Articles - A false sense of security


Most people dread the bi or tri-monthly message that flashes up on their screen when they sign on – “Your password has expired. Please select a new one.” Just as their fingers have managed to become almost automatic at putting in the random string of mixed letters, numbers and symbols, randomly capitalised, they are forced to start learning a new one.

 By Tom Murray, Head of Product Strategy, Exaxe.

 Ultimately, most of us cheat and end up with a slight variant on the previous one, which will only trip us up a few times in the first week of the password. And then on we go until we get the next change mandated upon us 90 days later.

 The reason for this is that a seminal work from the 2003 NIST Special Publication 800-63. Appendix A,” became the bible of the IT security industry and every IT department promptly enforced the rules within it as a means of showing everyone that they were doing everything possible to secure data on the company’s systems. Thus, we were all reduced to having to come up with random passwords we struggle to remember, with bizarre capitalisations and substitutions of symbols for related letters such as “SiMb0lyc156” as an example.

 Now the man behind the original document has recanted. In a piece in the Wall Street Journal, former National Institute of Standards and Technology manager Bill Burr has said that the whole approach was misguided. It turns out that the key factor is the number of bits of information that must be cracked in order to find out what the password is. The current approach is based on what looks like a hard word to remember is only difficult for humans. Computers see it as a collection of symbols and don’t need it to make any sense. Therefore, the shorter it is, the quicker the algorithm can run through the number of combinations in order to get to the answer. So, hacking in by outsiders using automated hacking algorithms is much easier for those short words that look difficult, than it is for longer words or phrases that make sense to the user but are much longer. In short, we have focused on using passwords that are hard for us to remember, because they don’t make much sense, but have forgotten that computers don’t work in the same way.

 A cartoon drawn by Randall Munroe in 2011 showed this perfectly when he proved that the password “Tr0ub4dor&3” would take 3 days to crack at a guess rate of 1000 guesses per second while the phrase “correct horse battery staple” would take 550 years at the same rate. Thus, it makes far more sense for people to pick four common random everyday words and use them all the time. And because they wouldn’t need to change them, remembering them would be easy. Also, they could be unique as everyone can construct a random word selection that means something to them, but means nothing to anyone else.

 What does this mean for the life and pensions industry? As we increasingly expand our services to allow customers online access both to buy and to service their policies, we need to be very careful that we manage to secure the data, not just appear to secure it.

 We need to help customers by shifting our emphasis to providing password security approaches which make it easier for humans to remember their passwords but much harder for machines to guess them. That probably means doing away with a lot of the current password checking systems, which generally start indicating your password is strong as soon as you enter an “@” or a “[“ symbol, and move to allowing actual phrases to be used, thus encouraging longer passwords of the type that people should find much easier to remember.

 In some ways, this is more important for the life and pensions industry than many others, as we can expect our customers to have long-term relationships with the company, due to the long-term nature of the product. Providing simplified access whilst ensuring a high level of data security will increase confidence in the industry, a core advantage in an industry that deals with people’s money. 

 It may take a while to switch over to a new approach, but if people start using much longer passwords, then just one will suffice for them for all the systems they have to log onto, thus relieving them of the burden of remembering multiple passwords. Which will be a tremendous relief to the average user and, as an added bonus, it will make systems far less vulnerable to the type of automated hacking that is becoming ever more common globally.

  

  

  

  

  

  

 
  

Back to Index


Similar News to this Story

Actuarial Post Magazine Awards Winners Edition December 2024
Welcome to the Actuarial Post Awards 2024 winner’s edition and we hope you enjoy reading about their responses on having won their award. The awards
Guide to setting expense reserves under the new Funding Code
The new defined benefit (DB) funding code of practice (new Funding Code) requires all schemes to achieve funding levels that ensure low dependency on
Smooth(ing) Operator
Private equity can be a great asset. It’s generally the most significant way to have any real world impact as an investor (eg infrastructure assets li

Site Search

Exact   Any  

Latest Actuarial Jobs

Actuarial Login

Email
Password
 Jobseeker    Client
Reminder Logon

APA Sponsors

Actuarial Jobs & News Feeds

Jobs RSS News RSS

WikiActuary

Be the first to contribute to our definitive actuarial reference forum. Built by actuaries for actuaries.