My Ph.D. student San-Tsai Sun has successfully defended and submitted the final version of his thesis “Towards Improving the Usability and Security of Web Single Sign-On Systems.” He’s moving back to industry, where he will be applying his expertise in web security to real-world systems. Congratulations to San-Tsai on very successful completion of the Ph.D. program, with many quality publications.
The Internet Voting Panel I’m serving on has released its preliminary report on October 23rd and is soliciting comments from the public. The report can be found on the panel’s web site. The comments are due before December 4.
Password meters tell users whether their passwords are “weak” or “strong.” In this paper, we report on a laboratory experiment to examine whether these meters influenced users’ password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We then performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on “important” accounts and that individual meter design decisions likely have a marginal impact.
More details are in the paper, which will be presented at CHI ’13 held April 27-May 3.
In my undergraduate course on security, we are holding a mini-conference on December 4, where each team of 3-4 students will present their term project. Project topics are diverse and practical. The mini-conference is open to public. See its schedule for location information and presentation times. The projects will be evaluated by the representatives of the high-tech industry.
Performance overhead due to the authorization delays can be reduced if the access control decisions are pre-computed beforehand and placed into the cache of the policy enforcement point (PEP). LERSSE alumni Pranab Kini has explored the design space for speculative authorizations. A journal version of his thesis has been recently published IEEE Transactions on Parallel and Distributed Systems.