Wednesday, September 5, 2007

Humanity versus Security - Part 1: Passwords

This is the first installment in a multi-part series of articles discussing how security affects the ‘human’ aspect of computing. Security is a very important issue in computing in this day and age, especially on systems that store or handle personal data about customers.

As such, we try hard to increase the security of our systems, making it more difficult for hackers or other unsavory people to acquire information they have no right to read. Sometimes, however, making systems more secure and less simple for users makes those systems less secure in the long run.

Password Complexity

One of the primary methods of securing systems is by using passwords. In a typical work day, I use four different passwords; however, I have at least fifteen login/password pairs associated with work. This of course isn't taking into consideration all of the personal logins/passwords I have (personal e-mail, MMO logins, websites, forums, etc.).

Many systems have different password requirements, such as: all lowercase, all uppercase, mixed case required, no digits allowed, digits required, must be under 8 characters, must be over 9 characters, and many other odd requirements. Some of them track the last few passwords you used and don't allow you to reuse them. Some systems are even so complicated that they require multiple passwords to get to successively deeper parts of the system, and the passwords are not allowed to be the same (there are even rumors of some systems that use heuristics to ensure they aren't similar).

We are told that it is wise not to reuse your passwords too much: if one password is compromised, then all of them are. For example, if you used the same password for your online banking as for a forum, and the forum is compromised, your bank account is now at risk.

Of course, forgetting a password makes the user feel stupid. Some systems are quite nasty if you forget your password. Some IT help desks are polite and understanding, but those are rare.

The Problem

The problem with this entire password idea is that humans simply can't remember 15 passwords. So what do users do? They write them down. We carry around little black books filled with passwords, have post-it notes all over our cubicles, and keep text files on our desktops. If any of these are compromised, then all of the systems we are associated with are compromised, and the entire security breach is blamed on the human’s inability to manage passwords properly.

Well, that's simply not fair. Humans can’t be expected to remember that many passwords. By requiring complex passwords for absolutely everything, we are in truth reducing the security of these systems, because we force the users to write their passwords down.

This problem has four distinct parts. The first part of the problem is the blame game. We blame the programmers, the IT staff, and the software if there is a security breach. This is what pushes programmers to come up with convoluted systems that shift the blame onto the users.

The second part of the problem is the policy creators. Legislators, compliance officers, and managers demand that systems be secure. They demand these things without realizing what actually goes into making a system secure.

The third part of the problem is the programmers and IT staff themselves. They are required to make a system secure, and they do so without consideration for the humans who use the system.

The fourth part is the users themselves. They refuse to learn to manage their passwords appropriately and securely.

The Solution

There is no one single solution to the problem of password complexity; if there were, every system would use it. However, communication between all involved parties will allow a solution to form that benefits the system without being a burden on the users. We need to realize that making password systems more complex in truth makes our systems less secure.

First off, we need to stop pointing fingers about whose fault it is, and instead try to figure out how to make systems secure without making them difficult for the humans who need to use them.

This would help reduce the creation of pointless security rules and instead focus effort on finding solutions. We need to trust our users a little bit more and give them a little bit of slack. It would also be helpful to explore new technologies such as RFID tags and biometric scanners.

There are also devices that can store our passwords for us and be unlocked with a fingerprint or a single password. These devices should be encouraged rather than discouraged. They let users write down their passwords while still keeping them secure, and they allow a user to remember only one. However, it should be researched which

Most importantly, everyone involved needs to realize it’s a problem. If fingers continue to be pointed and blame shifted, no one will want to take responsibility and try to repair the situation, for fear of being reprimanded when the system breaks. Users and policy makers need to educate themselves about security. First and foremost, the programmers and IT staff need to help educate everyone, and study methods to increase security without removing the human feel.
