
Passwords for Cybersecurity: How good is your memory?

Updating best practices for managing cyber risks.



I sure hope that the engineers and design managers who design the security protocols for the various systems that I use pay attention to the work of the National Institute of Standards and Technology (NIST)’s Trusted Identities Group.  Specifically, I pray that they will heed the recommendations in the June 2017 release of the new Digital Identity Guidelines, Authentication and Lifecycle Management (NIST Special Publication 800-63B), section 10.2.1, Memorized Secrets.  “Memorized secrets” are “commonly referred to as a password or PIN.”  By following these recommendations, software security folks stand to make my digital life easier and, apparently, more secure. 

Complexity does not solve all problems.  Usability matters.
For many years I worked for an organization that rigorously enforces computer security:  regular change of complex passwords, shutting down desktop and laptop computers every night, no using others’ computers or IDs, regular security training, firewalls, screening software, plus an unknowable number of behind-the-scenes processes.  Absolutely no writing down of passwords.  I ultimately developed a partially random scheme to remember the ever-changing passwords, although things got easier when various systems were “knit” together so as to need fewer independent log-ins. 

Then one day, we were given encrypted USB (aka “thumb” or “memory”) drives.  These small, secure storage devices made traveling with emergency contact lists and outside presentations easier.  The one drawback was that while they permitted 10 or 12 attempts at the password, the cost of failure was absolute:  there were no backdoors, no hints.  Too many mis-entered passwords led to self-destruction.  The only recourse was to request a new encrypted thumb drive.  I went through three or four of these drives before deciding to use other approaches.  The “memory” stick appellation became particularly ironic.  Relying on memory for something used infrequently was clearly problematic.

I seem able to retain about a half dozen frequently used passwords or PIN codes, but memory gets inconsistent after that:  Was the first or second character upper case?  Maybe both?  Was the number in the middle of the password string or at the end?  Or both?  Did the password include an ampersand (&), a caret (^), or an equal sign (=)?  Or does this vendor prohibit non-alphanumeric characters?  And, if I can’t see my data input—to mask it from those looking over my shoulder (in my living room or office?)—I’m good for 4 or 5 characters.  But if the password looks like this, “Wh4tT#3h3Ck”, you can bet with confidence that I’m going to fat finger it and eventually be locked out.

Yes, secure online access to bank accounts, medical records, email, employer websites, and retailers’ accounts is convenient.  That is, until you get locked out or frustrated.  Does a small notebook at home listing IDs and passwords strengthen or weaken security?  Compare that risk with recording personally identifiable information (“PII”) such as social security numbers, drivers’ license numbers, mothers’ maiden names, graduation years, birthdays, and first pets’ names on potentially hackable databases. 

This is where NIST’s new guidelines can help.  The “Usability Considerations” of section 10 recommend plain-language instructions, options for alternative authentication, displayed rather than masked text during password or PIN entry, and simple composition rules (versus forced, mixed characters).  They recommend permitting many more characters so that longer but memorable passphrases can be entered.  The new guidelines also propose that PINs and passwords not be changed at “arbitrary” fixed intervals—such as monthly or quarterly—but rather in response to specific threats. 

The Wall Street Journal (August 8, 2017) quotes Paul Grassi, the NIST standards-and-technology advisor who led development of the new guidelines, as saying that the prior recommendations (now deeply embedded in our digital lives) “actually had a negative impact on usability.”  The article also cites research suggesting that longer, more memorizable passwords may be significantly harder to break than shorter phrases filled with g0Bbled1go0k.  That’s “gobbledygook” translated into passcode.
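To make the two preceding paragraphs concrete, here is an added example (not code from the post or from NIST) that puts a legacy composition-rule password checker beside one following the SP 800-63B memorized-secret verifier rules, and estimates the brute-force search space for the post’s “Wh4tT#3h3Ck” versus a longer passphrase. The blocklist, the sample passwords and the 128-character maximum are constructed placeholders; SP 800-63B section 5.1.1.2 additionally requires checking candidates against a list of commonly used or compromised passwords, which the post does not mention.

```python
import math
import string
import unicodedata

# Constructed stand-in for the breach / common-password blocklist that
# SP 800-63B 5.1.1.2 requires; a real deployment uses a large external list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein"}


def legacy_policy(pw: str) -> tuple[bool, str]:
    """Old-style composition policy: 8-16 chars and three character classes."""
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16"
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        return False, "need 3 of upper/lower/digit/symbol"
    return True, "ok"


def nist_policy(pw: str, max_len: int = 128) -> tuple[bool, str]:
    """SP 800-63B style verifier rules: minimum 8, generous maximum (at least 64),
    any printing character including spaces and Unicode, no composition rules,
    reject values on the blocklist."""
    pw = unicodedata.normalize("NFKC", pw)  # normalize before length check/hashing
    if len(pw) < 8:
        return False, "at least 8 characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    if pw.lower() in BLOCKLIST:
        return False, "commonly used or compromised"
    return True, "ok"


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Brute-force search space (bits) for `length` symbols drawn uniformly from
    `alphabet_size`; a word-based passphrase is weaker than a per-character count
    implies, so also count it as words drawn from a dictionary."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed samples: the post's fat-finger-prone password vs. a passphrase.
    for pw in ("Wh4tT#3h3Ck", "my thumb drive ate three passwords", "password"):
        print(f"{pw!r:40} legacy={legacy_policy(pw)} nist={nist_policy(pw)}")
    print(round(search_space_bits(95, 11), 1), "bits: 11 printable ASCII chars")
    print(round(search_space_bits(27, 34), 1), "bits: 34 lowercase+space chars")
    print(round(search_space_bits(7776, 5), 1), "bits: 5 words from a 7776-word list")
```

The passphrase fails the legacy checker only because of its length limit and lack of forced character classes, which is precisely the rule the guidelines retire; even counted as five dictionary words it is not weaker than the eleven-character string, and it is far easier to type.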

Changing computer software has to be done carefully.  Changes to security, including authentication protocols, especially so.  NIST’s revised approach is new, and so it will take some time—likely several years—for it to ripple through and be applied in the general marketplace.  But I sure hope that the security designers are listening.  The promise of making our digital lives easier and our data more secure has to be irresistible. 

Michele Braun, Director of the Institute for Managing Risk

Stay up to date.  Join the Institute for Managing Risk, the Women’s Leadership Institute, and our panel of experts on November 9 to discuss Cybersecurity: Readiness, Response, Recovery: Protecting Your Company’s Assets and Reputation.  For more information and to register, see here.
