The quest for good passwords
Passwords are easily the most talked about infosec control. Perhaps the simplest concept the explain and surprisingly hard to implement well. Allow a user to keep any password, without restriction, and she will keep her username as the password. Add complexity requirements and she will write it down.
Infosec professionals take every possible measure to get users to keep their passwords confidential. They provide guidelines on creating good complex passwords. They use analogies - ‘ A password is just like a key! Would you share the key to your house?’. They enforce password rules by building them into the systems. Try as you might, it seems that people and passwords seem to have a healthy dislike for each other.
The reason password controls are so difficult to implement is because passwords involve that part of the human brain that is difficult to grasp - memory. Scientists are still trying to figure out how we remember things. Memory is created by experiences. Experiences are felt by our senses. Whenever we have similar sensory experiences, the relevant memories are triggered. So, our memory of something is a combination of the sight, sound, smell, taste and feel of that thing - all put together. Memory works in mysterious ways. A faint whiff of a perfume, for instance, takes you down memory lane, but you cannot remember what you had for breakfast last week.
Passwords, especially complex ones, make use of only one sense to create a memory - sight. Well, not exactly, but close enough. Remembering things on the basis of just one sensory perception is no doubt difficult. It requires a person to pay attention while creating the password and make sure it is a part of his sort term memory. Our requirements of numbers, special characters and other such nick-nacks make a difficult task near impossible. One solution is to create a password with pronounceable characters. For example - ‘geo-t@b-1968’ is far more memorable than ‘gt96o-@e1-8b’, even while using the same characters. The main reason is that it is pronounceable. Your password is “Geo hyphen tab hyphen nineteen sixtyeight with the ‘a’ replaced by at the rate’. No longer a gooey mess of numbers and special characters. It does not make any difference to the security of the password. Every user should receive a training on how to create a good - pronounceable - password and not just the complexity requirements. You will see that the number of post-its with passwords will reduce significantly. Here is a site where you can make a good password.
Memory is of two types - short term and long term. Everything is short term memory at first. The more you use it, the more your synapses set into a pattern making it permanent memory that you can remember for a long time. Add to that something called muscle memory. Do this simple exercise. Close your eyes. Try to remember where the alphabet ‘v’ is on your keyboard. Most of you would find it difficult. Now open your eyes. Open notepad and type - “Very cool. I like to be verbose.” Your fingers seem to know where the ‘v’ is. This is muscle memory. Once you have created a really good memorable password, you start using it and after a while, it builds into your muscle memory.
The current problem is that password policy forces us to change our passwords every month, or every three months making it near impossible for muscle memory to kick in. Research shows that a complex password of the right length will take hundreds of years to brute force ( a way to crack a password). Why, then, force users to change passwords every month? Infosec professionals - it is time to increase the password duration to one year!
So, to create good passwords - create prounceable, long, complex passwords and keep them for a year or two. It is the solution to all your password woes. Have lots of passwords to manage? Create one master password and let a password manager do the rest! Read about my post on password managers here:
Password Managers and why you need them
One last point on passwords before I sign off. Password retreival. Remember those questions you get asked when you click on ‘forgot password’? Research shows that it is a very bad way to do things. Read more of that here. I plan to write a detailed analysis of it soon.