Too Many Secrets

September 13, 2010


From a-la-peanut butter sandwiches and open sesame to this:

  • Must contain at least three of the following four items: lowercase letters (a-z), uppercase letters (A-Z), digits (0-9), and symbols (`!#$%^&*()_+-\{\}|:;'?,/)
  • Must be between 8 and 32 characters in length
  • May not begin with a letter

- chances are you’ve been keeping secrets your whole life. By secrets, I mean those combinations of words, phrases, numbers, and symbols that are woven into almost everything we do online: passwords.

On any given day, I have to provide at least 10 different passwords to get into various networks and websites. I type in some of those passwords about 10 to 15 times a day. Daily passwords are pretty easy to remember. I could type them in blindfolded. The real challenge is remembering the passwords I don’t use on a daily basis.

I have a system that used to make it pretty easy for me to remember passwords. But password requirements have become increasingly complex, so my system has become more complex to keep up with those requirements. Plus, my system has to change from site to site because different sites have different requirements. What’s more, some sites require that I change my password on a regular basis. Consequently, it’s no longer easy for me to remember all of my passwords.

I’m left with a few different options.

  1. I can stop using online sites that require passwords
  2. I can write them down
  3. I can store them in third party software on my phone or computer

Choice number 1 is not very practical. Choice number 2 is tough because I don’t carry around a pad and paper, and I would just lose the pad and paper if I did decide to carry them around. So, I’m left with number 3.

Storing my passwords in third party software is definitely not an ideal solution. It makes the device on which I store all my passwords extremely valuable. If I lose the device or the device breaks, I’m in trouble. If my passwords are stored on my phone, and I lose my phone, I’ll need to go through the process of changing all of my passwords. The passwords I store on my computer or phone are only as safe as the device that I use to store them and the single password I use to access the device and my stored passwords.

Complexity <> Security

Rather than increasing the security of online banking, overly complex password rules can make online banking sites less secure. When the requirements become so complex that a password cannot be remembered, it ends up stored somewhere other than memory (on paper, or in software on a device that can be lost or compromised), and the result is weaker than a significantly less complex password the user could actually keep in their head. Practical usability is sacrificed in the name of password strength. Online banking sites put a huge premium on password strength, but there are more pressing online security concerns that don’t really hinge on the strength of your password.

Don Norman, a professor at Northwestern University, asserts:

“Although there is much emphasis on password security, most break-ins occur through other means. Thieves usually don’t break into systems using brute force. They phish, luring unsuspecting but helpful people to tell them their login name and password. Or they install sniffers on keyboards and record everything that was typed. A password’s strength is irrelevant if the thief already possesses it.”

Strict and complex rules do make it harder to guess passwords. However, online password guessing can be held in check with much simpler measures: requiring that a password contain both letters and numbers, and freezing (or throttling) an account after too many invalid attempts. A lockout only limits guessing against the live login page; it does nothing once the password itself has been phished or captured.
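As an added example (not code from the original post), here is the "freeze the account after too many invalid attempts" rule as a small login guard. The user store, the limits (5 failures in a 5-minute window, a 15-minute freeze) and the injected clock are constructed for illustration; a real deployment would persist the counters and compare password hashes rather than plaintext.

```python
"""Account lockout against online password guessing (constructed example)."""
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 5          # failures tolerated inside one window (assumed value)
WINDOW_SECONDS = 300      # failures older than this are forgotten (assumed)
LOCKOUT_SECONDS = 900     # how long the account stays frozen (assumed)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed logins per account and freezes the account after too many."""

    def __init__(self, credentials: dict):
        # Constructed user store: username -> password (plaintext only for the demo).
        self.credentials = credentials
        self.state: dict = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked' for a login attempt at time `now`."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            # Reject before checking the password: while frozen, even a correct
            # guess gives the attacker no signal.
            return "locked"
        # Forget failures that fell out of the sliding window.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        expected = self.credentials.get(user, "")
        # compare_digest: constant-time comparison; an unknown user compares against "".
        if user in self.credentials and hmac.compare_digest(password.encode(), expected.encode()):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return "locked"
        return "bad_password"


def simulate_guessing() -> list:
    """Run a constructed guessing sequence and return the per-attempt outcomes."""
    guard = LoginGuard({"alice": "correct horse"})
    outcomes = []
    t = 0.0
    for guess in ["password", "123456", "qwerty", "letmein", "abc123"]:
        outcomes.append(guard.attempt("alice", guess, t))
        t += 1
    # The right password is refused while the freeze is in effect...
    outcomes.append(guard.attempt("alice", "correct horse", t))
    # ...and accepted again once the lockout has expired.
    outcomes.append(guard.attempt("alice", "correct horse", t + LOCKOUT_SECONDS))
    return outcomes
```

`simulate_guessing()` returns four `bad_password` results, then `locked` for the fifth wrong guess, `locked` for the correct password submitted during the freeze, and `ok` once the freeze has expired. Two practical caveats: a hard lockout lets anyone who knows a username freeze that victim out, which is why many sites prefer progressive delays or CAPTCHAs over a flat freeze; and none of this helps when the password was obtained by phishing or a keylogger, since the attacker then needs only one attempt.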

The complexity of your password is irrelevant if malicious software on your computer is recording your keystrokes. Your password could be 100 characters long, but key logging software would still record it and send it along to thieves waiting to use it.

A recent article in the New York Times quoted the following:

“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics. He said antivirus software could detect and block many kinds of keyloggers, but “there’s no guarantee that it gets everything.”

Some of the most trafficked sites in the world have fairly simple password requirements. PayPal only requires that you enter an 8-character password. That’s it! You don’t have to mix letters and numbers, and you don’t have to include any special symbols; just make it 8 characters long. Clearly PayPal decided that usability is important and that forcing a particular mix of characters is not.

What to Do?

It’s clear that traditional online banking authentication methods, regardless of password complexity, are not the best way to secure access to your financial information. Keyloggers, phishing, and password complexity itself have made passwords fairly vulnerable. Fortunately, there are some options that help secure online banking without unnecessarily sacrificing usability.

ING Direct only requires a 4-digit numeric password, but you don’t type it in with the number keys on your keyboard. Rather, you use your mouse to click numbers on a virtual keypad. Collecting the password this way significantly decreases the ability of keystroke loggers to steal it, although malware that captures screenshots or click positions can still observe it.

Other innovative solutions don’t ask for passwords at all. Rather than ask for a password, Confident Technologies’ ImageShield product asks you to remember categories and identify the pictures on screen that belong to those categories.

Confident ImageShield

A new solution named Pass Window provides two-way (mutual) authentication using an out-of-band token.

In this case, the out-of-band token is a card (possibly your debit card) with a small window in it. Peering through the window allows the user to unscramble characters displayed on the screen. The user then types the unscrambled code and is logged in. Each Pass Window is unique to its user, so only the Pass Window for that specific account can unscramble the characters on the screen.

The user knows they have the correct site because their Pass Window correctly unscrambles the code; a fraudulent site that does not know the window’s pattern cannot produce an image that resolves into a readable code. The financial institution can safely authenticate the user because only the holder of that window could have produced the unscrambled code.
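Pass Window’s actual construction is proprietary and not described here. As an added illustration of the property the paragraphs above rely on (the image on screen is meaningless on its own, only the matching card makes it readable, and a site that does not know the card cannot produce a readable image), the following simulation uses the classic two-share visual secret sharing scheme of Naor and Shamir. It is example code written for this post, not Pass Window’s scheme; the digit glyphs, the 4-digit card capacity and the sample code "4729" are constructed.

```python
"""Two-share visual secret sharing as a model of a window card (constructed example)."""
import secrets

# Constructed 3x5 pixel glyphs for the digits; '#' is a black pixel.
GLYPHS = {
    "0": ["###", "#.#", "#.#", "#.#", "###"],
    "1": [".#.", "##.", ".#.", ".#.", "###"],
    "2": ["###", "..#", "###", "#..", "###"],
    "3": ["###", "..#", "###", "..#", "###"],
    "4": ["#.#", "#.#", "###", "..#", "..#"],
    "5": ["###", "#..", "###", "..#", "###"],
    "6": ["###", "#..", "###", "#.#", "###"],
    "7": ["###", "..#", "..#", "..#", "..#"],
    "8": ["###", "#.#", "###", "#.#", "###"],
    "9": ["###", "#.#", "###", "..#", "###"],
}
ROWS, DIGITS = 5, 4               # card capacity: 4 digits (assumed)
COLS = 4 * DIGITS - 1             # 3 columns per glyph plus a 1-column gap

# Every secret pixel is expanded into two sub-pixels. Each share holds one of
# the two patterns below per pixel. Overlaying identical patterns leaves one
# black sub-pixel (reads as "white"); complementary patterns leave two (black).
PATTERNS = ((1, 0), (0, 1))


def render(code: str) -> list:
    """Bitmap (rows of 0/1) for a digit string, padded with white to COLS."""
    if not code.isdigit() or len(code) > DIGITS:
        raise ValueError("code must be 1-%d digits" % DIGITS)
    rows = [[] for _ in range(ROWS)]
    for i, ch in enumerate(code):
        for r in range(ROWS):
            if i:
                rows[r].append(0)                     # gap column between glyphs
            rows[r].extend(1 if p == "#" else 0 for p in GLYPHS[ch][r])
    return [row + [0] * (COLS - len(row)) for row in rows]


def make_card() -> list:
    """The customer's window: one random pattern per pixel, fixed when issued."""
    return [[PATTERNS[secrets.randbelow(2)] for _ in range(COLS)] for _ in range(ROWS)]


def make_screen(card: list, secret: list) -> list:
    """The bank's share: the card's pattern for a white pixel, the complementary
    pattern for a black one. Without the card every pixel is a coin flip."""
    return [[card[r][c] if secret[r][c] == 0 else tuple(1 - s for s in card[r][c])
             for c in range(COLS)] for r in range(ROWS)]


def overlay(card: list, screen: list) -> list:
    """What the eye sees through the window: black only where both sub-pixels
    end up black after OR-ing the two shares."""
    return [[1 if all(a | b for a, b in zip(card[r][c], screen[r][c])) else 0
             for c in range(COLS)] for r in range(ROWS)]


def read_code(bitmap: list) -> str:
    """Turn a recovered bitmap back into digits; '?' marks an unreadable glyph."""
    lookup = {tuple(g): d for d, g in GLYPHS.items()}
    out = []
    for start in range(0, COLS, 4):
        chunk = tuple("".join("#" if bitmap[r][start + k] else "." for k in range(3))
                      for r in range(ROWS))
        if all(ch == "..." for ch in chunk):
            continue                                  # padding, no glyph here
        out.append(lookup.get(chunk, "?"))
    return "".join(out)


def demo() -> tuple:
    """Constructed login: the genuine bank knows the card, a phishing site has
    to guess one. Returns what the customer reads in each case."""
    card = make_card()
    genuine_screen = make_screen(card, render("4729"))
    phish_screen = make_screen(make_card(), render("4729"))   # wrong card
    return read_code(overlay(card, genuine_screen)), read_code(overlay(card, phish_screen))
```

`demo()` returns `"4729"` for the genuine site and unreadable noise for the phishing site, which is the mutual authentication the text describes: the customer sees nothing sensible, and the bank would never receive the right code. The screen share on its own reveals nothing, since each of its pixels is one of the two patterns chosen uniformly at random; a one-time pad in picture form. The limitation is the same as a one-time pad’s: a card reused across many logins lets an attacker who records several screens and the codes typed in response reconstruct it, so a real deployment has to budget how many challenges a card is good for.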

Clearly online fraud is a problem. The FBI reports a 22% increase in reported online fraud last year. Still, increased online banking security does not have to result in reduced usability. In some cases, reduced usability actually reduces online banking security (e.g. overly complex passwords).

As financial institutions struggle to keep ahead of online criminals, they need to remember to keep a sensible balance between usability and security. “Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds to defeat it. Hence the prevalence of doors propped open by bricks and wastebaskets; passwords pasted on the fronts of monitors or hidden under the keyboard or in the drawer; house keys under the door mat, above the door frame, or under fake rocks that can be purchased for this purpose.” – Don Norman, Interactions Magazine, When Security Gets in the Way

