Ask Tog, April, 1999

Maximum Security

I hold in my hand a letter from American Scandia, the administrator of one of my 401k accounts, that reads, in part:

For added protection of personal information relating to your annuity, we are issuing you the following Personal Identification Number (PIN): 8614. You will be asked to provide your PIN when you call....In addition, you will be required to furnish us with your PIN each time you request a transfer of funds within your annuity....Please memorize your PIN and keep a copy with your other important annuity documents....

So I have the choice of memorizing yet another four digit number or pawing through my safe deposit box (during regular banking hours only) every time I want to phone this company. Now that’s convenience!

Security in our nation’s computer systems is in trouble, and the fault lies with an education system turning out security people unprepared to build real-world secure systems. As a result, many of our most secure-appearing systems sport all the impenetrability of a slice of Swiss Cheese.

Take American Scandia, for example. What do you think most people receiving the above letter are going to do? Memorize yet another PIN? Not bloody likely. Instead, this new PIN will be added to those already scrawled on the note pad beside the phone or along the edge of their monitors. They may even jot the PIN down in their address book, so they (or anyone finding the address book) can call Scandia from anywhere.

Some security.

This problem arises when security architects, in the absence of an understanding of the habits and capabilities of "real people," design systems that are almost impossible for real people to use. But just as often, you will find systems where the security people have bent over backwards to be helpful, so helpful, in fact, that they are causing just as much mischief.

I joined Traveler's Advantage a couple weeks ago and dutifully typed in my password twice, seeing the little row of asterisks each time echoing the characters. Then I clicked Next. Guess what? On the following screen, they showed me a summary of everything I’d typed in, including my password!

Like most people, I do not use an infinite number of PINs and passwords. I use one PIN for my ATM card only and one additional PIN for sort of general-purpose PIN-like things. I use one six-character password for a wide variety of non-critical stuff, and one super-duper password with mixed-case letters, numbers, and hieroglyphics for the few really important things. That’s a grand total of four passwords to memorize (and I still have to practice them once a week to keep in form).

When someone shows my password on the screen, even though their service is hardly worthy of a password, they are showing one of only two alpha passwords I use, a password that is my entrance into at least 30 different services! That is a major security breach.

But Traveler's Advantage wasn't through. They then fired off an acknowledgment, via insecure e-mail, that read in part:

Welcome to Travelers Advantage!

Here is your membership information:
-----------------------------------
Name: Bruce Tognazzini
E-mail Address: tog@bas.com
Member Number: 543903427
Username:tognazzini8
Password:foobar

What is wrong with these people?

What’s wrong is that security people typically have zero training in human factors. They know everything there is to know about networks and operating systems, but human beings? Not even on the radar screen.

Interaction designers must take up the responsibility for supplying that critical half of the security picture that has to do with people, not systems. The good news is that security people will listen to cogent, well presented argument. As long as you well-present it enough times.

Apply the following Guidelines to achieve a balance of appropriate security and usability:

  • Allow people to choose their own UserID.

    "Tognazzini8," for example, may seem simple, but only to the computer generating it. How, six months from now, am I to remember even that my UserID is my last name plus a number, let alone what that number is?

  • Make inputs for UserIDs flexible.

    If you insist on the UserID being an account number, don’t fault people for forgetting a hyphen or adding an extra space or two.

  • When requiring correct case, accept “case-inverted” UserIDs and passwords.

    For example, “Tog99” or “tOG99,” so that having the Caps Lock key down doesn’t prevent people from accessing your service.

  • Allow people to choose their own password.

  • Don’t require weird constructions in the password, like the fourth character must be a punctuation mark.

    If you do, users will have to make up special passwords just for your service, and those passwords will join the others scribbled on the frame of their monitors.

  • Don’t require any more characters than the security is worth: six characters minimum for most transactions, eight if heavy security is needed.

  • Allow users to enter more than the minimum number of characters.

    You may feel you need only four characters, but my smallest memorized standard password is six characters long. Don't make me memorize a password that is actually less secure than one I would not have to memorize.

  • Provide a link from the password screen to the change-password screen. It's amazingly difficult to find out where to change one's password at most sites.

  • Allow people to store password hints for non-habitual-use services.

    On the page where you accept the hint, teach users how to construct them right with examples of hints that are secure ("The name of the cat next door when I was five") and hints that are insecure ("The name of the dog on 'Frazier'").

  • Consider allowing people to store their passwords in cookies.

    Obviously, this is not a good strategy for critically private information, or even significantly private information in a public space, but it certainly makes sense when users are attempting to open a newspaper or magazine to which they have subscribed.

  • Allow people back in easily when you have timed them out. A simple dialog box requesting UserID and password is quite enough. Don't take them back to the entrance to the service and require them to rat-walk their way back through the labyrinth again.

  • Don't expire passwords unless you really, really need to do so and your user population is really, really prepared to deal with it. Having passwords expire tends to force people into writing down their passwords and posting them in an obvious place, like on the edge of their monitors.
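The guidelines on flexible UserIDs and case-inverted credentials translate directly into server-side login logic. The following Python is an added example, not code from the column or from any of the services it names: it normalizes account-number UserIDs the way the "forgot a hyphen or added a space" guideline asks, and it verifies a password against a salted PBKDF2 hash, retrying once with every letter's case flipped so a stuck Caps Lock key does not lock the user out. The user record, salt and iteration count are constructed for the example; the retry costs at most one extra bit of password entropy and one extra hash computation, which is the trade the guideline is proposing.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Assumed parameters for this example (not from the column).
PBKDF2_ITERATIONS = 200_000
MIN_PASSWORD_LENGTH = 6   # the column's floor for most transactions


def normalize_userid(raw: str) -> str:
    """Tolerate the variations the column asks for: surrounding and embedded
    whitespace, hyphens in account numbers, and letter case."""
    return re.sub(r"[\s\-]", "", raw).casefold()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def password_matches(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Accept the password exactly as typed, or with every letter's case
    inverted (the Caps Lock case, "Tog99" vs "tOG99"). The inverted form is
    only hashed when the exact form fails, and only when it differs."""
    attempts = [candidate]
    flipped = candidate.swapcase()
    if flipped != candidate:
        attempts.append(flipped)
    for attempt in attempts:
        _, digest = hash_password(attempt, salt)
        if hmac.compare_digest(digest, stored):
            return True
    return False


def password_policy_problems(password: str) -> list:
    """Only the constraint the column endorses: a length floor, no positional
    character rules, and no ceiling that would reject longer passwords."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("at least %d characters required" % MIN_PASSWORD_LENGTH)
    return problems


# Constructed user store: one account keyed by its normalized UserID.
_salt, _digest = hash_password("Tog99", salt=b"0123456789abcdef")
USERS = {normalize_userid("5439-0342-7"): (_salt, _digest)}


def log_on(userid_typed: str, password_typed: str) -> bool:
    """Full check: normalize the UserID, look it up, verify the password."""
    record = USERS.get(normalize_userid(userid_typed))
    if record is None:
        return False
    salt, stored = record
    return password_matches(password_typed, salt, stored)


if __name__ == "__main__":
    print(log_on(" 543903427 ", "tOG99"))   # Caps Lock on, extra spaces: accepted
    print(log_on("5439-0342-7", "tog99"))    # wrong case, not an inversion: rejected
```

`casefold()` rather than `lower()` handles non-ASCII letters consistently, and `hmac.compare_digest` keeps the comparison constant-time; the only behaviour the example adds beyond an ordinary salted-hash check is the single case-inverted retry.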

Password expiration makes sense when:

  1. Your primary security risk is a break-in from outside the system.
  2. That break-in is likely to go undetected.

If both those conditions are not true, expiring passwords doesn't make a lot of sense when balanced against the reality that people will be compelled to write the new password down and keep it near the system.

And don’t require weird initial passwords, either. One system I consulted on suffered a 40% failure rate because users were required to type in the word, “TREE,” followed by the user’s social security number with no punctuation, e.g., “TREE123456789”.

“TREE 123456789” (with a space between the word and the number) was rejected, as was “tree 123-45-6789” or any other vaguely familiar construction.

You might argue that it must have been a pretty stupid crowd if 40% of the people just flat gave up trying to get in, given they had been handed a paper with clear instructions. However, this particular crowd was, in fact, pretty clever: fully 80% of them were software engineers.

When you take something familiar, like a common word and a commonly-parsed number, and then require people to enter it in a rigid way that is completely counter to their entire life experience, you will see a major breakdown, no matter how clear the instructions.
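The TREE example is a parsing problem: the system demanded one exact byte string where people naturally type several equivalent forms. The following Python is an added example (not the consulted system's code) showing how a lenient acceptor for that initial password can be written, and how it compares with the strict string match on a set of constructed attempts. The digits are the column's own placeholder value; the list of attempts is constructed for the example, and the counts it yields illustrate the mechanism rather than reproduce the column's 40% figure.

```python
import re
from typing import List, Optional, Tuple

# The mandated initial password: the word TREE in any case, optionally followed
# by whitespace, then a nine-digit number that may carry the familiar 3-2-4
# hyphens or spaces. Hypothetical pattern written for this example.
_INITIAL_PASSWORD = re.compile(
    r"^\s*tree\s*(\d{3})[\s\-]*(\d{2})[\s\-]*(\d{4})\s*$",
    re.IGNORECASE,
)


def canonical_initial_password(typed: str) -> Optional[str]:
    """Return the rigid form ("TREE" + nine digits) for any tolerated
    spelling of it, or None when the input is genuinely wrong."""
    match = _INITIAL_PASSWORD.match(typed)
    if not match:
        return None
    return "TREE" + "".join(match.groups())


def accepted_leniently(typed: str, expected_canonical: str) -> bool:
    """Compare on canonical forms so formatting never decides the outcome."""
    return canonical_initial_password(typed) == expected_canonical


# Constructed attempts, all meant to be the same user's TREE + 123456789.
SAMPLE_ATTEMPTS: List[str] = [
    "TREE123456789",        # the only form the rigid system accepted
    "TREE 123456789",       # space between word and number
    "tree 123-45-6789",     # lower case, hyphenated number
    "Tree 123 45 6789",     # grouped with spaces
    "TREE12345",            # genuinely wrong: too few digits
]


def acceptance(attempts: List[str], expected: str = "TREE123456789") -> Tuple[int, int]:
    """Count how many attempts a strict comparison accepts versus the lenient
    parser. Both reject the genuinely wrong attempt."""
    strict = sum(1 for a in attempts if a == expected)
    lenient = sum(1 for a in attempts if accepted_leniently(a, expected))
    return strict, lenient


if __name__ == "__main__":
    strict, lenient = acceptance(SAMPLE_ATTEMPTS)
    print("strict: %d of %d accepted" % (strict, len(SAMPLE_ATTEMPTS)))
    print("lenient: %d of %d accepted" % (lenient, len(SAMPLE_ATTEMPTS)))
```

The security of the credential is unchanged by the lenient parser: every accepted spelling maps to the same nine digits, so nothing new is accepted, only the same secret in the shapes people already know how to write it.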

Security people must work with people trained and talented in human factors to see that real security—and even privacy—are achieved. This partnership requires both sides to give, for the only way to achieve absolute ease of use is to eliminate security, and the only way to achieve absolute security is to lock everybody out. Follow these guidelines and you will achieve something approaching optimal security, and optimal security, in this insecure world, is the best for which we can possibly hope.

Finally, the words are "Log On," not "Logon." This bit of applied ignorance may win out in the end, but we don't have to help it along.

Oh, and those are not my real passwords. Sorry.


Copyright Bruce Tognazzini.  All Rights Reserved