
Due to technical difficulties, we are joining the program already in progress.

...they don't actually have empirical data, but they do a nice theoretical model, and they looked at the notion of: well, you have an attacker who's doing a brute-force attack against your passwords, and if you have all your users change their password, then the attacker has to start over, and so that's going to slow them down if every 60 or 90 days they have to start over with their brute-force attack. But they were able to model this and showed that actually it doesn't slow the attacker down very much, and in fact you can have much better gains by using a slower hashing algorithm. That's going to be a much better way to slow down the attacker than to make everybody change their passwords every 60 or 90 days, and by using a slower hashing algorithm you're not inconveniencing your users. They also point out that if you have an attacker that knows your passwords, well, they can install a keylogger into your system, and now when people change their password they can watch the user actually do that.

There's also some survey evidence that shows that changing passwords on a regular basis may not be all that helpful. There is some work that was done actually a while ago, but I think if you repeated this today you'd find very similar things, where users say, "When I know I have to change my password, I don't put that much effort into creating a good password in the first place," and so these users create weaker passwords. There was also a study that my students did at Carnegie Mellon University, and this is with Carnegie Mellon users and their passwords. So we set up a system so that when people changed their password, afterwards they were asked to fill out a survey, and the survey asked them, among other things, how annoyed were they right now for having to change this password. And we were able to correlate this with the password that they had just created, and we were able to show that the people who said that they were really annoyed, really pissed off right now, they were the ones who had the weakest passwords.

All right, so I took all of this evidence and I put it together and I wrote a blog post about this, and it was posted on the front page of the FTC website. One of the cool things about being the chief technologist at the FTC is I get to post these blogs on the front page of the FTC website, and they actually get read by a lot of people, and my understanding is that this particular blog post got forwarded to a lot of system administrators, and I've heard that a small number of them actually changed the policy. Now, I've also heard from others who said, "I might be convinced, but I still don't feel like I can do this. I still might get criticism. I need standards that tell me that this is okay; it's not enough just to see this on the FTC blog." We got a lot of press coverage; a lot of reporters were very interested in the idea that maybe this password expiry is not such a good idea. I'm not the only one saying this. In the UK, CESG has also been saying this; they blogged about this recently, and they actually had a report that came out, I think last year, that explained why this was not necessarily such a good idea. And then in May, NIST came out with the preview of their new guidelines about passwords, which you will hear about in a session later this morning, but among other things these new guidelines suggest that you don't have regular password expiry. So hopefully we will have this as part of a standard that people can point to.

So if password expiry is not really going to help us, what will help us? There's all sorts of ideas that people have. I want to highlight a little bit of research that my students at Carnegie Mellon have been doing to try to understand how we can help people make stronger passwords, and one approach is
to address misconceptions that people have about passwords. So we've done studies where we invite people into our lab and we watch them create passwords and talk to them about the passwords that they create. A really common misconception is that keyboard patterns are secure. We see people create keyboard-pattern passwords, and they're so proud of them: "Oh, aren't I so clever? This looks so random, but I just go diagonally down the keyboard." And some of those people will even say, "Yeah, I know if I went across the keyboard, oh, that's probably bad, but I went diagonal, isn't that great?" We need to make people aware that that is a misconception. Another one of my favorites: adding an exclamation point on the end will make it more secure. And of course we all know that that is wrong, but we have seen users in our lab create a password and they say, "Oh yeah, monkey's not a very good password, but I'll add an exclamation point on the end; now it's really secure."

We did a study online; my student Blase Ur led this study, and he presented it this spring at the CHI conference. In this online study we gave people pairs of passwords and we asked them to tell us which one is more secure, or are they equally secure. So we're going to have a little audience participation here; I want you all to try this. Okay, so I have two passwords, and you guys are going to tell me by a show of hands whether the one on the left or the right, or whether they're equally secure. Okay, so we have iloveyou88 and ieatkale88. So raise your hand if you think iloveyou88 is more secure. Okay. Raise your hand if you think they're equally secure. And now raise your hand if you think ieatkale88 is more secure. Okay, well, interesting, we have some split decision here. Our study participants thought they were equally secure. Probably they looked at them and said, "Well, they're the same number of letters, they have the same numbers in them, they're kind of similar." But actually ieatkale88 is four trillion times more secure. So why is this? Well, "I love you" is one of the most common words in passwords; it's somewhere really big on my dress, which, if you haven't noticed, contains the 500 most common passwords from the RockYou data breach. If your password is on my dress, definitely this is a time to change your password. Okay, so ieatkale88 is much more secure, or was until now, because apparently people don't eat kale, or maybe they don't like to brag about it.

All right, let's try one more. Which is more secure: brooklyn16 or brooklynqy? All right, raise your hand for brooklyn16 more secure. Okay, got a few hands. Raise your hand for they're equally secure. And raise your hand for brooklynqy. Ah, a lot more hands there. Okay, so our study participants thought that brooklyn16 was more secure, probably because they saw the numbers and said numbers in passwords are good. But as many of you knew, brooklynqy is 300,000 times more secure, and the reason for that is qy is a much less common thing to be in a password than 16, and so it actually ends up being more secure. So what we found is our participants were not completely wrong. They knew to avoid common names and phrases; they just didn't realize that "I love you" was a really common phrase. They knew that digits and symbols were good and added strength to their password, but they were oversold: they thought that they provided a lot more security than they actually do.

And interestingly, at the end of our survey we asked them about what types of attacks they thought their password would have to withstand: how many guesses do you think an attacker is going to make? Well, some people correctly said a really, really big number, as many digits as they could fit in the little box we gave them, but there were a lot of people who gave us one-digit numbers for the number of guesses. In their mental model of the situation, they assumed only that online attacker and really had no idea that there were any other types of attacks that they needed to worry about. So if that's the mental model you have, it's going to be difficult to actually create a strong password, and a lot of this is because of the feedback that we give users. The password meters that are on a lot of websites don't really give users the kind of feedback that they would need to actually create a stronger password. You know, it tells you your password is weak and that you need to create a stronger password. Okay, how do I do that? Most of these password meters don't really tell you. So my students at Carnegie Mellon are working on an open-source password meter that, besides having a good scoring mechanism, will provide what we hope will be really useful feedback to the users, and that's under development right now, and hopefully you'll hear about it at this time next year.

All right, so to wrap things up, I want to leave you with this URL. If you want to see my blog posts about passwords and all sorts of other interesting things, check it out at ftc.gov. Okay, you'll find the passwords blog; you can also learn about my experience with having my mobile phone account hacked, which was another exciting incident. And I will leave it there. Thank you very much.
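The expiry-versus-slow-hashing argument from the start of the talk, worked through as an added example (this is not code from the talk, the FTC, or the paper it summarises): a constructed back-of-the-envelope model in which the attacker guesses offline against a password hash at a fixed rate and a forced password change makes them start over. The parameters and attacker assumptions are mine, not the published analysis, and the model deliberately ignores the keylogger caveat the talk raises.

```python
"""Back-of-the-envelope model: password expiry vs. a slower hash.

Constructed for illustration (not the published model). Assumptions:
  * the attacker has a copy of the hash and guesses offline at a fixed rate;
  * candidate passwords are tried in a fixed order over a space of N entries;
  * the user's password is uniformly random in that space (a simplification
    that ignores the "I love you" problem the talk describes);
  * on expiry the user picks a fresh random password and the attacker has to
    start again from the top of the candidate list.
"""

DAY = 86_400  # seconds


def expected_crack_time(space_size, guesses_per_sec, expiry_seconds=None):
    """Expected seconds until the attacker hits the password."""
    # No expiry: on average half the space is searched before the hit.
    no_expiry = space_size / (2 * guesses_per_sec)
    if expiry_seconds is None:
        return no_expiry
    guesses_per_period = guesses_per_sec * expiry_seconds
    if guesses_per_period >= space_size:
        # The whole space fits inside one period: the search finishes
        # before any forced change, so expiry buys nothing at all.
        return no_expiry
    # Probability that a single expiry period ends in a successful guess.
    p = guesses_per_period / space_size
    # Number of periods until success is geometric with mean 1/p. Each
    # failed period costs the full interval; the successful one costs
    # half of it on average. This simplifies to N/R - T/2, i.e. expiry
    # can at best roughly double the attacker's expected work.
    return (1 / p - 1) * expiry_seconds + expiry_seconds / 2


def compare_policies(space_size, guesses_per_sec, expiry_days, hash_slowdown):
    """Gain factors of the two defences relative to doing nothing."""
    baseline = expected_crack_time(space_size, guesses_per_sec)
    with_expiry = expected_crack_time(space_size, guesses_per_sec,
                                      expiry_days * DAY)
    # A slower hash (e.g. more KDF iterations) cuts the guess rate directly.
    with_slow_hash = expected_crack_time(space_size,
                                         guesses_per_sec / hash_slowdown)
    return {
        "baseline_days": baseline / DAY,
        "expiry_days": with_expiry / DAY,
        "slow_hash_days": with_slow_hash / DAY,
        "expiry_gain": with_expiry / baseline,
        "slow_hash_gain": with_slow_hash / baseline,
    }


if __name__ == "__main__":
    # Constructed scenario: 10^12 candidates, 90-day expiry, and a hash
    # 1000x slower than the fast one, at two different fast-hash guess rates.
    for rate in (1e3, 1e6):
        result = compare_policies(1e12, rate, 90, 1000)
        print(f"rate={rate:.0e}/s", {k: round(v, 3) for k, v in result.items()})
```

At the slower guess rate expiry gains just under 2x while the slower hash gains 1000x; at the faster rate the whole space is searched inside one period and expiry gains nothing.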
Nice dress. Thank you, Lorrie; I hope you enjoyed that one. She will be around, as I said, for the rest of the day and probably also tomorrow. Our next keynote speaker is Michael Kaiser from the National Cyber Security Alliance, and he's here basically to help you. Earlier this spring they were doing World Password Day; I'm pretty sure all of you know about that day. And he's here to talk a little bit about what the National Cyber Security Alliance can do for you, and some other stuff as well. So please welcome Michael Kaiser. [Applause]

Thank you, thank you, Per. You know, it's really an honor actually to be invited to talk to you all this morning. You are really an incredibly important audience when it comes to cybersecurity and to how to build a safe and trusted and secure internet, which is really what we're all about at the National Cyber Security Alliance. Looks like we have this going here; hold on for one second. It's okay, you know, I'll just start talking a little about NCSA for a second. We are a public-private partnership. We work with government, we work with industry, we work with NGOs across the globe to promote education and awareness in cybersecurity, meaning teaching everybody how to use the internet more safely and securely. It's up, it's up, it's up... no, that's not his view, that's a different view. Okay.

So we work with companies all around the globe. We work with nonprofits like the Better Business Bureau, like EDUCAUSE, which is the IT professionals on college campuses; anybody here from EDUCAUSE, or an IT professional on a college campus? Try clicking... there we are. So these are the core initiatives of the National Cyber Security Alliance. I'll talk about these a little bit in a minute, but I'm really going to talk about creating a culture of cybersecurity: the Stop. Think. Connect. campaign (anybody heard of that? Yes, a few people; you should all know about this), National Cybersecurity Awareness Month (everybody should know about that), and Data Privacy Day. These are all programs that originated out of the National Cyber Security Alliance. Stop. Think. Connect. was actually developed with the Anti-Phishing Working Group, or APWG, and I know a lot of you know APWG. Here's our board member companies; these are the people that support us with funding, but also with some power. Oops, it's kind of going ahead there.

Look, I'm going to talk a little bit about a culture of cybersecurity here, but let me give you some basic truths about cybersecurity. We are only as strong as the weakest link. It doesn't matter where you are in that chain: if you're just a home user, or you're all the way up to protecting the most important government or industry enterprise, any weak link affects us all. The other truth we hold to be self-evident is that cybersecurity is a shared responsibility, right? That all of us play a role somewhere along the way in doing things to make the internet safer, more secure, and trusted. We like to say that everything you do to be safer actually makes the internet more secure for everybody else, right? So that's a really important notion that we've tested with people, and it is very strong.

But let's talk about how we talk about cybersecurity. This is how we normally talk about it: we make it scary, right? It's all these fear kinds of notions: there are hijackers, there are viruses, there's crime, you could be attacked, you could lose things, you could lose your identity, all those things. These are the outcomes of bad security, and we make it scary. We tell people: lock it down, don't use it, don't do this, don't do that. How many of you have teenagers? And if you give them a "don't" rule, you expect them to follow it? Not going to happen. That's human nature: when you tell people don't do things, they're not going to listen. How many of us talk about putting up walls between us and what we want to do online, right? That's the way we talk about security. If you're in security, you need to talk this way, right? This is your discipline, this is what you do. But when we talk about educating people to be safer and secure online, if we tell them you're not allowed to do things, don't do that, they're not going to listen to us, so we should never be surprised when they don't follow the rules. But what if we talked about security as enabling? What if we talked about building a safe and trusted internet? It isn't about stopping people from doing things, building walls around what they're doing; actually, good security allows you to do the things you want to do online. It lets you join communities, be connected with other people; it allows you to engage in commerce; it allows you to engage in content. And that's the way we start talking to people about cybersecurity and being safe online: about enabling them to do the things they want to do, as opposed to stopping them from doing the things they want to do. This is a change in the way people talk about
security. So why would I have a picture of a telephone in a cybersecurity discussion, and not just a telephone, an analog telephone, a rotary-dial telephone that's outlived its usefulness? Because when you think about it, the internet is a transformational technology, right? The technology we're doing is changing the world. Well, guess what: that device was a transformational technology as well. Before the telephone, the way we communicated with people was totally different, and there's something about this POTS, or plain old telephone service, that was really critical to its success over time, and that was: when you picked up that receiver, there was a 99.9% chance that you were going to get a dial tone, right? That was what they lived by, and it was safe, it was reliable, and for the most part it was secure. We can go into some discussions about that; obviously there are ways to get into telephone calls, but in general it was considered to be secure. If it hadn't been all those things, the telephone wouldn't have been a transformational technology. And by the way, it took 40 years from the introduction of the telephone to when more than 40% of Americans actually had one in their house. When you look at smartphones, it took 7 years from introduction to like 60% adoption, and in like 10 years it was like 90% adoption. So the way this transformational technology rolled out was also in a different time frame, but remember, the foundation of this was safety, security, and trust. That's what made the telephone a success, that's what allowed it to transform, and that's why we need security in the internet.

So how do we go from this world of fear, pain, loss to the happy internet, right? The happy internet: we're all connected, everybody's doing everything they want to do on the internet, we're chatting, we're texting, we're posting, we're sending emails, we're doing work, we're connecting with families, we're connecting with people we've never met across the globe, we're creating communities, we're doing all those great things. How do we get there? We create a culture of cybersecurity, right? A culture of cybersecurity. What does that mean? A culture of cybersecurity means that you can move through the world doing all the things you need to do to be safe and secure online, and that everybody learns how to use this technology safely and securely. That's what we need to do.

So let's look at a couple of transformations that we've made. We used to be a garbage society, right? People got stuff, they used it, they tossed it in a can; maybe it piled up on the street side. We all remember, maybe some of us are old enough to remember, how big litter was as an issue back in the day. Maybe some of you know: you'd go by the road, there'd be cans, there'd be bottles, there'd be garbage everywhere; cities were disgustingly dirty. But we've moved from a garbage society; we're on the path to a recycling society. Now, are we there yet? I don't think so. Are we closer than we were? Absolutely. I mean, can you think of the time that you were in a place that didn't separate, at some level, the garbage that you were generating in that space, whether it's a hotel room, a conference room, your office? So we're on our way to that; whether it's at home, you have to separate the things. We used to be a smoking society; we had a smoking culture, right? You could smoke anywhere, anywhere you wanted to smoke; there were no rules about smoking. You could smoke anywhere, and it was perfectly accepted as a normative behavior. Is smoking currently a normative behavior? Are you normal if you smoke, or ab... I don't want to say you're abnormal if you smoke, but really, generally, it's agreed upon that smoking is not the social behavior that we're trying to encourage. Are we a non-smoking society yet? Not yet, right? Even here in Las Vegas, I think there may be some casinos that don't allow smoking; some still do. We still have cigarette smoking available; it's been pushed to the side in many places, but we're moving in that direction. How long did it take to move in this direction? This did not happen overnight. Moving to a recycling society, moving to a non-smoking society, takes a whole bit of time.

So how do we move from the panic of the internet, right? And this really represents the way I think a lot of people think about the internet: "Oh my God, I'm going to be hacked. Look what just happened on my phone. How did this person get here? Why am I getting these posts? How come people are posting these things about me? Uh-oh, maybe somebody stole my password." We call our effort Stop. Think. Connect., right? We are looking at Stop. Think. Connect. as kind of that universal message for safety on the internet. We have "stop, drop, and roll" for fire safety, "stop, look, and listen" for railroad crossings, "stop, drop, and take cover" if you're from California or from earthquake country. This is a very simple message, which is explainable to anyone, about being safe online. This is an uber message; we'll talk about a couple other messages in a second. Let me say that very simply, it represents this: stop, make sure you've taken security precautions, like upgrading your software, like strong passwords or multi-factor authentication, like patching all your systems, right? Think about the consequences of your actions and behaviors online; remember that much of security is not only technical, it's behavioral, it's what people actually do, right? It's what they post, it's what they share, it's the kinds of things that they do online. And then the connect piece is really simple: it's back to that thought of connect and enjoy the internet, and enable yourselves to do the things that you want to do online. And that's really what Stop. Think. Connect. is all about.

I will tell you that this message, which was created in 2010, was created by 25 companies and seven federal agencies working by consensus over the course of a year. We did consumer-based research; we went out, we talked to consumers, we tested a whole bunch of messages with people, and this is the one that they liked the most, this message. And I'll talk a little bit in a second about how you can join this, but it's currently being used by more than 600 partners in 20 different countries across the globe. This is becoming the message; this is becoming the "look both ways before crossing" of security, and
that's really what we intended it to be. So thank you for the water, really appreciate that; I'll try not to spill it on the computer up here. So I'll talk a little bit more about Stop. Think. Connect., but since I was invited here by Per, I want to talk a little about passwords as an example around messaging that we need to look at. I think Lorrie did an amazing job talking about some of the issues, and she raised some of the ones that I think I'm going to talk about a little bit as well, but I think it's important to look at. So where do we go from here? I mean, passwords: even though a lot of people stand up and say they want to kill the password dead, right, it's not dead yet. I don't think it's going to be dead for a while, and it's still going to be critical; the role of users in developing passwords is not going to go away. We're not going to start assigning passwords to people any time soon, so we're counting on them to know what to do and to do it well. That's still a really important part of passwords. And here's the good news: it can't get much worse than where we are today, right? We still know that password123, or 12345678, or password23, or iloveyou, as Lorrie pointed out, or last year I think monkey was on the list, are still the most popular passwords. So the bar is very low for progress, but we have to make progress.

So why have we failed in passwords? What's gone wrong? So first of all, the long and strong passwords that we tell people to do are not designed for people with numerous accounts. We all know that, right? Too many accounts, too many passwords, too many unique passwords. We are human beings; we are incapable of good memory. Just as Lorrie showed, there's inconsistency in what sites deem a strong password. We as the community have not communicated clearly back out to our users what is a good password, and different sites use different ways for determining what a strong password is. "You lost me at different sites": if I'm a user and I have to have a different framework for making a strong password on every single site I go to, very, very difficult for me. There are too many messages about passwords, and I'll talk about this in a second. Advice is often technical, right? You can see people go blog "how to make a strong password," and you'll see all this technical advice about how to do it: do this, do that, add this, add that. Very, very technical. People do not like technical advice. When we did the Stop. Think. Connect. research, one of the strongest things that came back when we asked people about being safe online, they said, "Give me common-sense advice that's in my control, that I can do, and I will be more secure online, and I will help you." We don't even have agreement on what makes a good password, right? We don't agree on this. Some people say you've got to have numbers and symbols, some people say it just has to be long, some people say you have to have capital letters. We are not communicating clearly to people what makes a good password. We all have ideas about what makes good passwords; as security people we all have our own notions, we have some research which shows one thing over the other, but even doing the little test that Lorrie did, you could see that there's some disagreement in the room about what makes a good password. So we as the messengers, and we are the messengers on this issue, need to look at that in greater depth.

The other thing is that when we create messaging, often people will say, "I have the perfect system for creating a strong password." How many of you have your own system for creating a strong password? A lot of us, right? How many of you have been asked to share that system with other people? Right. How many of those other people could actually use your system? I see some people believe that, but I'm telling you, you can't have 9 million systems for creating a strong password; that's too much to educate people on. So this is an issue about how we educate, and I see this all the time: you can go look, there are tons of blog postings about "I have the perfect system for creating a strong password," and when you read it you'll realize that no one else could do it but you. So good for you, but maybe not transferable to everybody else, and that's been part of the issues on the password piece.

Oh, sorry, I got a little cut off here, but this is sort of looking at some messaging. So here's the way we've changed our messaging a little bit. "Make a better password," not "long": it used to be "long, strong, and unique," right? "Make a better password." I guarantee you, not 100%, but if you start asking people, they will tell you they know that their password's no good. You don't have to have them... because they know; if you ask them, "Is your password any good?" they'll probably say it's not. So make a better password; just make it better. Whatever you want to tell them to make it better: make it a little longer, make it something like that. But don't just say every account has to be long, strong; just make a better password. Get people to fall on their own sword: ask them, how good are your passwords? They're going to tell you they're not very good. Okay, let's make them better. I think Lorrie really, this was her point, you know: only change them, really. This is important. If you want them to have a strong password, only get them to change it when it's absolutely necessary. I think it really helps them remember it; it encourages them to do a better job. We totally agree with that.

Start by focusing on core accounts. One of the issues in messaging about passwords is that we say you've got to have long, strong, and unique passwords, right? Well, people could have 20, 30, 40, 50, 60 different accounts; that's not possible. So what is it? You know, in security we always talk about protecting the core, getting around it, building up layers. What's the most important account you have? For me, when we talk about this in the media and people ask me this question, I say the most important account you have is your email account, and that should be the account with the strongest entry access as possible, the strongest way to get in. Why is that? Pretty simple: if I can get in your email account, then most likely I can reset your password on every other account that you have. So even more important in some ways than your financial account, and also your bank's probably doing a little more on the backend authentication to make sure it's really you anyway, to start out with. But those core accounts: we've got to focus people on the things that are common sense, that are in their control, and that they can do. Really important.

And encourage the use of tools where appropriate. At NCSA we don't promote tools, we don't recommend tools, but there are obviously a lot of tools out there around passwords and account access that can be used. We are certainly very much in favor of using other things beyond the password; we think that's really important. Right now we're working with the White House and industry on developing a campaign that comes out of the Cybersecurity National Action Plan from the president, about educating people about stronger authentication and the many, many different ways that it will be available to you. But you know, people have to also get ready to use those tools; they're not necessarily widely available, and we're not saying that just because a service doesn't use
some form of stronger authentication that it's not secure, right? But obviously that's the way the world is moving. So that's some messaging that we can think about.

And then let me just talk about NCSA a little bit, because that's what Per really asked me to do, so people know about us. We are the education and awareness folks. We have a ton, ton, ton of materials that can make your life easier if any of you have jobs educating people on this stuff. We have tip sheets, we have posters, we have videos across many topics. We do all kinds of editorial calendars; this year we did safe and secure online digital weddings, right? Almost every bride now plans her wedding online; why not get to her while she's doing that and teach her about other things in cybersecurity? You know, when you speak to a potential bride, she doesn't want to lose all the family photos that were taken and posted online; she doesn't want all this personal information about her guests released to the public. So we do that. We do online travel, we do kids going back to school, we do all kinds of topics that we do all these kinds of materials about. On Stop. Think. Connect., which I'll also talk a little bit more about, you can access materials that can be branded through a free license. Like I said, there's 600 partners across the globe; you put your campaign with the uber campaign, right? The FTC's, for example, their OnGuard Online site, which is now on the FTC main site, uses Stop. Think. Connect. DHS, the Department of Homeland Security, is our partner in disseminating. We have many, many corporate partners, from Google and Microsoft and others, who use this; we have tons of nonprofits across the country that are using it; we have local police departments, we have schools, we have municipalities, you name it. There are people who are doing this, and what this does, what's really important in all of this, is that we have a harmonized message, and that's what Stop. Think. Connect. is, right? You cannot have 500 messages about how to stay safe online; people will not stick with it. That's what we learned when we did the research for Stop. Think. Connect.

We organize the community around awareness. We have places that people can plug into us and tell us what they can do, what we're doing. And for those of you who don't know, we have a super active social media presence. I've got some resources at the end here, but by the way, my Twitter handle is MKaiserNCSA, and if you have questions and you want to tweet them to me today, I'll try and answer them for you, or anytime, actually; please feel free to do that. Social media is very important to us. So here's just an example of some of the kind of collateral that we collect. These are mostly web banners, all branded to Stop. Think. Connect. People can take these kinds of things, put them on their website, and direct people to their own resources; we don't demand that people reflect them to us. Just an example of the kinds of messaging we have: "Own your online presence," really a message about taking control of your social media presence, about, again, thinking about what you post. "Make the internet safer for everyone," that message: safer for me, more secure for all. Just some general things. And we do have many, many languages now of Stop. Think. Connect., because it has gone global in many different ways.

So some of the things, like I said: Cybersecurity Awareness Month is in October. It's four weeks; every week has a theme, from staying safe online generally, to cybersecurity from the break room to the boardroom, looking at cybersecurity inside companies. We'll be looking at IoT, really not only IoT, very broadly the connected devices this year, from the connected car to the connected home to the connected enterprise: how are we going to secure that space as well? We'll be looking at some other issues as well; we'll focus on some special populations like seniors. Cybersecurity Awareness Month, which was created by NCSA and the federal government, the Department of Homeland Security, now is in Canada, it's EU-wide, it's a week in Australia, and it's being developed and propagated throughout South America by the Organization of American States. We believe that in just a few years October will become the global cybersecurity awareness month for everyone. So that's what we're working towards; that is all organic growth on its own. Stop. Think. Connect., as I said, you can sign up for that. And Data Privacy Day in January: NCSA believes very strongly that security and privacy are deeply related. Our theme is respecting privacy, safeguarding data, and enabling trust. We believe that you have to respect personal information, you must safeguard what you have, and that builds trust.

And so finally, here's some resources on us, here's where you can find us. Please come and see us, come to our Facebook page, hit us up on Twitter, ask some questions. I really appreciate the opportunity to be here today. I think you guys have a phenomenal crowd, a great conference, and please let us know any way that we can help you make your work easier. Thank you.