
Humans Can’t Do Passwords: 3 Tips to Help FIs and Homo Sapiens

Strategically Speaking
Dec 30, 2014

Author: Lee Wetherington, LWetherington@profitstars.com

235. That’s how many passwords I have.

Correction. That’s how many different online accounts I have. I refuse to admit how many (or how few) passwords I have across my online accounts. And that brings us to today’s parting thought for 2014…

Humans can’t do passwords.

We just can’t. How many more breaches, SSL vulnerabilities, and nude celebrities do we need to see for this to sink in?

Humans can’t do passwords, at least not the right way. We’re supposed to make them strong by making them as long, unique, and unintelligible as cartoon cursing. But even if we make our passwords strong, it doesn’t matter, because we can’t remember them afterward when we do.

So we do what humans do. We use one (or just a few) passwords for scores of online accounts. Half of consumers admit to recycling the same passwords. The other half are liars: they recycle passwords too. Yes, I’m looking at you.

It gets worse. According to Javelin, the more online accounts we have, the fewer passwords we employ to protect them. People with up to 20 online accounts typically have one unique password for every two online accounts. People with more than 20 online accounts average one unique password for every three accounts.

So pervasive and worrisome is this phenomenon that the Fast IDentity Online (FIDO) Alliance, an organization of 150 payments and technology businesses, recently gathered to publish specifications for a Universal Authentication Framework—with the ultimate aim of wiping out passwords altogether.

In the interim, however, our problem is two-fold: not only are our passwords weak, we have only a few of them guarding our most private assets online. Not good.

For financial institutions, the human password problem is prickly. First, passwords stolen at other sites can often be reused to access financial sites. Second, fraudsters are now circumventing the strong password policies of some financial sites by targeting email accounts instead. From there, the fraudster resets financial-site passwords and uses social media sites to glean enough personally identifiable information to pass knowledge-based authentication challenges.

If you make your password policies too tough and unrealistic, you frustrate end users and practically encourage fewer unique passwords. If you don’t enforce strong-password policies, you leave systems and data more exposed. So, what to do?

  1. Get real. Acknowledge the limitations of Homo sapiens and educate accountholders not only about strong passwords but about easy management and secure storage of those passwords too. Programs like Dashlane and LastPass can automate not only the creation and storage of strong passwords but their regular rotation as well. Also, be sure to promote the use of password ciphers, i.e., memorable formulas for deriving a unique password for each site.
  2. Blacklist the dictionary. New breeds of password-cracking software make longer passwords less secure than they once were, especially if those passwords contain common words. Expand your password blacklist to bar the use of words found in the dictionary.
  3. Consider the future of behavioral authentication. While passwords aren’t going away any time soon, monitor the evolution of behavioral solutions. Instead of authenticating using passwords or even physical attributes (biometrics), companies like BehavioSec are verifying identities by passively observing how accountholders interact with their devices.
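Tip 2 is the one a financial institution can implement in code today. The block below is an added example, not code from the original post or from any product it names: a password-policy check that normalizes the common character substitutions cracking rule sets already undo ("P@ssw0rd" is judged as "password") and then rejects a candidate when dictionary words cover most of its letters. The wordlist is a small constructed sample, and the 12-character floor and 60% threshold are assumptions chosen for illustration; a deployment would load a full dictionary and a breached-password list in place of `DICTIONARY`.

```python
import re
from typing import List, Set

# Constructed sample wordlist for this example. A real deployment would load a
# full dictionary plus a breached-password corpus (assumed to be available
# locally; the post names no specific list).
DICTIONARY: Set[str] = {
    "password", "welcome", "summer", "winter", "dragon", "monkey", "bank",
    "money", "letmein", "qwerty", "football", "sunshine", "princess", "login",
}

# Substitutions that cracking rule sets undo routinely; the policy undoes them
# too so that "P@ssw0rd" is evaluated as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12             # assumption: a 12-character floor
MAX_DICTIONARY_RATIO = 0.6  # assumption: reject when >= 60% of letters are words
MIN_WORD_LENGTH = 4         # ignore very short words in the lookup


def normalize(password: str) -> str:
    """Lowercase, undo common substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def dictionary_coverage(core: str, words: Set[str]) -> float:
    """Fraction of `core` covered by non-overlapping dictionary words.

    best[j] is the maximum number of letters in core[:j] that can be covered
    by dictionary words (dynamic programming over end positions).
    """
    n = len(core)
    if n == 0:
        return 0.0
    best = [0] * (n + 1)
    for j in range(1, n + 1):
        best[j] = best[j - 1]                       # letter j-1 left uncovered
        for i in range(0, j - MIN_WORD_LENGTH + 1):  # words of length >= 4
            if core[i:j] in words:
                best[j] = max(best[j], best[i] + (j - i))
    return best[n] / n


def check_password(password: str, words: Set[str] = DICTIONARY) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    ratio = dictionary_coverage(normalize(password), words)
    if ratio >= MAX_DICTIONARY_RATIO:
        problems.append(f"{ratio:.0%} of its letters are dictionary words")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two dictionary-based, one random.
    for candidate in ["P@ssw0rd2014!", "Summer2014!", "xk7#Qv9!pLm2"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The coverage ratio, rather than a plain substring match, is what keeps the rule from rejecting a long passphrase that merely happens to contain one short word; tuning the threshold is the usability-versus-security knob the post describes.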

For more information and suggestions on balancing security and usability vis-à-vis your password policies, see Javelin Strategy and Research’s excellent report, “In Search of a Better Password Policy.”

Happy New Year!
