Usable Security Final Exam Quiz Answer
By University Of Maryland
About this Course
This course focuses on how to design and build secure systems with a
human-centric focus. We will look at basic principles of
human-computer interaction, and apply these insights to the design of
secure systems with the goal of developing security measures that
respect human performance and their goals within a system.
Week 7 - Final Exam Quiz
Q1) Company ABC's password policy has always been that the system
generates passwords for its users instead of letting them pick their own.
The passwords are random 8-character strings with upper and lower case
letters, numbers, and symbols for users (e.g. "48j4Z.mp"). Every six
months, the password is changed to something new. Because password resets
are a security danger, users are not allowed to reset their passwords if
they forget them. Instead, they need to go to the company's IT office
which looks up their existing password and gives them a printout with the
password on it.
(note: this is a true example - I worked at an organization that had
exactly this policy)
Answer questions 1-13 about Company ABC's policy.
True or false: the passwords that the system generates are very hard to
crack?
Q2) Which method would work best if trying to crack one of Company ABC's
passwords?
- Brute force
Q3) What is the biggest usability problem with Company ABC's
passwords?
- Employees don't like them (user preference)
- They take a long time to type in (speed)
- They are hard to remember (memorability)
- It is too easy to make a typo while entering the password (efficiency)
Q4) Which of the following is the most likely response to Company ABC's
password reset policy?
- People will lose work time trying to memorize their new passwords every
  six months
- Users will write down their passwords
Q5) True or false: a policy that allows users to reset their passwords
automatically (e.g. if a user forgets their password they can enter
their user ID and have a new password emailed to the address that the IT
office has on file) may lead to users choosing more complex passwords.
Q6) True or false: a policy that lets users reset their passwords
automatically would be more usable.
Q7) True or false: a user-chosen 8-character password would be more
difficult to break than the existing system-generated passwords.
Q8) True or false: a user-chosen 8-character password would be more
usable.
Q9) True or false: a user-chosen 8-character password could be more
secure.
Q10) True or false: an automatically generated password that combined 4
unrelated common words would be harder to break
Q11) True or false: an automatically generated password that combined 4
unrelated common words would be more usable
Q12) True or false: Increasing the usability of Company ABC's password
policy would lead to greater security
Q13) True or false: There is a conflict between creating a usable
password system and the most secure password system
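As an added illustration (not part of the quiz or the course), the keyspace arithmetic behind questions 1, 7 and 10: an 8-character random string over an assumed 94-symbol printable alphabet versus a passphrase of 4 words drawn from a word list of assumed size, with the guess rate an assumed, constructed figure.

```python
import math

PRINTABLE_ALPHABET = 94   # assumption: upper, lower, digits and US-keyboard symbols
WORDS_PER_PASSPHRASE = 4  # as in questions 10 and 11


def keyspace(alphabet_size, length):
    """Number of distinct strings an attacker must exhaust in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string of this alphabet and length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time for an attacker who can test the whole space."""
    return space / guesses_per_second


def compare(guesses_per_second=1e10, wordlist_size=7776):
    """Compare the two generation schemes.

    The random 8-character string cannot be attacked with a dictionary, so
    brute force over the full alphabet is the attacker's only option. For the
    4-word passphrase the attacker is assumed to know the word list, so the
    space is wordlist_size ** 4 regardless of how long the words are.
    Both 1e10 guesses/second and the 7776-word list are constructed assumptions.
    """
    random_space = keyspace(PRINTABLE_ALPHABET, 8)
    words_space = keyspace(wordlist_size, WORDS_PER_PASSPHRASE)
    return {
        "random8": {
            "keyspace": random_space,
            "bits": entropy_bits(PRINTABLE_ALPHABET, 8),
            "days_to_exhaust": seconds_to_exhaust(random_space, guesses_per_second) / 86400,
        },
        "words4": {
            "keyspace": words_space,
            "bits": entropy_bits(wordlist_size, WORDS_PER_PASSPHRASE),
            "days_to_exhaust": seconds_to_exhaust(words_space, guesses_per_second) / 86400,
        },
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name}: {stats['bits']:.1f} bits, "
              f"{stats['days_to_exhaust']:.1f} days to exhaust at 1e10 guesses/s")
```

Which scheme is stronger depends on the size of the word list: with 7776 words the passphrase has slightly less entropy than the random string, and with 20,000 or more words it has more.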
Q14) Company XYZ is a defense contractor. They need to make sure that
only authorized people enter their facilities. They have decided to
install a new biometric authentication station outside the gate that
protects the parking lot. Employees will need to authenticate in order
to be let in. Answer questions 14-20 about Company XYZ.
How should the security system be designed?
- The designer should look for which biometric authentication systems
  are easiest to implement
- The designer should choose the biometric authentication mechanism
  that has the most support in her preferred programming language
- The designer should rely on her own experience entering the gate to
  decide which authentication scheme will work best.
- The designer should sit at the gate during the busiest time of
  morning and evening and watch people come in and out
Q15) If someone tries to authenticate and they are not recognized,
the system designer is considering adding a delay before they can try
to authenticate again. Which is the best delay?
Q16) A survey shows that a surprisingly large percentage (25%) of
employees ride motorcycles to work, wearing the standard protective gear
of helmets, leather jackets, and gloves. Which of the following would be
a poor biometric tool based on this fact?
Q17) The designer has decided to use a free gesture system to
authenticate people, but the hardware for a gesture-detection system
that is weatherproof is very expensive. As she is eating lunch in her
office, she is contemplating the next step. What should she do?
- She should make the system work on her computer with hardware she
  has and test it in her lab. If it works there, she should buy the
  expensive system and implement it at the gate.
- Her lunch's pizza box is about the size of the gesture reading
  hardware. She should paint the box and position it at the gate
  where the real tool would go, and then ask people to pretend to
  authenticate as they come in so she can get information about the
  process. If people don't like it, she can revise the design.
- She should buy the hardware and implement the system, followed up by
  training for employees who have trouble. Since she is a designer and
  security expert, she knows that this system is the best way to go.
Q18) The free gesture system is implemented, and all employees have
stopped by the IT office to teach the system what their authenticating
gesture is by entering it on a touch screen in the office. A couple
weeks later, people who drive SUVs start complaining that they
sometimes need to enter their gesture 4 or 5 times because it is not
recognized (probably because they are making it from an odd angle -
their cars are high up above the device where they enter their
gesture). What type of usability problem is this?
Q19) What is a good solution for the SUV drivers?
- SUV drivers should be given additional training on how to properly
  enter a gesture
- When they teach the system what their authenticating gesture is,
  they should do it from their car rather than in the IT office so
  there is a better match between their "true" gesture and what they
  enter when they drive in
- SUV drivers should, instead, be required to type in a password on a
  touch
Q20) After a while, the IT office complains to the designer that
people keep coming in having forgotten their gestures. This is a
problem because traffic backs up when a person can't remember the
gesture, it takes a lot of time to reset the gesture, and people are
trying to get around the system by closely following the person in
front of them through the open gate. The designer decides that from
now on, when people create new gestures, it should be the person's
normal signature. Which usability aspect does this improve?
Q21) Answer questions 21-24 about Company 123.
Company 123 is creating a social network designed to compete with
Facebook. They begin by copying Facebook's interface exactly, except
they change the name and make it green instead of blue. How does this
help usability?
- It lets users rely on existing mental models
Q22) Company 123 writes a privacy policy that is written in
easy-to-read language at a 6th-grade reading level and is exactly 1
page long when printed and that covers all the major points of their
privacy - mainly, that no data is ever shared except with people the
user lists in their own privacy settings. Which of these five pitfalls
does their policy avoid?
- Lacking coarse-grained control
- Obscuring actual information flow
- Emphasizing configuration over action
- Obscuring potential information flow
- Inhibiting established practice
Q23) Is a 12-year old in 7th grade able to give informed consent to
this policy?
Q24) A designer at Company 123 is considering changing their login
interface so the password box shows the last character typed for 1
second before changing it to the standard star or dot that prevents
over-the-shoulder attacks. They hope this will help people spot when
they have made a typo as they enter their password. How should she
determine if this is a good change to make?
- Show both versions to all the designers at Company 123 and have them
  choose which is the best
- Run a full usability study on the site with new and old version of
  the login system
- Show users both versions and ask them to vote
- Run an A/B test and see which version has fewer failed logins
Q25) True or false: error messages should limit technical detail in
favor of plain language.
3 Comments
Thanks for this dude.. u r working so hard...
Thank you so much bro. Finally I found the right answer from your website.. keep working
Thanks a lot for your support