Computer Users Circumvent Password Security With Workarounds, Penn Led Study Shows
When workers and organizations circumvent computer passwords and security rules, they unwittingly open the door to hackers, according to a study co-authored by Ross Koppel, an adjunct professor of sociology at the University of Pennsylvania.
With co-authors Jim Blythe of the University of Southern California and Sean W. Smith of Dartmouth College, Koppel studies what people actually do when working online without following computer security experts’ rules. The researchers found that “circumvention of the rules is the norm.”
Koppel’s research generally focuses on health-care IT workarounds that doctors and nurses are required to perform when computer system rules are clunky or non-responsive to work flow. This research on cyber security is an outgrowth of that work. The researchers found that often the rules on passwords are so “onerous” or “cumbersome” that workers must find ways to circumvent them to perform their duties.
The research team conducted a series of in-depth interviews with cyber-security experts, chief information and chief medical information officers, IT workers, computer users and managers. They asked questions about perceptions of computer security rules, logic, protocols, norms and actual practice.
“These interviews expose the often irrational security controls and subsequent workarounds, such as password sharing, made-up data to allow access to restricted parts of systems and ignoring warnings about invalid or obsolete programming,” Koppel said.
They discovered “innumerable” vulnerabilities that are generated not by hackers, but by inflexible or illogical requirements of cyber security regulations.
Examples included:
Having to change passwords every 90 days, and requiring a new password. They found that workers in the defense industry would call their help desk, saying they forgot their passwords. The act of resetting the passwords negated the history, thus enabling them to reuse their old password forever.
Users would circumvent timeouts on their systems by putting Styrofoam cups over proximity detectors to trick the system into believing they had never left.
To circumvent a hospital’s rules on exfiltration of medical images, a doctor would take a screenshot and drop the image into conventional and unprotected email.
A superior insisted on not using a standard trust root for the enterprise’s SSL servers, and users were trained to ignore warnings about invalid SSL certificates, the software at issue with the Heartbleed bug.
The study was conducted for the Army Research Office.
Understanding order to disorder at the atomic scale opens possibilities for next-generation electronic devices
A Penn team has developed insight into the chemical and geometric mechanisms underlying the synthesis of new 2D materials, paving the way for next-gen devices, biomedical applications, and cleaner, quicker energy conversion and storage.
Exposure to air pollution worsens Alzheimer’s disease
New research from Penn Medicine finds living in areas with high concentration of air pollution is associated with increased buildup of amyloid and tau proteins in the brains of Alzheimer’s patients, accelerating cognitive decline.
Penn buildings achieve LEED certifications, showcasing commitment to sustainability
Three recent building projects at the University of Pennsylvania have earned LEED Platinum, Gold, and Silver certifications, underscoring Penn’s ongoing commitment to sustainable design and construction.
What stiffening lung tissue reveals about the earliest stages of fibrosis
A Penn Engineering team has targeted the lung’s extracellular matrix to better understand early fibrosis by triggering the formation of special chemical bonds that increase tissue stiffness in specific locations, mimicking the first physical changes that may lead to lung fibrosis.
