Password management done right

David Sancho, senior threat researcher with Trend Micro, has recently written a short but good post in which he pointed out the reasons why despite their inherent insecurity, passwords are here to stay.

Among the advantages they offer are the fact that they can be used straight away, and that they are a good alternative to tying yourself to a specific authentication token, smartphone or location (and all the problems that might arise from that – lost devices, dead batteries, etc.).

He ended his post by giving advice to users on how to choose strong passwords, encouraged them to start using software for managing them, and finally, to use two-factor authentication where possible.

The adoption of the latter is not happening fast enough – whether because many services don’t offer the option, or users are simply not taking advantage of it where it exists – and instructions on how to create strong passwords often fall on deaf ears, so people like Lance James, head of Cyber Intelligence at Deloitte & Touche, are toying with some ideas that would force users to change their password-picking habits.

“One thing I’ve learned about humans is that in most cases, they will take the path of least resistance when it comes to change management, and only when applied pressure (road block is a nice way of putting it) or a reward is offered does this usually disrupt this path,” he recently noted in a blog post.

“We spend a lot of time telling the user to ‘do this because security experts advise it, or it’s part of our policy’ but we don’t really provide an incentive or an understanding of why we tell them to do this. Well, humans are programmable, and the best way to see the human brain is to look at it like a Bayesian network. It requires training for it to adapt to change, and repeated consistent data to be provided.”

His proposed solution – described as “Pavlovian password management” – is to create a system that would allow users to choose weak passwords, but would penalize them by making them expire in a few days.

The stronger the chosen password, the longer the interval before the user is next required to pick a new one. In addition to seamlessly training users to choose better passwords, it would also teach them that no matter how strong a password is, it should be regularly changed.

“[The scheme] could scale password changes over time, since they won’t have to be done at the same time, also reducing predictability and making expiration/changes dependent upon the user,” James notes. “[It] could be also turned into a form of a game such as earning badges for ‘strongest password of the month’, or ‘top 10 security conscious users this week’.”
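A minimal policy engine for the scheme sketched in the two passages above, added here as an example (not code from James's post or from Help Net Security): the estimated strength of the chosen password decides how many days it stays valid, a denylist of known-weak passwords always lands in the shortest tier, and expiry is counted from each user's own change date so changes are spread out over time. The tier thresholds, validity periods and the denylist are assumptions constructed for this example.

```python
import math
import string
from datetime import datetime, timedelta

# Constructed tier table for this example (assumption, not values from the post):
# (minimum estimated entropy in bits, number of days the password stays valid).
EXPIRY_TIERS = [(0, 3), (28, 14), (40, 60), (60, 180), (80, 365)]

# Tiny constructed denylist standing in for a real list of known-weak passwords.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool the
    password draws from). Anything on the denylist scores zero regardless."""
    if password.lower() in WEAK_PASSWORDS:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def validity_days(password: str) -> int:
    """Map estimated strength to a validity period: weak passwords expire in
    days, strong ones are kept for months (the 'Pavlovian' incentive)."""
    bits = estimate_entropy_bits(password)
    days = EXPIRY_TIERS[0][1]
    for threshold, period in EXPIRY_TIERS:
        if bits >= threshold:
            days = period
    return days


def expiry_date(password: str, chosen_at: datetime) -> datetime:
    """Expiry is relative to when this user set the password, so changes are
    spread over time instead of happening for everyone on the same day."""
    return chosen_at + timedelta(days=validity_days(password))


if __name__ == "__main__":
    for pw in ["password", "abc123", "Tr0ub4dor&3", "Correct-Horse-Battery"]:
        print(f"{pw!r}: ~{estimate_entropy_bits(pw):.0f} bits -> valid {validity_days(pw)} days")
```

The character-class estimate is deliberately crude; a production deployment would swap in a real strength estimator and a breached-password list, but the tiering logic stays the same.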

He makes some good points, and I, for one, would like to see this type of system implemented. Add to this the use of a password manager – one that hopefully has a password generator – and juggling passwords should not be a problem anymore.

Intel is also doing its part to teach users the importance of strong password choices and has recently announced World Password Day 2014, an initiative aimed at propagating good password practices among users. Help Net Security is a supporter of the initiative.

Also, if you are interested in additional tips and information about password alternatives, you can check out the interview we recently did with Per Thorsheim, the founder and main organizer of PasswordsCon, the first and only international conference on passwords.