Computer users circumvent password security with workarounds, according to study

Apr 18, 2014 by Jacquie Posey
Computer users circumvent password security with workarounds, according to study
Ross Koppel

(Phys.org) —When workers and organizations circumvent computer passwords and security rules, they unwittingly open the door to hackers, according to a study co-authored by Ross Koppel, an adjunct professor of sociology at the University of Pennsylvania.

Koppel is also an affiliate professor at Penn's Perlman School of Medicine, a senior fellow at the Leonard Davis Institute of Penn's Wharton School and a senior investigator at the Department of Computer and Information Science in Penn's School of Engineering and Applied Science.

The study, "Circumvention of Security: Good Users Do Bad Things," is published in the Institute of Electrical and Electronic Engineers Security & Privacy.

With co-authors Jim Blythe of the University of Southern California and Sean W. Smith of Dartmouth College, Koppel studies what people actually do when working online without following experts' rules. The researchers found that "circumvention of the rules is the norm."

Koppel's research generally focuses on health-care IT workarounds that doctors and nurses are required to perform when computer system rules are clunky or non-responsive to work flow. This research on is an outgrowth of that work. The researchers found that often the rules on passwords are so "onerous" or "cumbersome" that workers must find ways to circumvent them to perform their duties.

The research team conducted a series of in-depth interviews with cyber-security experts, chief information and chief medical information officers, IT workers, computer users and managers. They asked questions about perceptions of security rules, logic, protocols, norms and actual practice.

"These interviews expose the often irrational security controls and subsequent workarounds, such as password sharing, made-up data to allow access to restricted parts of systems and ignoring warnings about invalid or obsolete programming," Koppel said.

They discovered "innumerable" vulnerabilities that are generated not by hackers, but by inflexible or illogical requirements of cyber regulations.

Examples included:

  • Having to change passwords every 90 days, and requiring a new password. They found that workers in the defense industry would call their help desk, saying they forgot their passwords. The act of resetting the passwords negated the history, thus enabling them to reuse their old password forever.
  • Users would circumvent timeouts on their systems by putting Styrofoam cups over proximity detectors to trick the system into believing they had never left.
  • To circumvent a hospital's rules on exfiltration of medical images, a doctor would take a screenshot and drop the image into conventional and unprotected email.
  • A superior insisted on not using a standard trust root for the enterprise's SSL servers, and users were trained to ignore warnings about invalid SSL certificates, the software at issue with the Heartbleed bug.

The study was conducted for the Army Research Office.

Explore further: What you need to know about the Heartbleed bug

More information: Blythe, J.; Koppel, R.; Smith, S.W., "Circumvention of Security: Good Users Do Bad Things," Security & Privacy, IEEE , vol.11, no.5, pp.80,83, Sept.-Oct. 2013. DOI: 10.1109/MSP.2013.110

add to favorites email to friend print save as pdf

Related Stories

What you need to know about the Heartbleed bug

Apr 09, 2014

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

Recommended for you

Automakers aim to drive away car computer hackers

7 hours ago

Against the team of hackers, the poor car stood no chance. Meticulously overwhelming its computer networks, the hackers showed that—given time—they would be able to pop the trunk and start the windshield ...

Man pleads guilty in New York cybercrime case

Nov 22, 2014

A California man has pleaded guilty in New York City for his role marketing malware that federal authorities say infected more than a half-million computers worldwide.

How to keep the world's eyes out of your webcam

Nov 21, 2014

There are concerns that thousands of private webcams around the world could be streaming live images to anybody who wishes to view them – without their owner knowing – thanks to a Russian website provi ...

Britain urges Russia to shut down webcam spying site

Nov 20, 2014

A Russian website offering thousands of live feeds peering into bedrooms and offices around the world by accessing poorly secured webcams should be taken down immediately, British officials said on Thursday.

NSA Director: China can damage US power grid

Nov 20, 2014

China and "one or two" other countries are capable of mounting cyberattacks to shut down the electric grid in parts of the United States. That's according to Admiral Michael Rogers, the director of the National Security Agency ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

Dr_toad
Apr 18, 2014
This comment has been removed by a moderator.
tadchem
not rated yet Apr 18, 2014
Unfortunately the fragmentation of responsibility for data systems (the IT desk, the Security desk, the Power users, software contractors, etc.) has reduced the ability of these people to coordinate during the development of system requirements and business rules when system changes reach the design phase.
Anybody not fully in the loop during the entire process has their requirements slighted, often impairing mission performance.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.