On 3/27/06, Alen Peacock <alenlpeacock@gmail.com> wrote:
> ... The overarching theme of the book is that theoretically secure systems with usability problems end up being neither secure (because users subvert them) nor usable.
very true.
> Some findings from Chap 7 include the fact that a significant number of users did not comply with instructions for password generation
It is my personal hunch that if users had just one password they needed to remember, they could remember a good one. The Janus stuff we are working on uses loop-AES volumes specifically so you can store passwords in a browser, store capability URLs, keep accounts and logins in a text file, etc. [I'd love to know of any studies to this end, though. I have tried experiments to see just how much entropy I can commit to memory, and it is more than enough for a good interactive authentication. I think this is within the ability of most, if they had a desire to do so and understood the benefit.] So the goal is to provide a usable system with a single password, and make it user-centric, so that all the other credentials and secrets associated with other digital identities can benefit from this bootstrap (and presumably share this more secure bootstrap).