269 research outputs found

    “Ten strikes and you're out”: Increasing the number of login attempts can improve password usability

    Many users today are struggling to manage an increasing number of passwords. As a consequence, many organizations face an increasing demand on an expensive resource – the system administrators or help desks. This paper suggests that re-considering the “3-strikes” policy commonly applied to password login systems would be an immediate way of reducing this demand. We analyzed 10 weeks' worth of system logs from a sample of 386 users, whose login attempts were not restricted in the usual manner. During that period, only 10% of login attempts failed. We predict that requests for password reminders could be reduced by up to 44% by increasing the number of strikes from 3 to ten

    The Encyclopedist Code: Ancien Droit Legal Encyclopedias and Their Verbatim Influence on the Louisiana Digest of 1808

    This Article identifies nearly one hundred articles and provisions in Louisiana’s first civil code, the Digest of 1808, which were copied verbatim or almost verbatim (that is, literally or almost literally) from three French legal encyclopedias popular during the Ancien Régime: Lerasle’s Encyclopédie méthodique: Jurisprudence (8 vols., 1782–89), Jean-Baptiste Denisart’s Collection de décisions nouvelles (1st ed., 6 vols., 1754–56), and Joseph-Nicolas Guyot’s Répertoire de jurisprudence (2d ed., 17 vols., 1784–85). As the Appendix indicates, verbatim and almost verbatim extracts from Lerasle, Denisart, and Guyot constitute approximately five per cent of the Digest’s source material. This Article therefore serves as a supplement (and partial corrective) to Rodolfo Batiza’s 1971 and 1974 studies of the Digest’s “actual sources”. The present study argues that the Digest’s primary redactor, Louis Moreau Lislet, borrowed language from French legal encyclopedia entries largely for pedagogical purposes, including introducing into Louisiana’s new civil code civilian definitions and other material that would be useful for lawyers and judges trained in the common law. As a result, Louisiana’s first civil code possesses a didactic quality that is absent from its Napoleonic prototype. Equally important, this study suggests that earlier scholars’ assumptions that the Digest’s source material reflects Louisiana’s mixed Spanish-French legal history should be revisited: while discovery of a significant presence of French legal encyclopedic sources certainly reveals the drafter’s preference for, and familiarity with, ancien droit legal literature, it further undermines previous assumptions about the widespread indirect influence of Roman and Spanish-Castilian sources

    Early 20th Century Perceptions of Civil Law-Common Law Difference: F.L. Joannini’s Spanish-English Civil Code Translations in Context

    The proper method for translating Spanish and Portuguese civil law concepts into English was a topic of debate among civil law scholars and comparatists at the turn of the last century. This article examines the translation approaches of three Americans (Clifford Walton, F.L. Joannini, and Joseph Wheless) who independently translated the Spanish, Colombian, Argentine, and Brazilian Civil Codes during the period 1899-1920. Specifically, Walton’s (1899) Spanish Civil Code translation’s use of common law English is contrasted with Joannini’s Colombian (1905) and Argentine (1917) Civil Codes translations’ preference for a “civilian” legal lexicon, including substantial borrowing from the special civil law English vocabulary of the Louisiana Civil Code. Joannini’s as well as Wheless’s use of civilian terminology received mixed reviews in law journals. Disagreement among comparatists about the translators’ methods is explored below and placed within the context of contemporary English-speaking scholarly paradigms of civil law-common law difference, including attitudes to civilian terminology. The article concludes with observations about the role of intellectual history and political crosscurrents—especially the creation of new mixed legal systems during the 19th and early 20th centuries—in shaping English and American attitudes to the civil law tradition in general and to legal translation in particular

    Validating Design Knowledge in the Home: A Successful Case-study Of Dementia Care

    This paper reports research, which aims to validate design knowledge, as the products of a structured analysis and design method (MUSE – Lim and Long, 1994). The products or ‘containers’ of the method (MUSE(C)) are used in the re-design of a range of domestic technologies, intended to support dementia care in the home. The case-study is judged a success. An evaluation showed the technologies to be more effective following re-design. The design products were shown to be correctly operationalised. Problems in their application are documented. MUSE(C) can, thus, only be considered to have been partially validated. The solution of these problems constitutes a requirement for future research

    Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security

    The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the 'weakest link in the security chain'. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security

    Investigating loan applicants' perceptions of alternative data items and the effect of incentives on disclosure

