You know things are bad when you read a security survey that should be startling and uncomfortable and your reaction is a “so what else is new?” shrug. ‘Twas the reaction of quite a few security executives over the last few weeks, in the face of repeated surveys showing that the passwords consumers and retail employees choose are obvious and either written down or reused ad nauseam.
The latest came Tuesday (Feb. 2) when Trusteer reported survey results claiming that “73 percent of bank customers use their online account password to access other websites, and that 47 percent use both their online banking user ID and password to login elsewhere on the Internet.”
None of this surprises anyone in the business because it’s well known that the weakest link in security is the employee and the consumer, who happen to be the people that generally care the least about it. And the periodic efforts to force better security at that level invariably fail, sometimes because of the effort itself.
For example, a company can automate rules for choosing passwords and require that they be changed periodically. But the stronger the password, the more it will fuel its own failure. Let’s say it requires that passwords be at least 11 characters long and include numerals, letters and non-traditional characters (&%|@#~, etc.). Add on top of that a rule that no characters or numbers can be repeated and that each password must pass a dictionary check. Sure, you’ll get a strong password out of it, but you’ll also almost guarantee that it will be written near the laptop in plain sight as well as typed into a desktop file in clear text. As Newton’s IT director said, “To every password action, there is an equal and opposite stupid user reaction.”
Security efforts are getting more complex, with mobile and even audio implications. And even if you succeed at forcing people to memorize these relatively secure passwords, there’s virtually no way to get them not to use the same password for a dozen sites. The only way would be some sort of central database of passwords that would look for overlap, but no such system exists now. For security reasons, that’s probably a very good thing.
Perhaps you’re worried that a user will memorize the perfect approved password, log in and then go to lunch, leaving the fully armed warhead open to anyone who walks by? So you put in a program that will force the system to log off after 5 minutes of inactivity. Users now bitterly complain because it’s logging them out in the middle of conference calls, forcing an unacceptable delay. The 5 minutes is then made into 15 minutes and then 30 minutes. So the bad guys know that they have a generous half-hour of freedom to pilfer away. For that matter, even five minutes is enough as long as the employee’s cyber-thief neighbor knows that it’s five minutes.
Something you have and something you know? The popular one-time password devices are brilliant, but they can still be foiled by individual sloppiness. If the password is seen or overheard, then it’s simply a matter of stealing the device, and consumers and employees tend not to protect those well at all.
Managing security programs is similar to being a parent of a small child. You can impose rules, offer advice and put in place mechanisms to enforce your policies, but a child who is intent on being reckless and getting hurt will eventually find a way to do it. The more rules and requirements are imposed, the more consumers and employees will find a way to run out into the street or swallow glass.
The trick is in actually convincing employees and consumers that maintaining strong security is in their personal interest. For employees, focus on the amount of work they’d personally have to do and how it could impact bonuses, commissions and other non-salary compensation. Talk about the post-event probe and that employees found to have violated company policies could get fired—at which point, the salaried compensation comes into play.
If employees insist on capturing their passwords—which is inevitable—provide a secure way for them to do so. Perhaps set up an encrypted file on their laptops or PDAs, a file that is unlocked with a single memorized master password. That way, they have multiple secure passwords, but the employee only has to memorize one. Suggest easily memorized—but hard to guess—password techniques, such as memorizing a “plus 4” or “minus 4” rule and applying it to something already memorized, such as an important calendar date, a childhood zip code or the phone number of a friend. If the friend’s phone number is 5551234 and the memorized rule is “plus 4,” it might go into the system as 9995678. That could either be encrypted or written out in the open with that friend’s pet name, as in “Babs code.”
It’s not hard, but it requires a creative focus on the weakest link.
Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.