In 2019, we introduced four research ‘themes’ into RISCS. These provide structure and strategy to our work and have been drawn from those issues that we feel are most relevant to supporting the UK’s efforts in improving sociotechnical cyber security. The research themes allow us to build sub-teams of interested Read more…
Victims of defective products are not required to demonstrate the “fault” of a product manufacturer. It’s enough to demonstrate the existence of a defect in the product that causes harm. Under European laws, “a product is defective when it does not provide the safety which a person is entitled to Read more…
The Cyber Readiness for Boards project, which is jointly funded by the National Cyber Security Centre and the Lloyd’s Register Foundation, has launched to explore the factors shaping UK board decisions around cyber risk and develop interventions to provide guidance and support. https://www.ucl.ac.uk/news/2019/mar/experts-support-global-companies-against-cyber-threats
In October 2016, UCL’s Information Services Division (ISD) implemented a new password policy to encourage users to choose stronger passwords. The policy links password lifetime (the time before the password expires) to password strength: The stronger the password, the longer the lifetime.
We (Ingolf Becker, Simon Parkin and M. Angela Sasse) decided to collaborate with the Information Services Division to study the effect of this policy change, and the results were published at USENIX Security this week. We find that users appreciate the choice and respond to the policy by choosing stronger passwords when changing passwords. Even after 16 months the mean password lifetime at UCL continues to increase, yet stronger passwords also lead to more password resets.
The new policy
In the new policy, passwords with Shannon Information Entropy of 50 bits receive a lifetime of 100 days, and passwords with 120 bits receive a lifetime of 350 days:
Additionally, the new policy penalises the lifetime of passwords containing words from a large dictionary.
Users play the game
We analysed the password lifetime – what we will refer to from here on in as the ‘password strength’ – of all password change and reset events of all pseudonymised users at UCL. The following figure shows the mean password expiration of all users over time, smoothed by 31-day moving averages:
A small drop in password strength was observed between November ’16 and February ’17, as users were moved on to and generally became accustomed to the new system; the kinds of passwords they would have been used to using were at that point not getting them as many days as before (hence the drop). After February ’17, the mean strength increases from 145 days to 170 days in 12 months – an increase of 6.9 bits of entropy. This strongly suggests that users have generally adapted slowly to the new password policy, and eventually make use of the relatively new ability to increase password lifetime by expanding and strengthening their passwords.
On July 11, Dr Alex Chung delivered an invited talk at the Palais des Nations in Geneva, Switzerland, titled: ‘Legal and regulatory challenges of the sharing economy.’ Joined on the panel by his colleague Dr Janet Hui Xue from the University of Sydney, they presented comparative case studies of Uber Read more…