to choose a password, picks something easy and obvious
    - Bad Guys guess it, resulting in SHTF
    - Jane/Joe gets a good thrashing from a local BOFH, followed by a long and grumpy lecture about password security
    - Jane/Joe gets a secure password; alas, it is impossible to remember and needs to be written down (in some obvious place)
    - Bad Guys intercept it, with even more SHTF

  • 4. The obligatory piece of geekiness
    - http://imgs.xkcd.com/comics/authorization.png

  • 5. Mitnick says
    - Security = Policies + People + Processes + Technology
    - In password security, technology is often the least important

  • 6. The study
    - Stage I: password usage in Estonian schools among different user groups
    - Students (high school, vocational school, university)
    - Teachers/trainers
    - ICT specialists at schools
    - A large comparison group of 'average users' (convenience sample based on personal contacts)

  • 7. ...
    - Stage II: e-safety training with different groups, based on the Stage I results
    - Password models
    - Strength testing
    - Safe storage options
    - General tips on e-safety
    - This stage is still ongoing

  • 8. Some results
    - Stage I revealed an overall lack of security awareness, especially among 'those who should know better'
    - The behavioral patterns in different user groups were more similar than predicted

  • 9. Examples
    - Most respondents use only 4 or fewer different passwords (incl. 54% of the ICT specialists)
    - More than half of the respondents use short passwords of 9 or fewer characters
    - The only remarkable redeeming quality among ICT specialists was including special characters in passwords
    - Teachers actually ranked below students

  • 10. ...
    - Apparent lack of creativity both in password and 'secret question' choices
    - Password sharing among friends/family is widespread
    - Overall awareness of computer security varies, with some worrisome findings (e.g. 26% of the ICT specialists did not update their systems)

  • 11. A parable of two tools...
    - Cugnot's fardier a vapeur, 1771: speed 2.25 mph
    - Bugatti Veyron, 2010: speed 250 mph
    - Note: the pictures on this and the next slide come from Wikimedia Commons

  • 12. ... and SHTFs
    - 1771 vs. 2010: what did break and what did survive?

  • 13. e-stonia
    - Among the top countries in Internet freedom
    - E-banking (used by ~70% of the population)
    - E-declaration of income (~70%)
    - E-voting (Riigikogu 2011: 24.3%)
    - National ID-card infrastructure with a large and growing online application base
    - ... BUGATTI VEYRON....??

  • 14. Main things to do
    - Quote Mitnick: technology is the least one
    - Promote the least bad choice for passwords: long passphrases that
      - are in the native language (if other than English; also applies to usernames)
      - make sense as words, not as a phrase (e.g. TheViolinDoesNotComputeMacaroni)
      - contain some 1337 and punctuation
    - Train good password storage practices
    - Password security is just a part of the whole
    - Lack of knowledge is curable, stupidity is not

  • 15. No fool like an old fool
    - Start young!
    - Caution: the concept of secrecy can be hard to grasp for young children (and can contradict some other principles)
    - Curiosity can be dangerous but is vital, especially when dealing with adolescents
    - Overconfidence kills: experienced users are notably hard to (re)train, but putting their nose into it can help

  • 16. Instead of a conclusion
    - http://imgs.xkcd.com/comics/security.png

  • 17. Thank you
    - These slides @ Slideshare (CC BY-SA): http://slideshare.net/UncleOwl
    - The (upcoming) Digital Safety Lab @ Tallinn University: http://www.tlu.ee/dsl
    - Contact: {first.last}@tlu.ee
    - The research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa (governed by the Archimedes Foundation) and by the Estonian Information Technology Foundation
    - http://www.spreadshirt.net
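The "least bad choice" of slide 14 (a long passphrase of real words) and the "strength testing" of Stage II can be illustrated with a small checker; this is an added example, not code from the slides or the authors. It scores a candidate under two attacker models, brute force over the observed character classes and whole-word guessing against a dictionary, and reports the weaker of the two together with the slides' "9 or fewer characters" flag. The dictionary size is an assumed figure.

```python
import math
import re
import string

# Assumed attacker dictionary: 100,000 common native-language words per slot.
# This is a constructed figure for the example, not a number from the slides.
DICT_SIZE = 100_000
SHORT_LIMIT = 9  # the slides count 9 or fewer characters as "short"

def charset_size(pw):
    """Alphabet a brute-force attacker must cover: sum of the character classes present."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation)))
    return sum(n for test, n in classes if any(test(c) for c in pw))

def bruteforce_bits(pw):
    """Entropy if every string over the observed alphabet has to be tried."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def split_words(pw):
    """Tokenise a CamelCase passphrase into words; digit and punctuation runs are own tokens."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+|\d+|[^A-Za-z\d]+", pw)

def wordlist_bits(pw):
    """Entropy if the attacker guesses whole dictionary words: each alphabetic token
    costs log2(DICT_SIZE); digit/punctuation tokens are brute-forced on their own.
    (1337 substitutions inside a word are not modelled, so they score generously.)"""
    return sum(math.log2(DICT_SIZE) if tok.isalpha() else bruteforce_bits(tok)
               for tok in split_words(pw))

def assess(pw):
    """Strength under the weaker attacker model, plus the policy flags from the slides."""
    bits = min(bruteforce_bits(pw), wordlist_bits(pw))
    return {
        "length": len(pw),
        "bits": round(bits, 1),
        "short": len(pw) <= SHORT_LIMIT,
        "has_special": any(c in string.punctuation for c in pw),
    }

if __name__ == "__main__":
    # Constructed candidates: the slides' passphrase vs. a short "complex" password.
    for candidate in ("TheViolinDoesNotComputeMacaroni", "Secret1!"):
        print(candidate, assess(candidate))
```

Under the word-guessing model the eight-character "complex" password scores about 25 bits, while the six-word passphrase from slide 14 keeps roughly 100 bits.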