Research from Dartmouth College Computer Science regarding users and security:
In real world domains, from healthcare to power to finance, we deploy computer systems intended to streamline and improve the activities of human agents in the corresponding non-cyber worlds. However, talking to actual users (instead of just computer security experts) reveals endemic circumvention of the computer-embedded rules. Good-intentioned users, trying to get their jobs done, systematically work around security and other controls embedded in their IT systems.
Source: Mismorphism: a Semiotic Model of Computer Security Circumvention by Sean W. Smith, Ross Koppel, Jim Blythe, Vijay Kothari
The National Institute of Standards and Technology (NIST) issued an update to its password guidelines in June 2017 titled Digital Identity Guidelines (SP 800-63-3). Many of the guidelines that previously existed in the industry as best practice with credentials have been replaced with simpler, more user-friendly approaches.
Examples of new guidelines in the Digital Identity Guidelines (SP 800-63-3):
- Length of passwords between 8 – 64 characters are recommended.
- Character types of nonstandard characters, such as emoticons, are allowed when possible.
- Long passphrases are encouraged and should not match entries in the prohibited password dictionary
- Password reset frequency should be primarily triggered on if the password is compromised or forgotten
- Multifactor Authentication is encouraged in all but the least sensitive applications
Related Links and Additional Reading:
The Chromensics tool is developed to read all information from chrome browser directory and present it to user, in easy readable tabular format which can be explored in descent interface without running the chrome browser. The tool will also allow you retrieve information from other chrome installation brought from different machine for analyzing. The acquired artifacts can be exported in PDF report to present it in court of law or to superiors.
An interesting approach to a Man-in-the-Middle Attack against a Password Reset System
The PRMitM attack exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level. The attacker initiates a password reset process with a website and forwards every challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it.
Source: The Password Reset MitM Attack