    Lenders use information about loan applicants to predict whether a person is a good or bad credit risk; however borrowers express reservations about disclosing their personal information. In this paper we describe the design of a study in which we try to identify which data items have bigger privacy costs for individuals and whether it is possible to adjust lenders' data collection procedures in order to improve the privacy of the borrowers while maintaining or improving the accuracy of risk assessment methods. We aim to explore whether consumers could be equitably encouraged to give different information than they do presently, by offering incentives for disclosures. These incentives are: an uncertain long term financial gain; a certain short term financial gain. We also explore an inequitable manipulation using peer pressure. The advantages and disadvantages of this methodological approach are also discussed

    Adding insult to injury: consumer experiences of being denied credit

    To inspire confidence in consumer credit and improve outcomes for consumers, negative experiences such as being denied credit must be handled appropriately. We conducted an online survey with 298 UK citizens who had a credit application denied to gain a better understanding of their experience of being denied credit. We found that privacy issues make this experience more upsetting for consumers than necessary. When being denied credit, respondents are most concerned about (1) being denied credit ‘in public’; and (2) not being informed about the reasons why they are denied. Only 23% of our respondents knew why they had been denied; 116 (62%) believed they had been denied credit because of their credit record, but 28% had never checked it. Out of the 194 respondents who had checked their record, 38 identified errors in their credit reports, and in 14 of these cases (38%) debts that they had paid off were incorrectly listed as outstanding. Based on our findings, we propose several changes to the credit application process: (1) providing sensitive but helpful information in a private manner, e.g. a preview of their credit score before they commit a loan application; (2) credit denial notifications with information on what to do next; and (3) giving applicants more information about checking their credit report and who to contact for correcting errors

    Too close for comfort: A study of the effectiveness and acceptability of rich-media personalized advertising

    Online display advertising is predicted to make $29.53 billion this year. Advertisers believe targeted and personalized ads to be more effective, but many users are concerned about their privacy. We conducted a study where 30 participants completed a simulated holiday booking task; each page showing ads with different degrees of personalization. Participants fixated twice as long when ads contained their photo. Participants reported being more likely to notice ads with their photo, holiday destination, and name, but also increasing levels of discomfort with increasing personalization. We conclude that greater personalization in ad content may achieve higher levels of attention, but that the most personalized ads are also the least acceptable. The noticeability benefit in using someone’s photo to make them look at an ad may be offset by the privacy cost. As more personal data becomes available to advertisers, it becomes important that these trade-offs are considered

    Would You Sell Your Mother's Data? Personal Data Disclosure in a Simulated Credit Card Application.

    To assess the risk of a loan applicant defaulting, lenders feed applicants’ data into credit scoring algorithms. They are always looking to improve the effectiveness of their predictions, which means improving the algorithms and/or collecting different data. Research on financial behavior found that elements of a person’s family history and social ties can be good predictors of financial responsibility and control. Our study investigated how loan applicants applying for a credit card would respond to questions such as “Did any of your loved ones die while you were growing up?” 48 participants were asked to complete a new type of credit card application form containing such requests as part of a “Consumer Acceptance Test” of a credit card with lower interest rates, but only available to “financially responsible customers.” This was a double-blind study – the experimenters processing participants were told exactly the same. We found that: (1) more sensitive items are disclosed less often - e.g. friends’ names and contact had only a 69% answer rate; (2) privacy fundamentalists are 5.6 times less likely to disclose data; and (3) providing a justification for a question has no effect on its answer rate. Discrepancies between acceptability and disclosure were observed – e.g. 43% provided names and contact of friends, having said they found the question unacceptable. We conclude that collecting data items not traditionally seen as relevant could be made acceptable if lenders can credibly establish relevance, and assure applicants they will be assessed fairly. More research needs to be done on how to best communicate these qualities

    Federated identity to access e-government services - are citizens ready for this?

    Both the US & UK governments have decided that citizens will authenticate to government using Federated Identity (FedID) solutions: governments do not want to be Identity providers (IdPs), but leverage accounts that citizens have with other service providers instead. We investigated how citizens react to their first encounter with FedID authentication in this context. We performed 2 studies using low fidelity prototypes with: in study 1, 44 citizen participants, & in study 2, 22 small business owners, employees & agents. We recorded their reactions during their user journey authenticating with 3rd party providers they already had accounts with. In study 1, 50% of participants said they would not continue to use the system on reaching the hub page, & 45% believed they were being asked to make a payment. 25% of those continuing said they would stop when they reached the consent page, where they were asked by their IdP to authorise the release of their identifying information to the government service. 34% of the participants felt threatened rather than reassured by the privacy protection statement. With study 2's improved prototype, only 14% of participants said they would not continue on reaching the hub page, & 6% abandoned at the consent page. Our results show that usability & acceptance of FedID can be greatly improved by the application of standard HCI techniques, but trust in the ID Provider is essential. We finally report results from a survey of which ID providers UK citizens would trust, & found significant differences between age groups. © 2013 ACM