Security aspects:
• Confidentiality: in this aspect the property that information is not made available to unauthorized individuals is important. Passwords in the ‘high’ password complexity categories lead to behavior forbidden by many security policies, increasing the risk of the password being obtained by unauthorized individuals. This aspect is therefore only considered to be met in the moderate-low password complexity category;
• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets is important. Passwords in the ‘high’ password complexity categories lead to “work arounds”, increasing the risk of the password being obtained by unauthorized individuals. This aspect is only considered to be met in the moderate-low and moderate-high password complexity categories;
• Availability: in this aspect the property of being accessible and usable upon demand by an authorized user, in this case of the system, is important. Passwords in the ‘high’ password complexity categories lead to “work arounds”, increasing the risk of the password being obtained by unauthorized individuals, who can then manipulate or remove data (= information) in the system, making the data unavailable. This aspect is therefore only considered to be met in the moderate-low and moderate-high password complexity categories.

As discussed in this paragraph, the goal is to gain access to the system by means of password security. We have seen that users need to cope with complicated and/or complex passwords for different systems. Forcing users to change their password periodically through the system makes it even more difficult for users to remember their password. Passwords for systems that are not used frequently are even more difficult to remember. Users therefore behave in ways forbidden by security policies and ‘best practices’. We have also seen that there are ways to use both secure and usable passwords, but this is often not supported by the system. Furthermore, we think that the more complex and difficult to remember passwords are, the more ways users will find to make them more usable, thus decreasing the level of security.

The table below illustrates the results of our classification based upon the analyses performed in this paragraph:

                               Usability                                   Security
Password complexity   Criteria met (Effectiveness,   Level      Confidentiality  Integrity  Availability  Level
category              Efficiency, Satisfaction)
High                  X                              Low        -                -          -             Low
Moderate-High         X X                            Moderate   -                X          X             Moderate
Moderate-Low          X X X                          High       X                X          X             High
Low                   X X X                          High       -                -          -             Low

Table 2: Password levels

3.3.2 Challenge questions

Challenge questions are used, among other things, as an automated means of password or credential recovery. This can be performed by a help-desk call or performed automatically through confirmation of a user’s response to previously stored questions and answers. During recovery, the user is challenged with a question and is therefore required to provide the correct answer. Challenge questions offer the same potential
for abuse if the system is not usable (e.g. writing down the password). And if it is not usable, users may also be unwilling or unable to recover automatically, thereby triggering more expensive manual recovery. Thus, the security and usability of the system are a major concern. A poorly designed challenge question system can dramatically weaken the security of an otherwise strong password system [26]. With regard to the types of questions, we can distinguish three types [27]:
• Fixed: the system provides a list of administrator-chosen questions to the user, where the user’s choice of question can only be taken “as-is” from this list;
• Open: the user has complete choice and control over the question; guidance on question construction may be provided to the user, but the user enters the question in free-form text;
• Controlled: a shorter list of general questions is constructed by the system manager. This inherently provides some guidance for the user (relative to an open question) and allows further personal customization.

According to Mike Just there are some issues related to the types of questions and answers [27]:

Types of questions
• Security: With a fixed question, users are prevented from poor question selection, e.g. “What color is my car?” This is a poor question since the resulting answer space is insecure because of its low entropy. A security advantage is therefore provided, since the likelihood of choosing a “bad question” is reduced. With an open question, users might select a question that is “bad”, though capable users are able to select more secure questions. Controlled questions offer a balanced alternative, helpful for question design when an exhaustive list of suitable fixed questions cannot be constructed. However, controlled questions also share the weaknesses of open questions, as the question or hint entered by the user can be insecure;
• Usability: With fixed questions, users are not required to construct their own questions at registration. This offers both an advantage and a disadvantage, depending on the ability and desire of a user to choose their own questions. An open question would offer similar disadvantages and advantages. As discussed above for the security issues, a controlled question allows some guidance to be provided to the user, in the form of a general yet partially focused question, while allowing some flexibility via customization. Repeatability and memorability of the hint are not a concern, since the hint is shown to the user when the answer is requested.

Types of answers
A fixed answer set involves user selection of an answer from a preset list of answers. The other extreme is an open answer, where the user manually enters his response. Guidance may be provided as part of answer registration, but the answer is entered in free-form by the user. A subtle variation is a controlled answer, where the answer space is neither fixed nor open [26]:
• Security: With a fixed answer set, users are prevented from selecting insecure answers. With open answers, a larger variation in the answer space is provided, though for certain questions a user would be able to select highly probable answers. There do not seem to be any significant security advantages offered by using a controlled answer other than supporting a large answer space.
• Usability: With a fixed answer list, memorability and repeatability may be hampered if there is no unique answer to satisfy a user’s preference. With an open answer list, memorability and repeatability may be better than with a fixed list, though also problematic if the registered answer is