Community News Security

The human side of password security

By Andrea Pinzani, IT security expert at the Consortium GARR

On average, each of us owns from 20 to 40 accounts. Unfortunately, however, we are not very good at creating strong passwords. We prefer short ones, often using personal information, common words, predictable strategies and composition or replacement schemes. We’re not even very careful at keeping them safe either. Despite being informed about password good practices, we do not make the right choices to protect ourselves, due to several intangible factors.

The main reason is convenience. We want passwords that are easy to remember – which makes them weak. We do this for fear of forgetting them, although some studies suggest that this concern is excessive.

In conceiving a password, we draw on what is already present in our memory, we think about what we like, hobbies, desires and, unfortunately, also specific data such as the names of family members, dates of birth, telephone and licence plate numbers etc. It’s not just a question of being lazy. We establish a link with our passwords, the unconscious is released in this intimate context that should remain secret. For some, that series of characters is a moment of liberation, of emotional release. Passwords reflect personality: those who are scrupulous will choose longer and more complicated ones, those who are relaxed and self-confident may never change them.

We believe that our choices are original and we can conceive valid methods to create strong passwords, but most of them are actually poor and can be easily cracked. Personal information can be easily sifted from social media.

We want to keep all our passwords in mind, that is, keeping control.
If we forget the password, recovery is an inconvenience.
We think our data isn’t interesting enough to be worth a hacker’s attention.
Every security measure is an overhead and hinders our work.

Everybody pays attention to the security of what they physically own, be it their wallet or their purse, but when it comes to something as immaterial as data, things change entirely.

People just tend to place less value on what’s digital because it’s intangible. We tend to underestimate the risk. The dominant attitude seems to be: “Security is important, and violations can be disastrous, but it didn’t happen to me“. It is like the attitude we have towards car accidents or illnesses. We don’t worry about the negative consequences of our behaviour unless we think there will be immediate consequences for us.

A study found that the trade-off between security and convenience can be positively influenced by a time factor. In other words, the time frame that a user associates with a given event influences their attitude. In choosing a password, for instance, the goal of protecting oneself from identity theft (security) is perceived as a future possibility. In such case, the mind works more abstractly and effectively. On the other hand, the need for a viable password easy to remember is felt as a short-term necessity. In this cases, the mind is more pragmatic and the goal is simplicity (weakness).

Users may think: “Now my problem is not to achieve security (by choosing a secure password), but to create a password (by choosing one that’s easy for me to remember).”  So the objective can be distorted; moreover, a sense of urgency, due for instance to a system prompt waiting for response, can generate anxiety.

Better passwords are created for banks than for email accounts. The type of account is therefore a possible motivation for giving up convenience in favour of security. It is the fear of incurring in possible damages that leads to greater commitment.

Data breach is a big source of credentials theft. Hackers attack e-commerce sites and steal all customer information, including passwords. Or they just buy stolen credentials from the dark web.

Attackers make the same assessments as we do on the quality of passwords, and carry out more effective attacks using recurring password lists from data breaches. Current processing speeds have made eight-character passwords easily crackable.

Because of weak passwords and the increasing number of attacks, organisations have imposed stricter requirements on password complexity. Greater length, large character set (upper case, lower case, numbers and symbols), no vocabulary words, never writing down, only memorising.

These rules coerce people to create passwords that are difficult to read and memorise, and they are annoying and frustrating  for them. There are a few mnemonic techniques users can adopt to make their life easier, as for example using the first letters of famous sentences, poems, etc. However, if the password has to be changed often users may be unable to recall which mnemonic they should use. Furthermore, mnemonics that lead to passwords like “2BOrNot2B” also make them easier to guess.

Complexity requirements don’t work, and besides, they lead users to make errors.

Analyses of cracked passwords databases show that increasing complexity does not make passwords stronger. When people are forced to create complex passwords, the result can be poor. Some letters and numbers are more frequently used, and only rarely the whole set of characters is actually used. If a mandatory pattern is set, you can rest assured that users will use it in predictable ways. For example, “Pa55word!” complies to common rules, but is a well-known, and hence a weak combination.

It is a well-established fact that reusing the same password on multiple accounts is wrong, but many users do it nonetheless. They select only a limited number of passwords satisfying the requirements, then they reuse them everywhere. If a hacker steals a password more than one account is compromised. Most users use the same passwords both at home and at the office, thus potentially compromising their work environment too.

When excessive effort is required, users can react by finding workarounds to make their life easier. For example, on systems that do not allow reusing the last five passwords, users may change them voluntarily several times, till they are enabled again to use their favourite one. The so-called password fatigue is the sensation experienced by those who need to remember an excessive number of passwords, and it is one of the many factors contributing to stress.

By combining the effect of data breaches and password reuse, the risk of illicit access is amplified.

Another error is to write down passwords insecurely (e.g. with a sticky note on the user’s monitor, in a drawer, or in a not encrypted file on the PC or mobile phone). The suggestion here is to allow writing down passwords, but only in a secure way, e.g. by keeping them in a safe or in the wallet.

Another error is forcing users to periodically change the password. When using a complicated password, changing it does not make much sense. You don’t change your security lock at home for extra protection, you only do it when you’ve reason to believe it may be compromised.

Instead of concentrating on what would be a theoretically perfect password, we should use common sense and also take into account the human factor. If we want solutions that really work, we should negotiate them with the people who are going to use them, taking stock of how they think. Informing users on the right things to do is not enough, they shouldn’t be left to their own devices.

 Tips & advice to cap it all

  • Raise awareness among users and motivate them. Increase risk awareness, by explaining attacks like phishing and social engineering, and dogmas like “never reveal passwords”. Some users don’t change passwords even after learning of a data breach. Highlight that the benefits also involve personal passwords they may be using at home.
  • Concentrate on the ease of use. Implement alternative authentication systems, like the Single Sign-On (SSO), which reduces the need to remember many passwords.
  • Encourage the use of passphrases (e.g. diceware), of at least 20-30 characters. They are easier to remember than passwords and more difficult to guess. The key to strength is length, not complexity.
  • Use a password strength meter to produce strong passwords.
  • Use a random generator of passwords or passphrases.
  • Use a password manager to store passwords in encrypted form. This way, only a master password is needed. File backup is crucial, as well as keeping the master password in a safe place.
  • Adopt technologies that allow the automatic entry of credentials.

About the author

Andrea Pinzani is an IT security expert at the Consortium GARR. Since 1999 he has been working at GARR-CERT (cert.garr.it) which reports and manages IT security incidents, publishes security alerts on the most common vulnerabilities, provides support and training to users in the field of cyber security and is also dedicated to the study and analysis of cyber intelligence sources for operational data protection.


Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020