Fighting Hackers: Everything You've Been Told About Passwords Is Wrong


Security is not just about strong encryption, good anti-virus software, or techniques like two-factor authentication. It's also about the "fuzzy" things ... involving people. That's where the security game is often won or lost. Just ask Mat Honan.

We – the users – are supposed to be responsible, and are told what to do to stay secure. For example: "Don’t use the same password on different sites." "Use strong passwords." "Give good answers to security questions." But here’s the troublesome equation:

more services used = more passwords needed = more user pain

... which means it only gets harder and harder to follow such advice. Why? Because security and practicality are in conflict.

#### Markus Jakobsson

##### About

A security [researcher](http://www.markus-jakobsson.com/research), Dr. Markus Jakobsson is one of the main contributors to the understanding of phishing and crimeware. He holds over 50 patents and 100+ pending patents; is a co-founder of four startups spanning user authentication, mobile malware detection, and secure user messaging; and has published a collection of [books](http://www.amazon.com/Markus-Jakobsson/e/B006J03SOA/). Jakobsson is Principal Scientist of Consumer Security at PayPal.

But they don’t have to be. As someone who has studied millions of passwords and how they were constructed – I’ve spent most of my waking hours for over a decade obsessing about authentication methods – I say we can have both security and practicality.

And it starts with recognizing that a lot of security advice hurts more than it helps.

Security specialists – and many websites – prompt us to use a combination of letters, numbers, and characters when selecting passwords. This results in suggestions to use passwords like "Pn3L!x8@H", to cite a recent Wired article. But sorry, guys, you’re wrong: Unless that kind of password has some profound meaning for a user (and then he or she may need other help than password help), then guess what? We. Will. Forget. It.

#### What Good Is a Password We Can’t Remember?

Obviously, we need something that is both secure and which we can remember. Whoever asks us to use meaningless sequences of letters, numbers, and characters worries more about security than about practicality. We need to resolve this tension, or we will forever be faced with vulnerabilities to hackers, or lack of access to our data.

We need new password approaches.

One common suggestion is taking a word, let’s say "Elvis", and replacing letters with digits to get "3lv1s". While this makes a password memorable – presuming we won’t forget Elvis – it doesn’t make it that much more secure. Because everybody makes changes just like that.


Furthermore, when forced to add a numeral and a special character, people just add "1" and an exclamation point at the end. While this does get your password accepted on most sites, it doesn’t make the password much stronger.

Because hackers know all our tricks. Online criminals know much more about passwords than the good guys do.

The irony is that most sites will tell us a password like "3lv1s" or "3Iv1s!" is secure (though it might be a bit too short on some sites). This is because today’s password strength checkers don’t measure password strength, but rather, count individual characters and simply make sure passwords have numerals and special characters.

They fool us into thinking that bad passwords are good – and that some good passwords are bad.

The community of security experts has naively assumed that digits and exclamation marks mean more security, when in reality these just result in lower recall rates. Instead, password strength checkers should break down passwords into their components, most typically words – because that’s how people naturally think and communicate. The strength checker can then determine (1) what words a given password consists of, and (2) how common or frequent those words are. The product of those frequencies is a much better estimate of the password’s strength than whether the password contains a particular character or not.
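To make the proposal concrete, here is an added toy checker (not code from the article or its author) that estimates strength the way the paragraph describes: undo the common substitutions, strip the predictable "1!" suffix, split the rest into words, and score the password by the product of the component frequencies rather than by counting character classes. The frequency tables, the substitution list and the per-character floor are constructed placeholders, not data from a real corpus.

```python
import math
import re

# Constructed toy frequency table: the probability that a user picks this word as
# one component of a password. A real checker would derive this from a corpus.
WORD_FREQ = {
    "password": 0.0400, "you": 0.0300, "love": 0.0200, "elvis": 0.0050,
    "step": 0.0008, "rat": 0.0006, "jog": 0.0003,
}
# Constructed probabilities for the predictable "add a 1 and a !" suffixes.
SUFFIX_FREQ = {"1": 0.30, "!": 0.25, "1!": 0.20, "123": 0.15}
# Common substitutions users make ("3lv1s" for "elvis"); undo them before lookup.
LEET = str.maketrans({"3": "e", "1": "i", "0": "o", "@": "a", "$": "s", "4": "a", "5": "s"})
CHAR_FREQ = 1.0 / 72  # assumed probability of a leftover character that belongs to no word


def normalize(pw):
    """Split off a trailing digit/special suffix, then undo leet substitutions in the core."""
    core, suffix = re.match(r"^(.*?)([0-9!@#$%]*)$", pw).groups()
    return core.lower().translate(LEET), suffix


def segment(core):
    """Split the core into table words or single leftover characters, choosing the
    split with the highest total probability, i.e. the one an attacker's model finds first."""
    best = [None] * (len(core) + 1)   # best[i] = (log2 probability, components) of core[:i]
    best[0] = (0.0, [])
    for i in range(1, len(core) + 1):
        for j in range(i):
            piece = core[j:i]
            if piece in WORD_FREQ:
                lp = math.log2(WORD_FREQ[piece])
            elif i - j == 1:
                lp = math.log2(CHAR_FREQ)
            else:
                continue
            cand = (best[j][0] + lp, best[j][1] + [piece])
            if best[i] is None or cand[0] > best[i][0]:
                best[i] = cand
    return best[len(core)]


def strength_bits(pw):
    """Return (bits, components): bits is -log2 of the product of the component
    frequencies, the estimate the article proposes instead of character-class counting."""
    core, suffix = normalize(pw)
    lp, parts = segment(core)
    if suffix:
        lp += math.log2(SUFFIX_FREQ.get(suffix, CHAR_FREQ ** len(suffix)))
        parts = parts + [suffix]
    return -lp, parts


if __name__ == "__main__":
    for pw in ["Elvis", "3lv1s!", "password1!", "JogStepRat", "Pn3L!x8@H"]:
        bits, parts = strength_bits(pw)
        print(f"{pw:12} {bits:5.1f} bits  {parts}")
```

With these toy numbers "3lv1s!" scores under 10 bits while the three-word story "JogStepRat" scores more than twice that, which is the effect the text describes; the random "Pn3L!x8@H" scores highest of all but is the one nobody remembers.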

So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? "JogStepRat": Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you'd never share!

This approach isn’t just conjecture: It works. It's been tested at a large scale, and this type of password has twice the bit security of an average password. I kid you not.

Turns out, research has a lot to say about not just passwords, but the security questions used to remember them, too. Because most of those questions are pretty atrocious.


A horribly obvious one is "Favorite color?" Red. Green. Yellow. Purple. How many people actually pick the lesser-known color "Caput Mortuum" as their answer? This isn’t the user’s fault: Whoever decided that favorite color can be used for authentication is to blame. Similarly, questions like "Brand of your first car?" aren't recommended either, because we're more likely to start off with a Dodge or a Honda than with a Bentley.

The problem with both of these questions is that most people will choose from a very small set of answer options.

Another common, bad security question is "Mother’s maiden name?" By using easily available public records, hackers can derive more than a tenth of people’s mother’s maiden names with certainty – and a lot more with pretty high probability.

So some security experts suggest you get creative with password questions. (Et Tu, Wired?) While the approach of answering favorite color with "Abraham Lincoln" and brand of first car with "Dandelion" seems great in theory, it doesn’t work in practice. Again, because: We. Will. Not. Remember.

Why would we remember one nonsense thing (the answer to a creative security question) when we can’t remember another (the very password we forgot in the first place)?

The best security questions, generally speaking, are those where:

  • there are many possible answers;
  • others can't find the answers using a quick Google search; and
  • we can actually remember the answer, but others would have a hard time guessing it.

It’s the same underlying approach, in fact, as the password approach I shared above: a focus on security and practicality. We don’t need a complex password / security question solution – at least on the front end. On the back end, however, a lot can be done if we structure things in a meaningful way.

So what are examples of good security questions? People’s preferences turn out to be a great starting point. For example: likes olives but can’t stand volleyball; these are the kinds of things we'll comfortably recall in a year. Surprisingly, most of these preferences are actually very difficult for others to guess – even by people who think they know you. In tests where we asked people to guess the preferences of their colleagues, friends, and spouses, only the spouses got enough answers right to pass.

That’s the secret to security: We have to remember that much of the time, the problem involves users ... and that users are people – not machines.

Editor: Sonal Chokshi @smc90