Who makes the rules?
Hackers love them. Security auditors like to engineer them. The average person hates them. IT support teams use them for jokes. Our computer passwords have an identity crisis! Do passwords protect us, or are they just a nuisance in our everyday lives? I find weekly articles about how hackers can crack most passwords in minutes. For some thieves, cracking a password isn't enough fun, so they just steal them instead. It seems the value passwords bring for protecting information is diminishing.
Industry experts created password complexity rules we should all follow to make passwords more secure. That makes it a little harder for hackers to crack a password, but it does not make passwords theft-proof. Unfortunately, it also drives many people who have no system for managing their passwords to write them down on paper. Who can remember words with all those special characters and capitalizations? In essence, rules meant to make the user more secure made the overall system less secure.
Businesses implement password complexity rules to satisfy a couple of constraints: a security control they are given, and the limitations of the software system they are using (e.g. field length, characters allowed). The result for all of us is an inconsistent set of rules governing passwords across all the systems we use. Is it 8 characters or 10? Does it require special characters? Can I reuse a password I used two years ago?
What you know and have.
Several years ago, a method for authentication security became popular that offsets the weaknesses of a single-password system. Two-factor authentication is based on the idea of something you know and something you have. So, for example, I know a password and I have a phone to which you send me a second code. Or I know a password and I have a physical security card I can tap or read.
Now, Microsoft is experimenting with removing the password requirement completely. Their new system would make life easier for their customers because it doesn't require a pesky password for data access. Well, kind of. It requires a PIN on the phone to get access. I see this as a hybrid two-factor authentication: something I know, my phone PIN; something I have, my mobile device. If I lose or misplace my phone, they say there is an option to revert to a standard password. Would you use this?
Protecting data with authentication systems is a good study in human behavior. We protect the data because we don't want others to see it. We protect access because some people steal data. We develop authentication systems that try to find a balance between human usability and password complexity. I can see this as a college class: Psyc 231 – Human behaviors for data access and protection.
Photo Credit: Thomas Au via Creative Commons. https://flic.kr/p/dT3HaA