A false sense of security

Most people dread the bi- or tri-monthly message that flashes up on their screen when they sign on – “Your password has expired. Please select a new one.” Just as their fingers have managed to become almost automatic at putting in the random string of mixed letters, numbers and symbols, randomly capitalised, they are forced to start learning a new one.

By Tom Murray, Head of Product Strategy, Exaxe.

Ultimately, most of us cheat and end up with a slight variant on the previous one, which will only trip us up a few times in the first week of the password. And then on we go until we get the next change mandated upon us 90 days later.

The reason for this is that a seminal work, Appendix A of the 2003 NIST Special Publication 800-63, became the bible of the IT security industry, and every IT department promptly enforced the rules within it as a means of showing everyone that they were doing everything possible to secure data on the company’s systems. Thus, we were all reduced to having to come up with random passwords we struggle to remember, with bizarre capitalisations and substitutions of symbols for related letters, such as “SiMb0lyc156” as an example.

Now the man behind the original document has recanted. In a piece in the Wall Street Journal, former National Institute of Standards and Technology manager Bill Burr has said that the whole approach was misguided. It turns out that the key factor is the number of bits of information that must be cracked in order to find out what the password is. The current approach is built around words that look hard to remember, but they are only difficult for humans. Computers see a password as a collection of symbols and don’t need it to make any sense. Therefore, the shorter it is, the quicker an algorithm can run through the number of possible combinations in order to get to the answer. So, breaking in from outside with automated guessing tools is much easier against those short words that look difficult than against longer words or phrases that make sense to the user. In short, we have focused on using passwords that are hard for us to remember, because they don’t make much sense, but have forgotten that computers don’t work in the same way.

A cartoon drawn by Randall Munroe in 2011 showed this perfectly: the password “Tr0ub4dor&3” would take 3 days to crack at a guess rate of 1000 guesses per second, while the phrase “correct horse battery staple” would take 550 years at the same rate. Thus, it makes far more sense for people to pick four common random everyday words and use them all the time. And because they wouldn’t need to change them, remembering them would be easy. Also, they could be unique, as everyone can construct a random word selection that means something to them but means nothing to anyone else.

What does this mean for the life and pensions industry? As we increasingly expand our services to allow customers online access both to buy and to service their policies, we need to be very careful that we manage to secure the data, not just appear to secure it.

We need to help customers by shifting our emphasis to providing password security approaches which make it easier for humans to remember their passwords but much harder for machines to guess them. That probably means doing away with a lot of the current password checking systems, which generally start indicating your password is strong as soon as you enter an “@” or a “[” symbol, and moving to allowing actual phrases to be used, thus encouraging longer passwords of the type that people should find much easier to remember.
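To make the two points above concrete (the crack-time arithmetic behind the cartoon’s figures, and the difference between a symbol-counting checker and one that rewards length), here is an added Python example. It is not code from the article or from Exaxe; the 1000 guesses per second rate is the one quoted above, while the 2048-word list (11 bits per word) and the 28-bit figure for “Tr0ub4dor&3” are assumptions taken from the cartoon’s own estimate, not something this code derives from the string.

```python
import math
import string

# Constructed assumptions for this example: the guess rate is the one quoted
# in the article; the word list is a hypothetical 2048-word list (11 bits per
# word), chosen so that four random words give the cartoon's 44 bits.
GUESSES_PER_SECOND = 1_000
WORDLIST_SIZE = 2_048
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def bits_from_charset(password: str) -> float:
    """Naive entropy estimate: every position drawn uniformly from the charset.

    This is what a symbol-counting checker effectively rewards. It ignores that
    'Tr0ub4dor&3' is a dictionary word with predictable tweaks, which is why the
    cartoon credits it with only about 28 bits rather than the ~72 computed here.
    """
    return len(password) * math.log2(charset_size(password))


def bits_from_passphrase(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of word_count words chosen uniformly at random from the word list."""
    return word_count * math.log2(wordlist_size)


def time_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every candidate in a space of 2**bits at `rate` guesses/s."""
    return 2 ** bits / rate


def naive_strength(password: str) -> str:
    """The style of check the article criticises: 'strong' as soon as the
    password mixes cases, a digit and a symbol, regardless of guessability."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return "strong" if len(password) >= 8 and all(classes) else "weak"


def phrase_strength(password: str, min_words: int = 4, min_length: int = 16) -> str:
    """A length-first check in the spirit of the article: accept a phrase of
    several everyday words, and do not reward symbol substitution at all."""
    words = password.split()
    return "strong" if len(words) >= min_words and len(password) >= min_length else "weak"


if __name__ == "__main__":
    # Reproduce the cartoon's comparison at 1000 guesses per second.
    for label, bits in (("Tr0ub4dor&3 (cartoon's 28-bit estimate)", 28),
                        ("correct horse battery staple (4 x 11 bits)", bits_from_passphrase(4))):
        secs = time_to_exhaust(bits)
        print(f"{label}: {secs / SECONDS_PER_DAY:,.1f} days = {secs / SECONDS_PER_YEAR:,.1f} years")
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: naive={naive_strength(pw)} length-first={phrase_strength(pw)}")
```

Running it shows the naive checker rating “Tr0ub4dor&3” as strong and the four-word phrase as weak, while the crack-time figures (about 3 days versus roughly 558 years) point the other way.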

In some ways, this is more important for the life and pensions industry than many others, as we can expect our customers to have long-term relationships with the company, due to the long-term nature of the product. Providing simplified access whilst ensuring a high level of data security will increase confidence in the industry, a core advantage in an industry that deals with people’s money.

It may take a while to switch over to a new approach, but if people start using much longer passwords, then just one will suffice for them for all the systems they have to log onto, thus relieving them of the burden of remembering multiple passwords. That will be a tremendous relief to the average user and, as an added bonus, it will make systems far less vulnerable to the type of automated hacking that is becoming ever more common globally.