Password meters tell users whether their passwords are “weak” or “strong.” In this paper, we report on a laboratory experiment to examine whether these meters influenced users’ password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We then performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on “important” accounts and that individual meter design decisions likely have a marginal impact.
More details are in the paper, which will be presented at CHI ’13 held April 27-May 3.
The Impact of Password Meters on Password Selection
Teaching Security and Privacy in Online Social Networks
This term, I’m teaching a graduate seminar-based course on security and privacy in online social networks.
Students in the course are reading, presenting, critiquing, and discussing most significant and most recent papers from top venues on the subject.
They also do a project related to security and write a term paper based on it. More information about can be found at the course web site.
Presentations of Term Projects in the Security Course
In my undergraduate course on security, we are holding a mini-conferenceon December 4, where each team of 3-4 students will present their term project. Project topics are diverse and practical. The mini-conference is open to public. See its schedule for location information and presentation times. The projects will be evaluated by the representatives of the high-tech industry.
Speculative authorization and its sibling ideas
Performance overhead due to the authorization delays can be reduced if the access control decisions are pre-computed beforehand and placed into the cache of the policy enforcement point (PEP). LERSSE alumni Pranab Kini has explored the design space for speculative authorizations. A journal version of his thesis has been recently published IEEE Transactions on Parallel and Distributed Systems.
This was instantiation of the third idea, which I have originally described in an NSPW paper on Flooding and Recycling Authorizations. The other two ideas were on Secondary and Approximate Authorization Model (for SAAM for Bell-LaPadula and SAAM for RBAC) and the use of publish-subscribe technologies for delivering both authorization requests and decisions.
Independent Panel on Internet Voting in British Columbia
I’ve been invited to serve on the independent panel on Internet voting appointed by Elections B.C.. Other members of the panel are Keith Archer (chair), Chief electoral officer; Lee-Ann Crane, chief administrative officer for the East Kootenay Regional District; Valerie King, professor in the department of computer science at the University of Victoria; and George Morfitt, former auditor general of B.C.