Final Exam of Usable Security

Company ABC’s password policy has always been that the system generates passwords for its users instead of letting them pick their own. The passwords are random 8-character strings with upper and lower case letters, numbers, and symbols for users (e.g. “^8j4Z.mp”). Every six months, the password is changed to something new. Because password resets are a security danger, users are not allowed to reset their passwords if they forget them. Instead, they need to go to the company’s IT office which looks up their existing password and gives them a printout with the password on it.

(note: this is a true example – I worked at an organization that had exactly this policy)

Answer the questions 1-13 about Company ABC’s policy.

True or false: the passwords that the system generate are very hard to crack?

Which method would work best if trying to crack one of Company ABC’s passwords

What is the biggest usability problem with Company ABC’s passwords?

Which of the following is the most likely response to Company ABC’s password reset policy ?

True or false: a policy that allows users reset their passwords automatically (e.g. if a user forgets their password they can enter their user ID and have a new password emailed to the address that the IT office has on file) may lead users choosing more complex passwords.

True or false: a policy that users reset their passwords automatically would be more usable

True or false: a user-chosen 8-character password would be more difficult to break than the existing system-generated passwords.

True or false: a user-chosen 8-character password would be more usable

True or false: a user chosen 8-character password could be more secure

True or false: an automatically generated password that combined 4 unrelated common words would be harder to break

True or false: an automatically generated password that combined 4 unrelated common words would be more usable

True or false: Increasing the usability of Company ABC’s password policy would lead to greater security

True or false: There is a conflict between creating a usable password system and the most secure password system

Company XYZ is a defense contractor. They need to make sure that only authorized people enter their facilities. They have decided to install a new biometric authentication station outside the gate that protects the parking lot. Employees will need to authenticate in order to be let in. Answer questions 14-20 about Company XYZ.

How should the security system be designed?

If someone tries to authenticate and they are not recognized, the system designer is considering adding a delay before they can try to authenticate again. Which is the best delay?

A survey shows that a surprisingly large percentage (25%) of employees ride motorcycles to work, the standard protective gear of helmets, leather jackets, and gloves. Which of the following would be a poor biometric tool based on this fact?

The designer has decided to use a free gesture system to authenticate people, but the hardware for a gesture-detection system that is weatherproof is very expensive. As she is eating lunch in her office, she is contemplating the next step. What should she do?

The free gesture system is implemented, and all employees have stopped by the IT office to teach the system what their authenticating gesture is by entering it on a touch screen in the office. A couple weeks later, people who drive SUVs start complaining that they sometimes need to enter their gesture 4 or 5 times because it is not recognized (probably because they are making it from an odd angle – their cars are high up above the device where they enter their gesture). What type of usability problem is this?

What is a good solution for the SUV drivers?

After a while, the IT office complains to the designer that people keep coming in having forgotten their gestures. This is a problem because traffic backs up when a person can’t remember the gesture, it takes a lot of time to reset the gesture, and people are trying to get around the system by closely following the person in front of them through the open gate. The designer decides that from now on, when people create new gestures, it should be the person’s normal signature. Which usability aspect does this improve?

Answer questions 21-24 about Company 123.

Company 123 is creating a social network designed to compete with Facebook. They begin by copying Facebook’s interface exactly, except they change the name and make it green instead of blue. How does this help usability?

Company 123 writes a privacy policy that is written in easy-to-read language at an 6th grade reading level and is exactly 1 page long when printed and that covers all the major points of their privacy – mainly, that no data is ever shared except with people the user lists in their own privacy settings. Which of these five pitfalls does their policy avoid:

Is a 12-year old in 7th grade able to give informed consent to this policy?

A designer at Company 123 is considering changing their login interface so the password box shows the last character typed for 1 second before changing it to the standard star or dot that prevents over the shoulder attacks. They hope this will help people spot when they have made a typo as they enter their password. How should she determine if this is a good change to make?

True or false: error messages should limit technical detail in favor of plain language.