Category Archives: human factos in security

Towards strong and memorable passwords

surpassSystem-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated user-replaceable password scheme called “Surpass” that lets users replace few characters in a random password to make it more memorable. Continue reading

How Much Can Chunking Help to Remember Banking PINs?

chunkingTo ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact on memorability of such PINs has not been studied.

In a collaboration among Honeywell ACS Labs, Sungkyunkwan University, Oregon State University, University of Illinois at Urbana-Champaign, and UBC, we conducted a large-scale online user study with 9,114 participants to investigate the impact of increased PIN length on the memorability of PINs, and whether number chunking techniques (breaking a single number into multiple smaller numbers) can be applied to improve memorability for larger PIN lengths. Our findings have been reported at SOUPS ’15. Continue reading

Touch ID: How Does It Affect iPhone Security?

Touch IDRecently, Apple has introduced Touch ID, which allows a fingerprint-based authentication to be used for iPhone unlocking. It’s positioned to allow users to use stronger passcodes for locking their iOS devices, without substantially sacrificing usability. It is unclear, however, if users take advantage of Touch ID technology and if they, indeed, employ stronger passcodes. In order to answer this question, at LERSSE, we conducted three user studies through which we found that users do not take an advantage of Touch ID and use weak unlocking secrets. Continue reading

What research do I really do?

My department has made a short introductory video-clip about my research group LERSSE. For those who won’t read papers but still want to get an idea about what kind of research my graduate students do, just sit back and enjoy this 3-minute long summary.

Teaching Security and Privacy in Online Social Networks


This term, I’m teaching a graduate seminar-based course on security and privacy in online social networks. Students in the course are reading, presenting, critiquing, and discussing most significant and most recent papers from top venues on the subject. They also do a project related to security and write a term paper based on it. More information about can be found at the course web site.

On vulnerability of Facebook users to social botnets

How likely for a Facebook user to accept a friendship request from a stranger (albeit a pretty/handsome one)? By how much do such chances correlate with “promiscuity” of the user in terms of FB friends? Can such requests be automated? What can an adversary gain from befriending users?

Continue reading

Can Metaphors of Physiscal Security Work for Computers?

Physical Security Metaphor for Personal Firewall Warnings

There is evidence that the communication of security risks to home computer users has been unsuccessful. Prior research has found that users do not heed risk communications, that they do not read security warning texts, and that they ignore them. Risk communication should convey the basic facts relevant to the warning recipient’s decision. In the warning science literature, one successful technique for characterizing and designing risk communication is to employ the mental models approach, which is a decision-analytic framework. With this approach, the design of risk communication is based on the recipients’ mental model(s). The goal of the framework is to help people make decisions by providing risk communication that improves the recipients’ mental models in one of three ways: (1) adding missing knowledge, (2) restructuring the person’s knowledge when it inappropriately focussed (i.e., too general or too narrow), and (3) removing misconceptions.

Continue reading

Heuristics for Evaluating IT Security Management Tools

The usability of IT security management (ITSM) tools is hard to evaluate by regular methods, making heuristic evaluation attractive. However, standard usability heuristics (e.g., Nielsen’s) are hard to apply, as IT security management occurs within a complex and collaborative context that involves diverse stakeholders. In a joint project with CA Technologies, my Ph.D. student Pooya Jaferian has proposed a set of ITSM usability heuristics that are based on activity theory, are supported by prior research, and consider the complex and cooperative nature of security management. The paper reporting the evaluation of the heuristics received Best Paper Award at SOUPS ’11.

Continue reading

Have users signed up?

I participated in a panel “Password Managers, Single Sign-On, Federated ID: Have users signed up?” at Workshop on The Future of User Authentication and Authorization on the Web: Challenges in Current Practice, New Threats, and Research Directions, which was collocated with the conference on Financial Cryptography and Data Security. In my panel presentation, I showed the most recent results of the evaluation of OpenID authentication experience by participants, conducted in my lab, which shed some light on why users have not signed up, at least for OpenID. An apparent reluctance among the end users of employing OpenID, despite the fact that there are over one billion OpenId-enabled accounts, results from technical, business, and human factors. This particular short presentation was devoted to the usability factors.

Is OpenID too Open? Technical, Business, and Human Issues That Get in the Way of OpenID and Ways of Addressing Them

The web is essential for business and personal activities well beyond information retrieval, such online banking, financial transactions, and payment authorization, but reliable user authentication remains a challenge. OpenID is a mainstream Web single sign-on (SSO) solution intended for Internet-scale adoption. There are currently over one billion OpenID-enabled user accounts provided by major content-hosting and service providers (CSPs), e.g., Yahoo!, Google, Facebook, but only a few relying parties that allow users to use their OpenID credentials for SSO. Why is that? I presented at Eurecom an overview OpenID, and then discussed weaknesses of (1) the protocol and its implementations, (2) the business model behind it, and (3) the user interface. The talk concluded with a discussion of a proposal for addressing some of OpenID issues.

See presentation slides for more details.