Updating best practices for managing cyber risks.
I sure hope that the engineers and design managers who design the security protocols for the various systems that I use pay attention to the work of the National Institute of Standards and Technology (NIST)’s Trusted Identities Group. Specifically, I pray that they will heed the recommendations in the June 2017 release of the new Digital Identity Guidelines: Authentication and Lifecycle Management (NIST Special Publication 800-63B), section 10.2.1, Memorized Secrets.
“Memorized secrets” are “commonly referred to as a password or PIN.” By following these recommendations, software security folks stand to make my digital life easier and, apparently, more secure.
Complexity does not solve all problems. Usability matters.
For many years I worked for an organization that rigorously enforces computer security: regular change of complex passwords, shutting down desktop and laptop computers every night, no using others’ computers or IDs, regular security training, firewalls, screening software, plus an unknowable number of behind-the-scenes processes. Absolutely no writing down of passwords. I ultimately developed a partially random scheme to remember the ever-changing passwords, although things got easier when various systems were “knit” together so as to need fewer independent log-ins.
Then one day, we were given encrypted USB (aka “thumb” or “memory”) drives. These small, secure storage devices made traveling with emergency contact lists and outside presentations easier. The one drawback was that, while they permitted 10 or 12 attempts at the password, the cost of failure was absolute: there were no backdoors, no hints. Too many mis-entered passwords led to self-destruction. The only recourse was to request a new encrypted thumb drive. I went through three or four of these drives before deciding to use other approaches.
The “memory” stick appellation became particularly ironic. Relying on memory for something used infrequently was clearly problematic.
I seem able to retain about a half dozen frequently used passwords or PIN codes, but memory gets inconsistent after that: Was the first or second character upper case? Maybe both? Was the number in the middle of the password string or at the end? Or both? Did the password include an ampersand (&), a caret (^), or an equal sign (=)? Or does this vendor prohibit non-alphanumeric characters? And if my data input is masked so that those looking over my shoulder (in my living room or office?) can’t see it, I’m good for 4 or 5 characters. But if the password looks like this, “Wh4tT#3h3Ck”, you can bet with confidence that I’m going to fat-finger it and eventually be locked out.
Yes, secure online access to bank accounts, medical records, email, employer websites, and retailers’ accounts is convenient. That is, until you get locked out or frustrated. Does a small notebook at home listing IDs and passwords strengthen or weaken security? Compare that risk with recording personally identifiable information (“PII”) such as social security numbers, drivers’ license numbers, mothers’ birth names, graduation years, birthdays, and first pets’ names in potentially hackable databases.
This is where NIST’s new guidelines can help. The “Usability Considerations” of section 10 recommend plain-language instructions, options for alternative authentication, an option to display rather than mask the text during password or PIN entry, and no forced composition rules (the mandatory mix of upper case, lower case, digits and symbols). They call for verifiers to accept much longer secrets, at least 64 characters, spaces included, so that longer but memorable passphrases can be entered; the minimum for a user-chosen secret is 8 characters. The new guidelines also propose that PINs and passwords not be changed at “arbitrary” fixed intervals, such as monthly or quarterly, but only when there is evidence that the secret has been compromised. In place of composition rules and scheduled expiry, the verifier requirements in section 5.1.1.2 have the system screen each new secret against a list of values known to be commonly used, expected or compromised.
The Wall Street Journal (August 8, 2017) quotes Paul Grassi, the NIST standards-and-technology advisor who led development of the new guidelines, as saying that the prior recommendations (now deeply embedded in our digital lives) “actually had a negative impact on usability.” The article also cites research suggesting that longer, more memorable passwords may be significantly harder to break than shorter strings filled with g0Bbled1go0k. That’s “gobbledygook” translated into passcode.
Changing computer software has to be done carefully, and changes to security, including authentication protocols, especially so. NIST’s revised approach is new, and it will take some time, likely several years, for it to ripple through and be applied in the general marketplace. But I sure hope that the security designers are listening. The promise of making our digital lives easier and our data more secure has to be irresistible.
Michele Braun, Director of the Institute for Managing Risk
Stay up to date. Join the Institute for Managing Risk, the Women’s Leadership Institute, and our panel of experts on November 9 to discuss Cybersecurity: Readiness, Response, Recovery: Protecting Your Company’s Assets and Reputation. For more information and to register, see here.