Journal of Computer Security and Usability

March 29, 2013

Passwords: The Best Worst Security Solution in the World

It’s been nearly seven months since I’ve written anything, partially because I don’t have any free time anymore and partially because I’ve committed to this site being much more focused on computing theory and research and less about complaining about how people use computers wrong. But there is still one thing we do wrong with computers that I can complain about.

The line between the human and the computer is defined at the human-computer interface. If we are unable to accurately communicate with the computer, then we are unable to utilize it to perform work. This becomes exacerbated if the computer is a complicated system, such as a secure computer system. User interface design in the context of secure systems is an imperative topic of study as secure computer systems increasingly become a part of our day-to-day life.

Making Secure Systems Usable

The usability requirements of secure systems have been under study roughly since the early 2000s. The first widely acknowledged framework for analyzing the usability attributes of secure systems was published in 2002 by Ka-Ping Yee, a UC Berkeley researcher turned Google engineer. Secure systems have traditionally been designed with security as the sole priority and usability as little more than an afterthought. As a consequence, users do not understand the system, since the user interface provides a poor mental visualization of the state of the system. Users not understanding the system leads to user frustration, which in turn leads to problems that cause significant deteriorations in productivity and security.

Yee’s framework outlines ten principles of user interaction design for secure systems that can alleviate user frustration by giving users a much clearer perception of the system, therefore granting users a better understanding of the system’s capabilities. Our systems become more secure when users are led to accurate conclusions about the system through what its user interface implies, and users can therefore make safer, better informed security decisions while using the system.

By far, the most common and ubiquitous secure user interface we interact with on a daily basis is the password prompt. But as humble as this basic security control may appear, it is a venerable destroyer of digital worlds; a mechanism that is so clunky, so insecure, and so difficult to manage, but we cannot seem to come up with a viable replacement that addresses all of its ills.

Enterprise “Best Practice” Policy

Nowhere are the deficiencies of passwords more glaring than in the enterprise. Two stereotypes have converged to create the tar pit that is modern-day enterprise password management. First, users have become accustomed to being told that everything about the security of their institution’s system is a secret, and they will receive little to no education about the cyber threats that their institution must defend against. This fosters a user outlook on security that is alarmingly apathetic.

Second, it has been IT policy for the last fifteen years to regard the user as some sort of rambunctious child, and therefore to treat providing any sort of educational resources as a hopeless waste of time. What you end up with is modern password policy — a messy seesaw of over-regulation biased heavily in favor of draconian security over usability, to the point where it becomes a beast of burden that thoroughly weakens the security of the system that it is supposed to protect.

Most alarmingly, modern enterprise password “best practice” policy is riddled with contradictions that disregard academic secure usability research and only fuel more disdain and apathy among the users that it is supposed to serve. One of the biggest of these contradictions is the adage in corporate IT that “the strength of a password is traditionally reckoned by its length and complexity,” with some groups advocating passwords that have minimum sizes reaching 14 characters in length and contain no semantic content, while at the same time being required to contain camel case and exceptionally difficult-to-remember punctuation.

Nearly all accepted usability frameworks rank mental effortlessness as a requirement that must be provided by a usable system, and modern enterprise password policies fail this requirement outright. To cope with the introduced stress — a natural thing for humans to do — users are tempted to write down their passwords; however, enterprise password policies very expressly prohibit this practice, often levying harsh penalties and making public examples of those who violate this rule.

To be perfectly honest though, the “don’t write down your password ever” rule assumes that your enterprise employs IT officers with peaked hats and knee-high boots who follow users around all day and make absolutely sure that they do not write down their password … it’s absolutely delusional to call this an adequate policy!

Password Aging: Openly Declaring War on the User

And tossing kerosene onto this fire of user stress are password aging and rotation requirements. Despite both academic and enterprise research recognizing password aging as a major contributor to users forgetting their passwords, password aging and rotation policies continue to be hawked as good security practice. Requiring and actively enforcing that rotated passwords be dramatically different from one another has also become a recommended practice in recent years, and is again a severe detriment to usability.

Studies going as far back as 1999 have identified password rotation as the source of a user sentiment in which users feel that they are “forced” into consciously circumventing their institution’s security policies; consequently, users begin using weak passwords and writing down passwords out of pure frustration and contempt. The last 15 years of IT password policy have done nothing but create complacency; users routinely create passwords that are “… very simple choices that are easy to guess.” Users write down passwords in retaliation to policy, “… because I was forced into changing it every month I had to write it down.”

A secure system is a system that must provide a path of least resistance; any system whose policies entice users to engage in the conscious circumvention of security measures in order to achieve that path is — by definition — not a secure system.

We Use Passwords Because There Isn’t Anything Better

The worst part about this entire debacle is that there isn’t a better solution that offers remarkably increased usability while still preserving the time-tested security and deployability benefits of text passwords. The study of how to improve passwords goes back to the 1970s, and to this day we still have not been able to come up with a viable alternative.

One of the more intriguing alternatives out there is a class of authentication systems known as cognitive passwords. Cognitive passwords are systems that require a user to answer a question whose answer is intrinsic to the user, rather than something the user has actively memorized. The earliest cognitive authentication systems — developed in the late 1980s and early 1990s — used sets of questions that were either fact based — something the user knows whose answer is independent of the user’s feelings — or opinion based — something in which the personal opinions of the user determine the answer.

Studies on these systems have shown cognitive authentication systems to be far more usable than traditional text passwords: one study gave a group of users twenty questions to answer, then asked the users these questions again unexpectedly six months later. On average, users were able to remember the answers to 94% of their questions correctly after six months, 86% after one year.

Another study had users memorize a combination of fact-based cognitive questions, opinion-based cognitive questions, and a traditional text password that the user had to create for the study. After three months, users were able to correctly recall the answers to 94% of their fact-based questions and 88% of their opinion-based questions, which is an astounding number when compared to the correct rate of recall of the text password, which was only 35%.

As promising as these systems were, they never caught on as primary authentication systems. However, they are still among us today, most commonly as secondary authentication systems that are used for scenarios such as when a user forgets their password.

Secure Usability Conundrum

The dramatic expansion of web-enabled consumer applications — driven largely by advances in cloud computing technologies in the late 2000s — has created a secure usability conundrum for users.

On one hand, every aspect of their computing life has been placed online, and can be accessed from anywhere in the world on any commercial device manufactured, enabling astounding convenience.

On the other hand, this accessibility requires security, and the best system we have for authenticating users has literally been in constant use since the first time-shared operating systems were developed at the dawn of computing.

Passwords were designed in a time when engineers could never have imagined that there would be hundreds of systems accessed by users every day through the course of their work and leisure, every single one of them requiring a password that the user has physically rehearsed and memorized. While alternatives to the text password have been developed in recent years that aim to address the memory-effortless problem, more work in the field will need to be done to develop usable systems that still match the unquestionable security and deployability attributes of the traditional text password.

EOF