Monday, October 12, 2009

Password Authentication – Human Capability vs. Security?

I first faced the challenge of balancing human capabilities with security requirements during a work project last year and have been interested in the topic ever since. A portion of the project was to design a login experience for users who would have to create new passwords meeting strict requirements, select security questions/answers and still protect the system from hackers or bots. This included a backup authentication process to verify the identity of users who have forgotten their username or password.

Our password requirements were an example of where security and human capability collided. The process of trying to come up with a password that had eight characters, one number, one capital letter, one symbol, no repeated character strings, no repetition of past 3 passwords yet also be “easy” to remember was expecting a lot of our customers. My team was able to mitigate some frustration and calls to the help desk by displaying the requirements and implementing dynamic visual feedback when each requirement was met. Still, the process was frustrating for customers who have many other passwords to account for in their lives.

Deborah S. Carstens, in Human and Social Aspects of Password Authentication, recognizes the need for reliable security practices by people and organizations. The level of security threats to computers and networks has increased along with our increased dependence on them in almost all aspects of our lives. Many companies and individuals rely on password authentication to verify the identity and access rights of users. Security practices may be necessary but are often complex and unrealistic because they don’t take into account human capabilities or cognitive theory principles. Carstens notes that it doesn’t have to be that way. “User memory overload can be minimized when all aspects of a password authentication system have been designed in a way that capitalizes on the way the human mind works and recognizes its limitations”.

Although there are other security techniques being implemented today such as biometric authentication, Carstens explains that research on passwords is still relevant. Most people are still entering passwords even if biometric scanners are available. And we all have multiple passwords to remember for many different systems – usually several at work, school, and personal use. Given that human memory is limited, there is a risk of information overload and there’s often a tradeoff between creating passwords that are “easy to remember” and ones that are truly secure.

When password requirements exceed human memory limitations, people are more likely to engage in practices that threaten security, such as creating easy-to-guess passwords or writing passwords down on paper and keeping that paper in an unprotected location.

In her research, she recommended several guidelines to create passwords that are both secure and do not exceed human capabilities. In addition, Carstens explained, users should be offered training on how to create passwords that are both secure and meaningful, which will aid in retention.

  • Passwords must be a combination of symbols, numbers, and letters

  • Passwords cannot use the same character more than twice

  • Passwords must not spell out words that are found in a dictionary or use a proper noun such as a name of a person, pet, place, or thing

  • Passwords cannot contain information easily accessible to the public such as a social security number, street address, family members’ birthdays, and wedding anniversary dates

  • Passwords contain two to four chunks of data and are comprised of 10 to 22 characters in length, which will be dependent on the character length capabilities of any given system

Her last guideline was interesting to me and she explains it more thoroughly in her article. Essentially, she recommends that people use “chunking” along with strings of letters and numbers that represent a meaningful concept. This builds on a lot of past research, from Miller (1956) to Wickens (1992) to Proctor (2002) and her own research in 2006, with many others in between.

In practice, you would select for yourself a core “chunk” that you could include in all your passwords. This would be followed by a second chunk that would have meaning to you in relation to the application/system you need to access.

Using her examples, let’s say you start out with “Mb#=43” which translates to “my basketball number equals 43” and the second chunk would be “fiem” which translates to “Florida industrial engineering major”. These two chunks would be combined to serve as your password for accessing a university portal, “Mb#=43fiem”.

To access your social network accounts, you might select a second chunk like “GMHSV”, which translates to “go Madison High School Vikings”. You would add this to your “core chunk” which result in “Mb#=43GMHSV”.

This seemed overly cumbersome at first, but what is intriguing is that it attempts to find a meeting point between the need for secure authentication without exceeding human capabilities. She also references research that supports offering guidance to users on how to create those meaningful yet secure passwords.

I think back to my project and realize that although we provided dynamic feedback on how well a user’s chosen password met security requirements, we did not offer guidance on how to come up with a password that not only meets the requirements but can also be remembered. For me, it’s definitely worth further consideration and further review of related research.

Carstens, D. (2009). Human and Social Aspects of Password Authentication. In M. Gupta & R. Sharman (eds.), Social and Human Elements of Information Security: Emerging Trends and Countermeasures, (pp. 1-14).

No comments: