By Tom Murray, Head of Product Strategy, Exaxe.
Ultimately, most of us cheat and end up with a slight variant on the previous one, which will only trip us up a few times in the first week of the password. And then on we go until we get the next change mandated upon us 90 days later.
The reason for this is that a seminal work from 2003, “NIST Special Publication 800-63. Appendix A,” became the bible of the IT security industry, and every IT department promptly enforced the rules within it as a means of showing everyone that they were doing everything possible to secure data on the company’s systems. Thus, we were all reduced to having to come up with random passwords we struggle to remember, with bizarre capitalisations and substitutions of symbols for related letters, such as “SiMb0lyc156”.
Now the man behind the original document has recanted. In a piece in the Wall Street Journal, former National Institute of Standards and Technology manager Bill Burr has said that the whole approach was misguided. It turns out that the key factor is the number of bits of information that must be cracked in order to find out what the password is. The flaw in the current approach is that what looks like a hard word to remember is only difficult for humans. Computers see it as a collection of symbols and don’t need it to make any sense. Therefore, the shorter it is, the quicker the algorithm can run through the number of combinations in order to get to the answer. So, for outsiders using automated hacking algorithms, breaking in is much easier with short words that look difficult than it is with longer words or phrases that make sense to the user. In short, we have focused on using passwords that are hard for us to remember, because they don’t make much sense, but have forgotten that computers don’t work in the same way.
A cartoon drawn by Randall Munroe in 2011 showed this perfectly when he proved that the password “Tr0ub4dor&3” would take 3 days to crack at a guess rate of 1000 guesses per second while the phrase “correct horse battery staple” would take 550 years at the same rate. Thus, it makes far more sense for people to pick four common random everyday words and use them all the time. And because they wouldn’t need to change them, remembering them would be easy. Also, they could be unique as everyone can construct a random word selection that means something to them, but means nothing to anyone else.
What does this mean for the life and pensions industry? As we increasingly expand our services to allow customers online access both to buy and to service their policies, we need to be very careful that we manage to secure the data, not just appear to secure it.
We need to help customers by shifting our emphasis to providing password security approaches which make it easier for humans to remember their passwords but much harder for machines to guess them. That probably means doing away with a lot of the current password checking systems, which generally start indicating your password is strong as soon as you enter an “@” or a “[” symbol, and moving to allowing actual phrases to be used, thus encouraging longer passwords of the type that people should find much easier to remember.
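The arithmetic behind the cartoon's figures, set beside a symbol-counting strength meter of the kind described above, as an added example that is not part of the original article. The 28-bit figure for the substituted word, the 2048-word list and the meter's rules are assumptions chosen to reproduce the quoted 3 days and 550 years at 1000 guesses per second.

```python
import math
import string

GUESS_RATE = 1000  # guesses per second, the rate quoted in the article


def composition_meter(password):
    """Symbol-counting meter of the kind the article criticises (constructed rules)."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return "strong" if sum(classes) == 4 and len(password) >= 8 else "weak"


def passphrase_bits(n_words, wordlist_size):
    """Bits of entropy when n words are drawn uniformly at random from a list."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, rate=GUESS_RATE):
    """Time to try every candidate in a 2**bits search space."""
    return 2 ** bits / rate


def describe(seconds):
    days = seconds / 86400
    return f"{days:.1f} days" if days < 365 else f"{days / 365:.0f} years"


# Assumed model inputs (not stated in the article):
SUBSTITUTED_WORD_BITS = 28              # one uncommon word plus predictable tweaks
PHRASE_BITS = passphrase_bits(4, 2048)  # 4 words * 11 bits each = 44 bits


def compare():
    """Return (password, meter verdict, bits, time to exhaust) for both examples."""
    cases = (("Tr0ub4dor&3", SUBSTITUTED_WORD_BITS),
             ("correct horse battery staple", PHRASE_BITS))
    return [(pw, composition_meter(pw), bits, describe(seconds_to_exhaust(bits)))
            for pw, bits in cases]


if __name__ == "__main__":
    for pw, verdict, bits, t in compare():
        print(f"{pw!r:32} meter={verdict:6} bits={bits:.0f} exhaust={t}")
```

The meter rates the two passwords in the opposite order to their search-space size, which is the mismatch the paragraph above describes.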
In some ways, this is more important for the life and pensions industry than many others, as we can expect our customers to have long-term relationships with the company, due to the long-term nature of the product. Providing simplified access whilst ensuring a high level of data security will increase confidence in the industry, a core advantage in an industry that deals with people’s money.
It may take a while to switch over to a new approach, but if people start using much longer passwords, then just one will suffice for them for all the systems they have to log onto, thus relieving them of the burden of remembering multiple passwords. This will be a tremendous relief to the average user and, as an added bonus, it will make systems far less vulnerable to the type of automated hacking that is becoming ever more common globally.