May 15, 2006
Password Protection? Forget It
According to Kim-Phuong Vu, a lot of users try to remember half a dozen passwords. Which is why the most common password is "password."
That's why Vu, author of the recently published Stimulus-Response Compatibility: Data, Theory, and Application, is trying to come up with ways to promote the generation of secure and memorable passwords. One approach she identified involves writing a sentence that encapsulates the password itself, so that the context of the sentence can provide cues to recall the password. "The problem with this method is that people remember the gist of the sentence and without the specific cues, the password cannot be remembered," Vu says.
Vu, who is an assistant professor in the Psychology Department at California State University, Long Beach, goes on to say that the average password is easy to crack, but access to biographical data makes guessing that much easier, with favorites being birthdays and children’s names. "My colleagues and I use an easily obtained cracking device called LC4 to crack passwords," she said. "It sources a dictionary to try words and combinations of words. It often cracks a password without knowing anything about the user. My research says that 60 percent of passwords can be cracked within a few hours, and some in less time than that."
Proactive password protection requires upper or lowercase letters, numbers, special characters, and the like. Users generate a private password from these elements. The idea is that using these mechanisms makes cracking a password that much harder, but Vu's research has found a big trade-off between memorability and security. "The easier to remember a password is, the easier it is to crack," she said. "The ones that are harder to crack are the ones that are hard to recall and there’s the problem."
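The sketch below is an added example, not code from the article or from Vu's research. It shows a proactive check that applies the composition rules described above and also rejects the dictionary words and biographical details (a child's name, a birthday) that the previous paragraph says make guessing easy. The word list, the user profile and all function names are constructed for illustration.

```python
import re

# Constructed sample data: a tiny word list standing in for a real dictionary.
COMMON_WORDS = {"password", "letmein", "dragon", "welcome", "monkey"}
# Undo common character substitutions before comparing against word lists.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def composition_problems(pw, min_len=8):
    """Composition rules of the kind the article describes."""
    rules = [
        (len(pw) >= min_len, "shorter than %d characters" % min_len),
        (re.search(r"[a-z]", pw), "no lowercase letter"),
        (re.search(r"[A-Z]", pw), "no uppercase letter"),
        (re.search(r"[0-9]", pw), "no digit"),
        (re.search(r"[^A-Za-z0-9]", pw), "no special character"),
    ]
    return [msg for ok, msg in rules if not ok]

def guessable_problems(pw, bio_words=(), bio_numbers=()):
    """Flag dictionary words and biographical details hidden in the password."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    digits = re.sub(r"\D", "", pw)
    problems = []
    for word in sorted(COMMON_WORDS):
        if word in letters:
            problems.append("contains dictionary word '%s'" % word)
    for word in bio_words:
        if len(word) >= 3 and word.lower() in letters:
            problems.append("contains biographical word '%s'" % word)
    for number in bio_numbers:
        if len(number) >= 4 and number in digits:
            problems.append("contains biographical number '%s'" % number)
    return problems

def check(pw, bio_words=(), bio_numbers=()):
    """Return every reason to reject pw; an empty list means accept."""
    return composition_problems(pw) + guessable_problems(pw, bio_words, bio_numbers)

if __name__ == "__main__":
    # Constructed user profile: a child's name and a birthday (month, day).
    for candidate in ["password", "Password1!", "Emma0514!x", "tr7#Kq9v&Lm2"]:
        print(candidate, "->", check(candidate, ["Emma"], ["0514"]) or "accepted")
```

"Password1!" and "Emma0514!x" satisfy every composition rule yet are rejected by the second check, which is the gap between meeting the rules and resisting a dictionary-based guess.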
The key to future password security is price. The cheaper the security, the more likely it is to be used. "Voice recognition is improving all the time but it is not ready yet," she said. "The government can afford high-fidelity systems but everyday users cannot."
There is a lot at risk with easy-to-crack passwords. A password can be used to guard a bank account and if that goes, so goes the cash. "A password can guard my grades and breaking in to gain access to my files means the whole class gets A's," she said. "If I published corrupted data, my credibility is gone. A company loses money if someone hacks into their system. If a Web site collapses through password security, that is a loss to business. For example, if an airline has a security breach that allows users to change the very rates they charge, they may have to honor those rates. Password security has many implications for the individual and society at large. There are varying degrees of risk. This problem will get more serious as we rely more and more on the Internet."
Vu believes the password is here to stay. "Fingerprints and retina scans are expensive. Password security is affordable and generally accepted by users, even if it is not the securest form of protection," she said. "When you ask the typical user if they are interested in recording their fingerprints or retina, they squirm."
Memory is affected by many things, including age and gender, but one key is practice. "It is less a matter of not forgetting and more a matter of training yourself to remember," she said. "Everyone has memory problems, no matter what their age. Memory depends on many factors. For instance, culture has little effect on short-term memory when you take into account factors such as pronunciation rate."
Posted by Jon Erickson at 03:47 PM