Insights into passwords: secrets and security

Forgot your password? In a world where we enter multiple passwords a day, forgetting one is a common occurrence. According to Dashlane, the average inbox holds 37 forgotten-password emails, and the number of accounts we protect with passwords doubles every five years. The Norwegian Centre for Information Security found in 2012 that the average person had at least 17 passwords, and the number grows further once the 8.5 work passwords we hold on average are counted.

It is worth noting that many online password statistics come from password management companies. With a password needed for every new account and an increasing number of rules for making them strong, we now have apps whose sole purpose is to manage passwords. The catch is that a password manager is itself protected by a password, so passwords remain an inescapable part of modern life. More disturbing still, password managers themselves can be breached.

A closer look at passwords

What’s in a password? A password is a word we use to keep our information safe, but often it is also a key that helps us remember. The Secret Life of Passwords by Ian Urbina for the New York Times is a fascinating study of the stories behind passwords. He explores the idea of the password as keepsake: humans use sentimental, nostalgic and personal triggers such as birthdays and pets’ names to create passwords. This often makes a password weaker, but it also makes the password easier to remember.

Urbina also examines themes that passwords take such as love, noting the categories “familial, unrequited, platonic, failed”. The passwords we use can become personal reminders — memories that are brought to life every time we access a particular account. Urbina quotes computer scientist Joseph Bonneau, “People take a nonnatural requirement imposed on them, like memorizing a password… and make it a meaningful human experience”. As websites move to create more rules for stronger passwords, how might this affect the experience of passwords? Is this why we forget stronger passwords — because we find them harder to connect with?

Change it up

In some organisations, passwords must be changed every 30 days. It has been a long-held belief that changing passwords frequently increases the security of an account. As recently as early 2016 the Federal Trade Commission tweeted the recommendation: “Encourage your loved ones to change passwords often, making them long, strong, and unique”.

Dan Goodin’s Ars Technica article challenges this advice, citing a 2010 study, The Security of Modern Password Expiration[1]. According to the study, forced password change is meant to work because it “narrows the window within which an account is usable to an attacker before he has to take additional steps to maintain access” (Alexander, cited in Zhang, Monrose and Reiter). That rationale presumes the account is already compromised: expiration limits how long a stolen password stays useful, but it does nothing to stop an attacker who is still guessing, and it only helps if the replacement password cannot be derived from the old one.

Frequent password change should also narrow an attacker’s opportunity to guess the password before it changes. Chiasson and van Oorschot examine exactly this in their 2015 study, Quantifying the Security Advantage of Password Expiration Policies[2], and find the advantage to be minor compared with the cost the policy imposes on users.

Nonetheless, Goodin notes “Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking”. An example of this increased susceptibility is the behaviour of users who, when forced to change their password at regular intervals, simply add or substitute a digit so that the new password stays memorable. The 2010 study exploited exactly these patterns: by applying such transforms to a user’s expired password, the researchers recovered the replacement for at least 41% of accounts in seconds offline, and for at least 17% of accounts in five or fewer online guesses. The patterns make the new password predictable and therefore more susceptible to cracking tools.
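As an added example (not code from the article or from the study itself), the following Python mimics the transform-based attack the 2010 study describes: it derives likely successors of an expired password and reports whether a user’s actual new password would fall within an online lockout budget of five guesses. The edit rules, their ordering and the sample old/new pairs are this example’s own assumptions.

```python
import re
from typing import List, Optional, Dict, Tuple

# Edit rules in rough order of how commonly users apply them when forced to
# rotate: bump a trailing number, rotate a trailing symbol, tack a character
# on the end, or change capitalisation.  Rules and ordering are assumptions.
_TRAILER = re.compile(r"(\d+)([^\w\s]?)$")   # trailing digits, optional symbol


def transform_guesses(old: str, max_guesses: int = 50) -> List[str]:
    """Return candidate successors of an expired password, most likely first."""
    cands: List[str] = []
    m = _TRAILER.search(old)
    if m:
        stem, digits, sym = old[:m.start()], m.group(1), m.group(2)
        n, width = int(digits), len(digits)
        # 1. Trailing number stepped: Summer2015 -> Summer2016, Password1! -> Password2!
        for delta in (1, -1, 2, 10, -10):
            if n + delta >= 0:
                cands.append(f"{stem}{n + delta:0{width}d}{sym}")
        # 2. Trailing symbol rotated: Password1! -> Password1@
        for s in "!@#$%":
            cands.append(f"{stem}{digits}{s}")
    # 3. A character appended: Summer -> Summer1, Summer!
    for ch in "1!2@3#":
        cands.append(old + ch)
    # 4. Case changed
    cands += [old.capitalize(), old.upper(), old.lower(), old.swapcase()]
    # Deduplicate, keep order, and never "guess" the expired password itself
    out: List[str] = []
    for c in cands:
        if c != old and c not in out:
            out.append(c)
    return out[:max_guesses]


def guess_rank(old: str, new: str, budget: int) -> Optional[int]:
    """1-based position of `new` among the transform guesses, or None if it is
    not found within `budget` guesses (budget=5 models an online lockout)."""
    guesses = transform_guesses(old, budget)
    return guesses.index(new) + 1 if new in guesses else None


# Constructed old/new pairs for illustration, not real user data.
SAMPLE_ROTATIONS: List[Tuple[str, str]] = [
    ("Summer2015", "Summer2016"),
    ("Password1!", "Password2!"),
    ("Password1!", "Password1@"),
    ("tr0ub4dor", "tr0ub4dor1"),
    ("tr0ub4dor", "correct horse battery staple"),  # genuinely new: not derivable
]


def evaluate(pairs=SAMPLE_ROTATIONS, budget: int = 5) -> Dict[str, Optional[int]]:
    """Map 'old -> new' to the guess number at which `new` falls, or None."""
    return {f"{o} -> {n}": guess_rank(o, n, budget) for o, n in pairs}


if __name__ == "__main__":
    for pair, rank in evaluate().items():
        outcome = f"guessed on attempt {rank}" if rank else "not guessed in budget"
        print(f"{pair:45s} {outcome}")
```

The point of the budget is that an online attacker is constrained by lockout policy, not by compute: if the new password is among the first five transforms of the old one, expiration has bought nothing. Only the last pair, where the user chose something unrelated to the old password, survives.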

The longer the better?

A recent article suggests that longer passwords, between 16 and 64 characters, may be the key to eluding cracking programs. Frankel and Peterson explain that “To a computer, poetry or simple sentences can be just as hard to crack. Even better: People are less likely to forget them.” Though strong passwords are held up as the ideal and as best practice, Grassi notes in the article that users find them difficult to remember and so write them down or reuse the same one everywhere, which defeats the purpose.
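The claim that a sentence can be “just as hard to crack” as a short complex password can be checked with a guess-space calculation. The Python below is an added example, not from the article: it computes the bits of entropy of several schemes and the expected time to exhaust them at an assumed offline guess rate. The schemes, the word-list sizes and the guess rate are this example’s assumptions. The caveat it makes visible is that a user-chosen “simple sentence” is not uniformly random, so treating it as if it were overstates its strength.

```python
import math
from typing import Dict, Tuple

# Guess space of a scheme: log2 of the number of equally likely secrets it can
# produce.  Schemes and the guess rate are this example's assumptions.


def bits_for_charset(length: int, alphabet_size: int) -> float:
    """Bits of a string of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_for_wordlist(words: int, wordlist_size: int) -> float:
    """Bits of a passphrase of `words` words chosen uniformly from a word list."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: on average half the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(guesses_per_second: float = 1e10) -> Dict[str, Tuple[float, float]]:
    """Bits and expected crack time per scheme.  1e10 guesses/s is an assumed
    rate for offline cracking of a fast unsalted hash on commodity GPUs; online
    guessing against a rate-limited login is many orders of magnitude slower."""
    schemes = {
        "8 random printable ASCII chars (95 symbols)": bits_for_charset(8, 95),
        "12 random lowercase letters": bits_for_charset(12, 26),
        "4 Diceware words (7776-word list)": bits_for_wordlist(4, 7776),
        "6 Diceware words (7776-word list)": bits_for_wordlist(6, 7776),
        # A user-chosen sentence is not random.  If the attacker models it as four
        # words from a 2,000-word everyday vocabulary, the space is much smaller
        # than the character count suggests.
        "4-word everyday sentence (2000-word vocabulary)": bits_for_wordlist(4, 2000),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:50s} {bits:5.1f} bits  ~{human_duration(secs)}")
```

Four Diceware words (about 51.7 bits) land in the same range as eight random printable characters (about 52.6 bits), which is the article’s point; six words (about 77.5 bits) are out of reach of offline cracking. The everyday-vocabulary sentence, at roughly 44 bits, is the weakest scheme in the table, so the length of a passphrase only counts for as much as the randomness of its word choice.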

By creating a passphrase, a user draws on the sentimentality and quirkiness of human nature as a source of strength. Frankel and Peterson conclude that “most experts say passwords of any kind are outdated.” People are turning to alternatives such as two-factor verification through mobile devices, which many banks use for internet banking. Others, such as HSBC and Facebook, issue security code generators that are used alongside a password to increase account security.

Password alternatives

There are now alternatives to the alphanumeric password as we know it. These include:

  • two-factor verification (internet banking, social media)
  • picture passwords (Microsoft Windows)
  • lock screen pattern (mobile phones)
  • thumbprint reader (mobile, tablet and laptops)
  • virtual token (mobile app)
  • iris scanners and other biometrics.

With advances in technology, biometrics are increasingly being integrated into security measures. Unfortunately, even the fingerprint lock is by no means infallible, as demonstrated on the Samsung Galaxy S5 in this article. Schlabs states, “Fingerprints can keep opportunistic snoops out, but do not protect well from targeted authentication fraud”, as cited by Goodin. Others have long advocated killing the password. But as our email and work accounts attest, the password endures yet.

We may have to remember our passwords for now but we must not forget that it is only one way to keep ourselves safe. Perhaps as we open our minds to alternatives to passwords, we are learning to question the effectiveness of not only passwords but all security measures we have to protect our data, information and privacy.

Image source: Authenticity required: password? by Elias Bizannes is licensed by CC BY-SA 2.0.

References:

  1. Zhang, Y., Monrose, F., & Reiter, M. K. (2010, October). The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM conference on Computer and communications security (pp. 176–186). ACM.
  2. Chiasson, S., & van Oorschot, P. C. (2015). Quantifying the security advantage of password expiration policies. Designs, Codes and Cryptography, 77(2–3), 401–408.

Originally published at RealKM.