The Cyber Readiness for Boards project, which is jointly funded by the National Cyber Security Centre and the Lloyd’s Register Foundation, has launched to explore the factors shaping UK board decisions around cyber risk and develop interventions to provide guidance and support. https://www.ucl.ac.uk/news/2019/mar/experts-support-global-companies-against-cyber-threats
University of Portsmouth and Bournemouth University are delighted to offer early career researchers and PhD students the opportunity to present their work at the forthcoming Social and Behavioural Science for Cyber Security Conference 2018, to be held at Roke Manor Research Ltd, on Wednesday 24th October 2018. For more information…
In October 2016, UCL’s Information Services Division (ISD) implemented a new password policy to encourage users to choose stronger passwords. The policy links password lifetime (the time before the password expires) to password strength: the stronger the password, the longer the lifetime.
We (Ingolf Becker, Simon Parkin and M. Angela Sasse) decided to collaborate with the Information Services Division to study the effect of this policy change, and the results were published at USENIX Security this week. We find that users appreciate the choice and respond to the policy by choosing stronger passwords when changing passwords. Even after 16 months the mean password lifetime at UCL continues to increase, yet stronger passwords also lead to more password resets.
The new policy
In the new policy, passwords with a Shannon information entropy of 50 bits receive a lifetime of 100 days, and passwords with 120 bits receive a lifetime of 350 days.
Additionally, the new policy penalises the lifetime of passwords containing words from a large dictionary.
Users play the game
We analysed the password lifetime – what we will refer to from here on in as the ‘password strength’ – of all password change and reset events of all pseudonymised users at UCL. The following figure shows the mean password expiration of all users over time, smoothed by 31-day moving averages:
A small drop in password strength was observed between November ’16 and February ’17, as users were moved onto the new system and generally became accustomed to it; the kinds of passwords they were used to choosing no longer earned them as many days as before (hence the drop). After February ’17, the mean strength increases from 145 days to 170 days in 12 months – an increase of 6.9 bits of entropy. This strongly suggests that users have generally adapted slowly to the new password policy, and eventually make use of the relatively new ability to increase password lifetime by expanding and strengthening their passwords.
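The lifetime rule described under ‘The new policy’, and the conversion from days back to bits of entropy used above, as an added Python example that is not UCL’s or the authors’ code. It assumes the lifetime is linear between the two stated points and clamped outside them, and that entropy is estimated as length × log2(character pool size); the dictionary penalty is not modelled.

```python
import math
import string

# The two points stated in the post: (bits of entropy, lifetime in days).
LOW_BITS, LOW_DAYS = 50, 100
HIGH_BITS, HIGH_DAYS = 120, 350
# Assumption: lifetime grows linearly between the two points (~3.57 days per bit).
DAYS_PER_BIT = (HIGH_DAYS - LOW_DAYS) / (HIGH_BITS - LOW_BITS)

# Assumption: the post does not give the entropy estimator. This one uses
# length * log2(pool), where the pool is the union of character classes present.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def estimate_entropy_bits(password: str) -> float:
    """Estimate entropy from password length and the character classes it uses."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def lifetime_days(entropy_bits: float) -> int:
    """Map entropy to lifetime; values outside 50..120 bits are clamped (assumption)."""
    bits = min(max(entropy_bits, LOW_BITS), HIGH_BITS)
    return round(LOW_DAYS + (bits - LOW_BITS) * DAYS_PER_BIT)


def lifetime_delta_to_bits(days_before: float, days_after: float) -> float:
    """Convert a change in mean lifetime back into bits of entropy."""
    return (days_after - days_before) / DAYS_PER_BIT


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("correcthorse", "Correct-Horse-Battery-9"):
        bits = estimate_entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits -> {lifetime_days(bits)} days")
    print(f"145 -> 170 days = {lifetime_delta_to_bits(145, 170):.1f} bits")
```

With the rounded means of 145 and 170 days the linear rule gives about 7.0 bits, in line with the 6.9 bits reported above.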
On July 11, Dr Alex Chung delivered an invited talk at the Palais des Nations in Geneva, Switzerland, titled: ‘Legal and regulatory challenges of the sharing economy.’ Joined on the panel by his colleague Dr Janet Hui Xue from the University of Sydney, they presented comparative case studies of Uber…