
Password Hell: Accessibility Challenges In Cyber Security

BSides Leeds, 29:53, published 2025-08 (video on YouTube). Style: talk.

Transcript [en]

Thank you so much. Welcome everyone. My name is Anna. I am a cyber security student from Manchester Met, and as has been said, I'm going to talk today about the accessibility challenges within cyber security, more specifically password policies. As a disclaimer, this is not the only accessibility issue in cyber security. There are many. This is the one that I chose to focus on for this talk, but maybe I'll do some others in the future. And I'm going to talk about why I have decided to do this before going on to the what. I do promise it does link. So there are a lot of people that are disabled and it doesn't get talked about. I am myself disabled as well, and there aren't many people that get the opportunity to actually talk about it. And I think the more that we talk about it, the more good that we can do. So that is why I'm doing this today. I just want to help people.

So what is the actual issue that we're facing? Well, the world is a great place and there's a lot of technological advancements. However, it severely lacks accessible technology. We are putting funding all into the good new shiny things and not actually into the function of how those shiny things work, making things very frustrating for disabled people. Now why is it an issue? I assume we all know why, but if that number up there doesn't scare you, I know it scares me. 24% of the population in the UK are disabled. That is only reported statistics, and as we know it is so hard to get a diagnosis and for that actually to go through, so in reality that is a much higher percentage. Why is this an issue? Well, if you're not being accessible you risk the lower employment rates, which we have seen; it's in all the statistics. Disabled people do have lower employment rates, and that is because of the accessibility challenges that we face. One of them being passwords, which links to account access. You know, everything nowadays requires an account. Even logging into Indeed requires an account. So if you even want to get a job you need an account, and well, unfortunately those aren't accessible to most people. And well, if we are not being accessible we are excluding 24% of the population from getting a job, which to be honest terrifies me, and I'm sure it terrifies you too.

So, as a little example, I have my wonderful password that I created I think in November of last year. I still haven't remembered it. It has been almost nearly a year. Still couldn't tell you what the password is, how to include it. No clue. But it is a strong password. Like, employers will say that that is the perfect password. Use it everywhere. Well, don't reuse passwords, though, but use it. And they don't actually take into account how inaccessible this actually is. I mean, for starters, it's too complex. Anyone even trying to type that out, if you have any sort of mobility issues, you're just going to give up by the second letter, I think. It's also too hard to remember. As I said, I don't have any cognitive disabilities, but still haven't remembered what this is. And it's also way too hard for assistive technology to help. If you rely on text to speech, imagine saying that. You're going to have such a hard time. It's not going to be fun for anyone involved.

So, I'm going to talk about some of the main accessibility challenges. As I just said, assistive technologies: it's usually the main thing that people go to, being like, "Ah, just use assistive technology." It's great when it works, and the unfortunate part is it doesn't work the majority of the time, because it lacks research and it lacks funding, and people aren't pushing it forwards as much as they should be. The main thing with assistive technology is UIs. If they aren't compatible with the assistive technology that's trying to use it, you're not going to be able to read what's on the screen. I mean, imagine having visibility issues and you've all of a sudden gone onto the password creation screen and you can't actually read what it says. So, you're not actually going to be able to make a password in the first place to access your account. Then we have the fact that there is a lack of clear security policies and also just a lack of accessible knowledge in general. We've all seen it. We've all got frustrated when you go on, you try and log into a new shiny social media and it has like 10 different rules that you need to abide by with their security policy for passwords, cuz they think that's more secure. It's not. It just creates frustration, and especially for people that are disabled. I mean, if you already struggle to type in a password, having to type in one that, one, is secure, two, abides by all the rules that you need to, you might as well just give up. You're not going to have a fun time. And then the accessible knowledge. If people don't know how to be secure, how do we expect them to be secure? And the problem is the knowledge isn't accessible. It's not written in an accessible format. It's not written accessibly. And there's just so many issues around just the actual knowledge of it all, which makes it a lot harder for people to be secure, which leads to disabled people becoming more vulnerable targets.

And then we have complex authentication methods. There are ones that are better than others, but no authentication method is 100% accessible. I'm going to talk about some of them now. So, one of the main ones that people love to do is password expiry. I hate this with a passion. Loathe it. Every 6 months they expect you to change your password. What ends up happening, as I'm sure we all know, is you just add a one on the end. You add a one, you call it a day. It's not really secure, but people love to do it anyway. For people who are disabled, this is even worse, because imagine you have a cognitive issue. You forget that you've added an extra one. You can't remember that you've added an extra character. What are you going to do? You have to call up the IT department. You have to be like, "Hey, can you please reset my password?" So, more resets on top of resets. No one is having a fun time, especially the poor IT man who has to handle 100 requests a day. We then have multi-factor authentication and biometric authentication. Now, while this is one of the better methods, it's one of the most accessible methods that we have currently, it's still not 100% accessible. One, you usually require a different device to even be able to do it. Two, if you have, again, any cognitive issues and you see a PIN... I mean, sometimes I don't have any issues, but sometimes I see the PIN and it completely wipes out my mind. I have no clue what that PIN is. It's just timed out. I now need to go through the whole process of inputting the password to input the PIN to access my university account. Then we have the fact that you sometimes need to use biometric login with multi-factor authentication. If you struggle with any kind of mobility issues... I mean, my phone, on a good day, works like maybe 30% of the time with my fingerprint. Usually, I just use the PIN cuz it's a headache. Now, imagine only having biometric authentication and you need to view it and you have a tremor in your hand. I'd give up, to be honest. And then we also have knowledge-based authentication. Now this one is going out of practice, thankfully. It's not secure anyway. But one of the main issues that we face is that it's still used, and it's also one of the methods that is quite case sensitive. So you remember your first pet's name, but you don't remember that you put a capital in front of it. All of a sudden you're locked out of your account. You can't get back into it. You don't know why. You need to password reset again. Resets on top of resets. It's not fun for anyone involved.

So what can we actually do about it? Because whenever I talk about this, I like to provide solutions and not just "ah, everything's bad." So one of the easiest things that we can do is clear and accessible language. If you are writing your policies in a way that a 10-year-old can understand, you're doing great. You need to simplify it down so that everyone can understand it, and that's the best way that we're going to get people more secure, because if they actually understand the knowledge that they're given, they're actually going to use it. Then we have compromise-based policies. Please stop using password expiration policies, please. Compromise-based policies are just better. If you know that a password has been compromised, then change it, then reset it, then you can put it on your banned password list so that person can't reuse it, cuz you know they'll want to. And it's just better for everyone because it leads to fewer calls to the IT department. It also leads to people being less frustrated that their password is getting reset so often. We then have a password manager. Now, I think this is coming more into force the more that we talk about it. One of the great upsides of password managers is they stop you from reusing passwords. I mean, I've done it. So many people have so many different accounts. You're not going to be able to have a unique password for every single account. And again, as security professionals, we care more about our own security than the average person. They do not care. If they could, they would get away with putting password123 into every account that they see. So having a password manager gives you that really complex password that everyone seems to love, and it makes it more accessible cuz you don't actually need to remember it. You just click the little save button, and then every time it pops up they're like, "Oh, can you please authenticate it?" And you already have MFA anyway, so you can do a little biometrics or a little PIN and then it's done. You can access your account. It's a lot easier for everyone, obviously. It is still not 100% accessible, but again no current methods are.

Then we have voice authentication. This was one of the things mentioned in a study called "As usual I needed the assistance of the seeing person". I have cited it there. Disabled people were interviewed, and the number one request that they asked for was for there to be more voice authentication. Obviously, there is not enough research around it or enough funding. However, I do think it is a possible consideration for the future, and I think companies should at least consider some type of voice authentication. Especially cuz it'll just be so useful in public spaces. If someone requires text to speech, you don't want to be saying it out loud. But if you can be voice authenticated, you can just be having a normal conversation and all of a sudden you're in your account. No one has to know. Then instead of having that massively complicated password, we can use something like "dog tree lemon 1". Now this is coming more into practice now. I think it's the most secure way to do passwords if you are going to do them. And it's just basically a passphrase. Just have three words that are not linked to each other whatsoever, and have like a random number or special character on the end just to fulfil that security policy, cuz they love to add in a special character or a number. And yeah, just put it in. It will work. It will still be as secure as your really complex password, but it's so much more usable. People can actually remember it. They don't need to reset their password. They don't need to ask you to reset their password for them, because they're just going to remember it. And then the final one, which is probably my most controversial take, is storing passwords physically. Now, what I mean by this is write them down. Now, I know we've all been told don't do it. However, if we think about the pros and cons of it, I mean, the pros are you don't have to reset your password. You have them all written down. You know what they are. The cons are obviously someone can take your little book and find all your passwords. However, what are the chances that someone's going to break into your house, find that nice plain notebook that looks nothing like a password manager notebook, steal it, and then actually know how to be able to use it? The likelihood is very low. So I think the benefit outweighs the risk in this scenario, especially for people who are disabled. And it also helps if people need the assistance of someone else. Obviously people who are disabled want to be independent, but sometimes it is required to have someone else's assistance. If someone else has access to all your passwords, it makes it a lot easier with communication with them.

So in conclusion, nothing is as secure as we think it is. In fact, you don't want anything to be 100% secure, because then you can't actually use it. It's one of the main principles in the CIA triad, which is if a system is 100% confidential, it is 0% accessible. You might as well not make it. So that is why I think that we need to focus more on the actual usability rather than how confidential, how secure things are. Especially because, you know, most things aren't like, I don't know, the government's top secret things that they need to keep hidden. You don't need to be that secure when all you are is a social media website. You then have communication. I think this one is really important. Accessibility is not one-size-fits-all. You know, all the things that I have recommended may not be the best thing for one company. It may not be the best thing for another, but it may work for someone else. And I say this because every disabled person is different, which means that every solution has to be different. You have to speak to people. You have to ask them, what do you actually think works for you? Like the voice authentication: I never thought of that for me, but clearly it's something that other people want and it's something that's accessible for them. So if we actually speak to other people, we might get somewhere that's a little bit more accessible and that helps a few more people. And then just in general, I mean, I'm sure everyone here is, but just be mindful. This affects, again, 24% of the population, probably much higher. Do you really want a quarter of your customers or a quarter of people to feel ostracized and excluded from something? I mean, I wouldn't. That's why I'm talking about it. And obviously it does affect them, cuz we did see there are lower employment rates because of this. So we really need to be mindful about how we create things. Don't focus on the shiny new design; maybe focus on whether it's accessible and if it's actually usable and functional. That would be a lot better. So, thank you so much everyone for listening. There is my LinkedIn if you want to connect. My email is also there if you remember something after the conference, you know, like, "Oh, I want to ask Anna." I will respond, I promise. But thank you so much for listening, and if there's any questions I'm happy to take them.
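A small policy checker that implements the talk's three recommendations together: accept a three-word passphrase on length rather than character-class rules, reject passwords on a banned/compromised list including the "just add a 1" variants, and reset only on compromise rather than on a calendar interval. This is an added example, not code from the talk or from any product; the compromised-password set and the dates are constructed for illustration.

```python
"""Compromise-based password policy (added example; constructed data)."""
from __future__ import annotations

import re
import string
from datetime import date

# Constructed stand-in for a breach-derived banned list (lower-cased).
COMPROMISED = {"password", "password123", "letmein", "summer2024", "welcome"}

MIN_LENGTH = 12   # length does the work that complexity rules used to do
MIN_WORDS = 3     # "dog tree lemon 1": three unrelated words plus a filler
WORD_SPLIT = re.compile(r"[ \-_.]+")
TRAILING_TWEAKS = string.digits + string.punctuation + " "


def normalise(candidate: str) -> str:
    """Reduce a password to the base an attacker would guess from: lower-case
    it and strip the trailing digits/punctuation people bolt on after a forced
    expiry ("Summer2024!!" -> "summer", "password111111" -> "password")."""
    base = candidate.lower().rstrip(TRAILING_TWEAKS)
    return base or candidate.lower()


def is_compromised(candidate: str, banned: set[str] = COMPROMISED) -> bool:
    """True if the password, or its base with the usual tweaks removed,
    matches an entry (or an entry's base) on the banned list."""
    lowered = candidate.lower()
    banned_bases = {normalise(b) for b in banned}
    return lowered in banned or normalise(lowered) in banned_bases


def check_password(candidate: str, banned: set[str] = COMPROMISED) -> list[str]:
    """Return the reasons a new password is rejected; an empty list means
    accepted. No character-class rules and no expiry: length, word count and
    compromise only, so a memorable passphrase passes."""
    reasons: list[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    words = [w for w in WORD_SPLIT.split(candidate.strip()) if w]
    if len(words) < MIN_WORDS:
        reasons.append(f"use a passphrase of at least {MIN_WORDS} unrelated words")
    if is_compromised(candidate, banned):
        reasons.append("matches the banned/compromised list (including simple variants)")
    return reasons


def needs_reset(current: str, set_on: date, today: date,
                banned: set[str] = COMPROMISED) -> tuple[bool, str]:
    """Compromise-based rotation: reset only when the password is known to be
    compromised, never because a calendar interval has passed."""
    if is_compromised(current, banned):
        return True, "known compromised: reset and add to the banned list"
    age = (today - set_on).days
    return False, f"no reset needed (age {age} days is irrelevant without compromise)"


def on_reset(old_password: str, banned: set[str]) -> set[str]:
    """After a compromise-driven reset, ban the old password's base so neither
    it nor its "add a 1" variants can come back."""
    banned.add(normalise(old_password))
    return banned


if __name__ == "__main__":
    for pw in ("dog tree lemon 1", "Speaker window curtain", "Password1", "Summer2025!!"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    print(needs_reset("dog tree lemon 1", date(2024, 11, 1), date(2025, 8, 1)))
```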

Thank you very much. That was really interesting. Any questions? Oh, got one there from near.
>> I'm actually responsible for writing policies like password policies where I work, and we have to implement the payment card security, probably the most common security framework in place, in the current version. Now admittedly it mandates it for certain secure areas of business.
>> Yeah.
>> But when it comes to accessibility, or so I thought, we made

sufficiently

but also because we want to be able to. Now what I've done is, inadvertently, all of our systems now have expiry because of this very important framework. So in your opinion, am I better at creating multiple policies for different systems and expecting our users to know what policy is for depending on where they are in the network,
>> or am I better off maintaining the password?
>> That is a really good question. I think obviously I am just a student, so I don't know the ins and outs of the corporate world just yet, but I think it would be better to have different policies for different security levels, if that makes sense, just because a service desk user wouldn't need to have their password expire every 90 days, but someone who has complete access to all the documentation probably does. So in that case, I would create different policies for different levels, but I would make sure that each level is aware of which policy applies to them, and make sure that you don't have to like give them the whole policy. You can just be like, here's a nice little PowerPoint that has all the bullet points of the main things, so that at least everyone understands the bare bones of it, just so it's a lot more accessible. And then obviously, again, speaking to people: if those people in the higher levels are having a real issue with the fact that their password expires every 90 days, I would probably review it and look into that. Next question.

>> Probably is my answer. Obviously, it depends on what exactly you do, but I think passkeys are probably the best solution in that case, just because password expiry is so insecure just in general, just because, obviously, unless you have something that enforces that they completely change the password, what people will usually do is just add like a 123 or an exclamation mark at the end. And that's very easy to guess as well, cuz if it's already been compromised on the main one, all the brute force attackers need to do is just add a dictionary that goes through all the other letters and keys on your keyboard. Just add it onto that. Then they can be like, "Oh, this is their new one." So, I think passkeys are better. I think it also depends.
>> Resourcing is one of those things, isn't it?
>> Yeah.
>> Thank you so much.

>> Any other questions? Anyone?
>> One thing: I've been at Google 5 years, never had to change my password once. They do believe in accessibility. But as to writing down passwords, this is a weird thing I did a long, long, long time ago, because I journal, and I have one page in my journal that is this big long full page of thing, and then I have this little template that I lay over it, and there's all my various words combined that make up my various passwords, but they're kept separate. So if somebody takes my journal,
>> oh well, they'll never figure it out. That's such a creative idea that I hadn't thought of, but that is really creative. Yeah,
>> It's... I wanted to say like every fourth word. No, that won't work. I'm going to struggle writing it and people will figure it out. But if I write the words and fit them into the sentences, and then, okay, now just make a template that I lay over. Oh, okay. Now you can see, and it's so much easier as well, because we all have like tens of different accounts that we need to keep track of. We don't want to reuse passwords, but sometimes that's just the easier thing to do, because you don't want to remember 10 passwords. So having it written down somewhere, again, like the benefit outweighs the risk, like what is, you know,
>> what is the chance that someone is going to come into your house, steal your journal,
>> and if I make sure that it's like decoded as well.
>> Yeah. When I die, I want the people that are executors to my will and all this, they know about this and they can come in and figure out how to get into all my accounts. And it follows your rule, the words, which I love. Although I think you had related, because you had dog at treat

enough.
>> That is also true. That is also true. Maybe not the best example, but
>> but it's still, that's different from what people think. What kind of passphrase can I use?
>> Oh, definitely. I use the passphrases for all my accounts now, cuz it's just so much easier to remember a three-string of words than it is to remember the massive strings of special characters and numbers and stuff like that. Because before, I'll be honest, my passwords were really bad. It was one word, one two, with an exclamation mark. That's it. And that's not secure, cuz as soon as the one word and the one two gets

compromised, you're done.
>> I kept telling my upstairs neighbour, "Change your damn Wi-Fi password." She added one, but then 3 months later she added another one, and then she added another one. Now it's got 18 ones after it.
>> And it doesn't help, cuz it just makes them more insecure. Like if attackers know that this is the common thing that people do, they will just keep adding ones until something hits, and then they'll be like, "Oh, that's a correct one." So that's why I think it should be compromise-based. And then also implementing a banned password list, just so people don't try to reuse the same one and then also just put a one after that. I tend to words wherever I'm at random. Random just doesn't work. But if I'm sat, I need to have a password. Okay. What's over there? What's behind me?
>> I'm sat in the space. Nobody's going to know

that, absolutely nothing. And I might remember this is where I was when I created the account. I can see something new.
>> Yeah.
>> No, I was looking at Anna and I came up with a new password. Speaker window curtain.
>> And a lot of people use that, because it also ties your account to a physical location as well. And it's been proven that if you tie things to locations, it helps memorization as well.

In a past life, I used to deal with victims of identity theft, and I used to set the passwords for them, because they were always concerned that someone would try and impersonate them. So I would pick objects in the room I was sitting in, the office floor, and give that as the password to that person, because they knew it would have to be only that person who could ever possibly know it, and it wouldn't be able to be compromised by someone being able to guess, "Oh, I know what street they live on, where they grew up," and things like that. And again, a question for myself
>> is, when we're talking about the voice authentication, obviously we've got the addition of AI in there. Is there a concern you've got for the misuse of AI being used to compromise the voice authentication?
>> With that one, yes. If I go back, the study was done in 2023, so AI wasn't as popular back then. I do think, because obviously we now have the deepfakes and everything, I think it's a lot more concerning for the people that are higher up, because if you're higher up, you're more likely to be known. You're more likely to have things on the internet with your voice on it. For your normal day-to-day customer, probably the benefit outweighs the risk in that regard. But I think if it was something to be implemented and actually properly researched, I think that for the people higher up, probably not, wouldn't try. But at least for like the baseline customers, baseline employees, it's worth having a go and seeing will it work.
>> We have another question. Just on that comment, I pretty interest

>> That is why whenever I get a scam call, cuz I am paranoid about that, I always, one, I always wait for them; two, I always make sure that I never say yes or no during it, so that at least they don't have that snippet of me saying yes or no. Because if someone calls up and is there like, "Hey, can I access so-and-so's account? Can you please authenticate it with your voice?" they have the yes snippet, so they can just say yes. So if there is a scam, I personally try to avoid yes and no. And normally it's there like, "Oh, I heard you're with Virgin Media," and I'm there like, "I'm actually with Three," and then they usually just hang up after that.

One of the things is, I think with the whole voice authentication thing, I don't think people start to realize that if you're talking to somebody, you're like signaling protocol
>> the ability to capture that even at the other end calling you
>> wire packet capt. Yeah.
>> And there's many tools on the internet now where you can communicate people saying whatever they like with their spoken voice.
>> It is definitely like
>> I think voice authentication is going to be one of those risky areas.
>> It's definitely going to be a risky area. If it gets researched and funded properly, I think it might not be risky. However, we do know that it probably won't be researched and funded properly, just out of a hunch. So it is definitely something that we have to be aware of. But obviously if it's the only way that someone can get into their accounts, it's the only way that they can get into their account. And I don't think there's any two ways about it.

Well, thank you very much, Anna. And
>> thank you