Password management done right

May 6, 2014 – 5:53 PM

David Sancho, senior threat researcher with Trend Micro, has recently written a short but good post in which he pointed out the reasons why despite their inherent insecurity, passwords are here to stay.

Among the advantages he lists: passwords can be used straight away, and they do not tie the user to a specific authentication token, smartphone or location, with all the problems that brings (lost devices, dead batteries, and so on).

He ended his post by giving advice to users on how to choose strong passwords, encouraged them to start using software for managing them, and finally, to use two-factor authentication where possible.

Adoption of the latter is not happening fast enough, whether because many services don't offer the option or because users simply don't take advantage of it where it exists, and instructions on how to create strong passwords often fall on deaf ears. So people like Lance James, head of Cyber Intelligence at Deloitte & Touche, are toying with ideas that would force users to change their password-picking habits.

“One thing I’ve learned about humans is that in most cases, they will take the path of least resistance when it comes to change management, and only when applied pressure (road block is a nice way of putting it) or a reward is offered does this usually disrupt this path,” he recently noted in a blog post.

“We spend a lot of time telling the user to ‘do this because security experts advise it, or it’s part of our policy’ but we don’t really provide an incentive or an understanding of why we tell them to do this. Well humans are programmable, and the best way to see the human brain is to look at it like a Bayesian network. It requires training for it to adapt to change, and repeated consistent data to be provided.”

His proposed solution – described as “Pavlovian password management” – is to create a system that would allow users to choose weak passwords, but would penalize them by making them expire in a few days.

Source:
http://www.net-security.org/secworld.php?id=16808
