Computer Security Management
(ISYS20261)
Lecture 13 – Passwords




 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Last week …

• Access control permits or denies the use of a particular resource by
  a particular entity
• Two dimensions: authentication and authorisation
• Authentication
  – User to system
  – System to user

• Authorisation
  – Discretional access control
  – Mandatory access control
  – Role-based access control




Computer Security Management
Page 2
Today

• Passwords
• PINs
• Challenge response

Password authentication (1)

• Ways of authenticating a person
  – Knowledge based: password, PIN, etc.
  – Token based: smartcard, etc.
  – Biometrics: fingerprints, face recognition, etc.

• Password: two factor authentication:
  – Identification
  – Verification

Password authentication (2)

• Assumption: password exists in two places only:
  – System
  – User’s memory

• In reality also:
  – Under the keyboard
  – On a post-it sticking to the monitor
  – Shared amongst a group of colleagues/friends
  – Etc.

Passwords

• Unaided recall
• Passwords should be meaningless
• Recall has to be 100% correct
• No feedback on failure
• Problems:
  – Unaided recall harder than cued recall
  – Non-meaningful items are hard to recall
  – Limited capacity of working memory
  – Items stored in memory decay over time
  – Similar items compete
  – Old passwords cannot be deleted on demand
  – Etc.

Password attacks

• General criminal economics: attacker will only invest up to 10% of
  the achieved profits!
• Password attacks: cheap!
• Types of password attacks:
  – Brute-force attack
  – Guessing attacks
  – Shoulder surfing attacks
  – Spyware
  – Packet sniffing
  – Social engineering

Password policies

• Aim to enforce strong passwords in an organisation
• Define the rules for:
  – Password length
  – Content
  – Frequency of change
  – Number of login attempts
  – How to recover/reset a password

• Ideally:
  – Variable length
  – Meaningless
  – Do not change passwords more often than necessary
  – Limit login attempts
  – Credential recovery: see later slide
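One of the policy rules listed above, "limit login attempts", is simple to enforce but easy to get subtly wrong. The following is an added example, not code from the lecture: a small login throttle that counts failed attempts per user ID, locks the account for a fixed period once the limit is reached, and keeps rejecting attempts during the lockout even when the password is correct (so a lockout cannot be "tested through"). The limit of 5 attempts, the 15-minute lockout and the event list are assumed sample values.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # assumed policy value: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy value: lockout duration in seconds


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts since last success/lockout
    locked_until: float = 0.0 # epoch-style timestamp; 0 means not locked


class LoginThrottle:
    """Tracks failed logins per user ID and enforces a temporary lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._state = {}  # user_id -> AccountState

    def is_locked(self, user_id, now):
        st = self._state.get(user_id)
        return st is not None and now < st.locked_until

    def record_attempt(self, user_id, password_correct, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`.

        The caller checks the password itself; this class only decides whether
        the attempt is allowed to succeed and updates the failure counters.
        """
        st = self._state.setdefault(user_id, AccountState())
        if now < st.locked_until:
            # While locked, even a correct password is rejected, so an
            # attacker cannot use the lockout window to confirm a guess.
            return "locked"
        if password_correct:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "denied"


# Constructed sample login events: (seconds since start, user ID, password correct?)
SAMPLE_EVENTS = [
    (0, "alice", False),
    (1, "alice", False),
    (2, "alice", False),
    (3, "alice", False),
    (4, "alice", False),              # fifth failure: lockout starts at t=4
    (5, "alice", True),               # correct password, but account is locked
    (6, "bob", True),                 # other users are unaffected
    (4 + LOCKOUT_SECONDS + 1, "alice", True),  # lockout expired: allowed again
]


def replay(events, throttle=None):
    """Feed a list of login events through a throttle and return the decisions."""
    throttle = throttle or LoginThrottle()
    return [throttle.record_attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The throttle keys on the user ID, which is what the policy rule describes; a production system would also want to count attempts per source address and log each lockout so that the helpdesk can distinguish a forgetful user from a guessing attack.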

Problems, problems …

• Nowadays, Joe Average has to remember a large number of
  passwords/PINs!
• Many of these need to be changed frequently
• Many similar items compete (including old, invalid passwords!)
• Infrequently used passwords are easily forgotten
• Recently changed passwords are forgotten or confused
• Etc.

Password failure

• 52% Memory failure
  – Confused with old password 37%
  – Confused with other system’s password 15%

• 20% Wrong user ID
• 12% Typo
  – Missing or additional characters
  – Pressing ENTER

User strategies

• If not given a strategy: users will make up their own!
  – Use the same password for multiple systems
  – Only change passwords if forced to
  – Externalise passwords

• On-the-spot decisions

Password quality (Sasse et al, 2001)

• Content
  – 28% of users’ passwords are identical
  – 68% use one way to construct their passwords
  – 51% of the passwords are words with a number on the end

• Change
  – 90% only change when forced to do so
  – 45% increment the number by one when changing

• Writing down
  – 30% write down all passwords
  – 32% write down infrequently used passwords

PINs

• Numerical passwords, e.g. 4587
• Similar problems
  – Same PIN across many applications
  – Many people give card and PIN to others to fetch cash
  – Using mobile phones in public
  – Etc.

• Where to find PINs:
  – On the card
  – In the wallet
  – Post-it
  – Around cash machine
  – Etc.

Countermeasures

• Help with passwords
  – Reactive, e.g. reminder
  – Proactive, e.g. hints, writing down, …

• Not really effective
• Better:
  – User support and training
  – Single sign-on
  – Changes to password policy
  – Alternative methods: Graphical or biometrics

Reminders

• Advantages:
  – No password change
  – Automated, i.e. reduced workload on helpdesk or system admin

• Disadvantages:
  – Over the internet: security risk
  – Attacker might guess or know the answer to additional security questions

• Example: “what is your mother’s maiden name?”

Hints

• User selects reminder of password that is stored on the system
  together with the password
• System provides the hint if:
  – user forgets his/her password and requests it
  – login fails

• Advantages
  – No password change
  – Automated

• Disadvantages:
  – Untrained users often choose bad hints in terms of memorability
  – Attacker might find out the password through social networks

How to improve

• Provide instructions for better memorability
  – Must be available when users need them
  – e.g. “make up sentence to memorise” or “funny content helps to memorise”

• Provide feedback
  – At registration time
  – Needs to be positive and constructive
  – Might help an attacker!

• Pro-active password checking
  – Prevent weak passwords
  – Checks at registration for compliance with password policy

• Helpdesks
  – Many people prefer to interact with other human beings
  – Humans are more flexible

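The "pro-active password checking" item above, together with the Sasse et al. figures on the earlier slide (words with a number on the end, incrementing the number by one on change), can be turned into a concrete check at registration or password-change time. The following is an added example and not code from the lecture: it reports every policy problem it finds so that feedback can be constructive rather than a bare "rejected". The minimum length of 12, the short common-password list and the sample inputs are assumed values; the previous password is available here only because a user supplies it when changing passwords, and it must never be stored in clear for this purpose.

```python
import re

MIN_LENGTH = 12  # assumed policy value
# Constructed sample of a common-password list; a real deployment uses a large breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

# "A word with a number on the end" (51% of passwords in the Sasse et al. study).
WORD_THEN_NUMBER = re.compile(r"^[A-Za-z]+\d+$")
TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def increments_previous(candidate, previous):
    """True if candidate is the previous password with its trailing number raised by one."""
    m_new = TRAILING_NUMBER.match(candidate)
    m_old = TRAILING_NUMBER.match(previous)
    if not (m_new and m_old):
        return False
    same_stem = m_new.group(1) == m_old.group(1)
    return same_stem and int(m_new.group(2)) == int(m_old.group(2)) + 1


def check_password(candidate, user_id, previous=None):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if user_id and user_id.lower() in candidate.lower():
        problems.append("contains the user ID")
    if WORD_THEN_NUMBER.match(candidate):
        problems.append("is a single word followed by digits")
    if previous is not None:
        if candidate == previous:
            problems.append("is identical to the previous password")
        elif increments_previous(candidate, previous):
            problems.append("is the previous password with its number increased by one")
    return problems


def feedback(problems):
    """Turn the problem list into the positive, constructive message the slide asks for."""
    if not problems:
        return "Accepted. Thank you for choosing a strong password."
    bullets = "; ".join(problems)
    return ("Not accepted yet: the password " + bullets +
            ". Tip: a short sentence you can remember, with spaces, is easy to recall and hard to guess.")


if __name__ == "__main__":
    for cand, uid, prev in [("summer2024", "alice", "summer2023"),
                            ("Password1", "bob", None),
                            ("correct horse battery staple", "alice", None)]:
        print(repr(cand), "->", feedback(check_password(cand, uid, prev)))
```

Note that the checker reports all problems at once; reporting only the first one forces users into a guessing loop and is exactly the kind of feedback the slide warns can become unhelpful.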
Single sign-on (SSO)

• Enables a user to log in once and gain access to the resources of
  multiple software systems without being prompted to log in again
• Advantages:
  – Reduces user’s workload to a minimum
  – Reduces time spent on logins
  – Reduces help desk calls
  – Single point of recovery

• Disadvantages:
  – Valuable to attacker (single point of attack!)

Challenge-response (1)

• Authentication technique
• An individual is prompted (the challenge) to provide some private
  information (the response)
• Enrolment:
  – Challenge-response (CR) pairs generated randomly from database
  – User accepts a set of memorable CRs when enrolling

• Operation:
  – Individual is given one challenge from set
  – If individual gives the matching response: authenticated

Challenge-response (2)

• When enrolling, the challenge can be
  – Selected entirely by the system, or
  – Partly chosen by user, or
  – Partly selected from list by user

• Response can be
  – Selected by the system, or
  – Chosen by user, or
  – Selected from list by user

• Examples
  – C: Name of your pet? R: [open answer chosen by user]
  – C: Your mother’s maiden name? R: [input chosen by the user]
  – C: What do you think of the [input chosen by the user]? R: I think the [from C]
    [chosen by the user]

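The enrolment and operation steps from the two challenge-response slides, as an added example that is not part of the lecture: the user is enrolled with a set of CR pairs, each response is stored only as a salted password-hash (so the "private information" does not sit in clear on the system), operation picks one challenge at random from the enrolled set, and the response is compared in constant time after normalising case and whitespace so that "Rex" and "rex " both count as the matching response. The user name, pet name and school name are constructed sample values; the PBKDF2 iteration count is an assumed setting.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumed setting; raise for production use


def normalise(answer):
    """Canonicalise a response so trivial variations still match: Unicode NFKC,
    case folding, and collapsing surrounding/repeated whitespace."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_response(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class ChallengeResponseStore:
    """Holds enrolled CR pairs per user; responses are stored only as salted hashes."""

    def __init__(self):
        self._records = {}  # user_id -> list of (challenge, salt, digest)

    def enrol(self, user_id, pairs):
        """Enrolment: the user accepts a set of memorable (challenge, response) pairs."""
        records = []
        for challenge, response in pairs:
            salt = os.urandom(16)                       # per-response random salt
            records.append((challenge, salt, hash_response(response, salt)))
        self._records[user_id] = records

    def issue_challenge(self, user_id):
        """Operation step 1: give the individual one challenge from their enrolled set."""
        challenge, _, _ = secrets.choice(self._records[user_id])
        return challenge

    def verify(self, user_id, challenge, response):
        """Operation step 2: authenticated only if the response matches the stored
        digest for exactly the challenge that was issued."""
        for stored_challenge, salt, digest in self._records.get(user_id, []):
            if stored_challenge == challenge:
                # Constant-time comparison avoids leaking how many bytes matched.
                return hmac.compare_digest(hash_response(response, salt), digest)
        return False


if __name__ == "__main__":
    store = ChallengeResponseStore()
    store.enrol("alice", [("Name of your pet?", "Rex"),
                          ("Name of your first school?", "Hill Road Primary")])
    challenge = store.issue_challenge("alice")
    print("Challenge:", challenge)
    print("Response 'rex ' accepted:", store.verify("alice", challenge, "rex "))
```

The store enforces the mechanics only; the "guessing difficulty" criterion on the next slide is about which challenges are enrolled in the first place, and a question like a mother's maiden name remains easy to guess however carefully its answer is hashed, so such a scheme still needs the attempt limiting discussed under password policies.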
Challenge-response (3)

• Challenge-response pairs (CRs) have two dimensions:
  – Usability
  – Security

• Criteria for assessing security:
  – Guessing difficulty

• Criteria for assessing usability:
  – User physical and mental workload
  – Administrator physical workload
