Posts

Showing posts from December, 2019

Week 4: Using Enterprise Password Managers to Combat Credential Reuse

Over the last few weeks, data breaches have been in the news and credential-stuffing attacks are on the rise. For example, a set of over 1500 Ring doorbell credentials is circulating after another 3000 were compromised in a probable credential-stuffing attack. Credential stuffing is when compromised user credentials from one service are used to log on to a different service because the users didn't use unique login information. To avoid exposing our users, and therefore our systems, to this type of attack, it is important to put in place policies banning password reuse, and to educate our users not to reuse passwords. In a 2014 study, Stobert & Biddle found that their median participant had 27 different accounts, of which they used approximately 11 weekly. Because of this volume of accounts, if we expect our users to maintain unique credentials and also avoid writing them down in an insecure manner, we should provide them with a password manager on our enterprise systems wh...

Week 3: User-Centric Password Policies

Strong password policies have long been a topic of debate in the information security community, with advocates of password policies that encourage strong passwords while still maintaining a good user experience gaining traction recently. The latest NIST guidance on memorized secrets adopts a user-centric approach, overturning previous requirements that levied a more onerous burden on users like mandatory complexity measures and mandatory recurring password changes. These password policies were intended to reduce the likelihood of attackers successfully guessing user passwords and mitigate the impact of data breaches by limiting the duration attackers could re-use compromised credentials. However, both of these concerns are now addressed via other means: rate-limiting password attempts obviates the need for highly complex memorized secrets, and blacklisting passwords found in data breaches mitigates the impact of credential-stuffing attacks. The latter technique is particularly imp...

Week 1: What is User-Centered Security?

Information technology professionals are familiar with the cycle: we implement strong security measures, but then receive negative feedback from users due to decreased functionality, additional "hoops" they are required to jump through, et cetera. Sometimes users even adopt workarounds which not only circumvent the new security measure but also invalidate other aspects of the system's security. As an example of how well-intentioned security measures can backfire, consider the strong password policies that were the industry standard a few years ago. The requirements for a high minimum character count, complexity via required character combinations, and regular changes drove many users to circumvent the password-based security entirely by writing their passwords down, either physically or in text files. As a result, current NIST guidance recognizes this vulnerability and no longer recommends evaluating password complexity beyond comparing the user's chosen password again...