Tuesday, 17 September 2019

Passwords and Usability

Usability of advice

Much advice on passwords is contradictory, confusing, and context-free. I propose a Scale for Evaluating Password Advice (SEPA):

1. Does the advice give due prominence to haveibeenpwned.com?
2. Is the advice tailored to specific users and contexts (use cases)? (as opposed
    to being generic)
If 'Yes' to question 2:
3. Are there indications that the threat priorities have been based on
4. Are there indications that the risk mitigation actions proposed are
    based on evidence?
5. Are there indications that the advice has been tested with
    representative users?

Password Managers

There are plenty of reviews of password managers. These all seem to focus on technical aspects, with little or no understanding of usability. On the basis of limited personal experience, I suggest the following criteria for password manager usability:
1. The supplier website sets out what use cases it meets, and how, and what use cases it does not support.
2. The manager has a link to the haveibeenpwned.com API.
3. The manager generates user-friendly passphrases like this
4. The manager works without the cloud.
5. The manager helps the user cope with the vagaries of various websites e.g. no paste allowed.
6. The manager is compatible with producing a paper storage system.

Use Cases

A collection of not-very-thought-through use cases is below, for illustrative (rather than design) purposes:
  • A US Secretary of State who steps out of the SCIF to use her personal Blackberry.
  • A bitcoin miner whose mobile phone account is hijacked to exploit SMS 2FA.
  • A Cambridge Professor of Security Engineering who refuses to use online banking, with good reason:
"...if you fall victim to an online fraud the chances are you will never see your money again...one of the banks’ most extraordinary feats of recent years has been their ability to shift liability away from themselves and on to the customer – aided by a Financial Ombudsman Service (FOS) that they claim rarely challenges the banks following a fraud."
  • A journalist talking to dissidents in a dangerous country.
  • Grandma logging into Facebook while staying with her daughter.
  • Grandma wanting to put her online affairs in order for her estate.
  • A student wanting to prevent his flatmates using his pr0n account when he is out. 
  • A businessman going to the toilet while doing online business with the free wi-fi in a coffee shop.
  • A Civil Servant wanting to do home banking while at the office.
  • An agency ICU nurse called in at short notice needing to look up patient records. 
  • A homeless person using a mobile phone to claim benefits and pay bills. 
  • Someone on a list entering the USA and being asked to provide their passwords.

Important update from Rachel Tobac: "A useful thing about using a password manager that I don’t always see folks talk about is that my pw manager won’t enter my username and password on malicious lookalike sites. Not the real airline website? Looks real but it’s actually a malicious URL? No credentials entered". So - does the pw manager do this? 
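
To make that question testable, here is a sketch of the check a manager would need before autofilling. It is an added example, not code from any particular password manager. The vault entry, the `.test` hostnames and the function names are constructed, and exact-origin matching is an assumption (products differ in how strictly they match).

```javascript
// Added illustration: origin-bound autofill decision. All names are hypothetical.
// Constructed vault: each entry is bound to the origin where it was saved.
const vault = [
  { origin: "https://www.example-airline.test", username: "alice", password: "constructed-secret" },
];

// Return the saved entry for pageUrl, or null when the origin does not match exactly.
function credentialFor(pageUrl, entries = vault) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // unparsable address: never fill
  }
  if (url.protocol !== "https:") return null; // no fill over plaintext HTTP
  // url.origin is scheme + host + port after parsing, so the comparison uses the
  // real host even when the address embeds the trusted name as userinfo or in
  // the path, and it is already lower-cased with the default port removed.
  return entries.find((e) => e.origin === url.origin) || null;
}

function shouldFill(pageUrl) {
  return credentialFor(pageUrl) !== null;
}

// Constructed addresses a user might land on.
const samples = [
  "https://www.example-airline.test/login",          // the saved site
  "https://WWW.Example-Airline.TEST:443/login",      // same origin, different spelling
  "https://www.examp1e-airline.test/login",          // lookalike: digit 1 for letter l
  "https://www.ex\u0430mple-airline.test/login",     // lookalike: Cyrillic a
  "https://www.example-airline.test.evil.test/",     // trusted name as a subdomain label
  "https://www.example-airline.test@evil.test/",     // trusted name as userinfo
  "http://www.example-airline.test/login",           // right host, no TLS
];

for (const s of samples) {
  console.log(shouldFill(s) ? "FILL  " : "REFUSE", s);
}
```

Only the first two addresses are filled; a person reading the address bar could plausibly accept any of the others.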
