UCL events news and reviews

Elegy for a password

By uclektm, on 31 March 2014

We were gathered there on 25 March to commemorate “the end of an era in research” – the death of the password.

Professor M. Angela Sasse ably led the service (disguised as a Lunch Hour Lecture), the tone of which was sombre if not exactly mournful. Everybody seemed to agree that it was the password’s time to go.

For me, her lecture was an interesting lesson on the intersections between technology and human fallibility, and in particular, how the development of the former can outpace the latter.

This is particularly true of computer authentication systems, which most of us use in the form of passwords: the jumble of letters, numbers and symbols of a designated length that you must type before you can check your email.

A perennial problem
But how did Professor Sasse come to be ringing their death knell in the Darwin LT that day?

Before moving into computer science, her background was originally in occupational psychology. Her research now is an interdisciplinary consideration of the tensions between user friendliness and security in passwords.

Specifically, it is an extended attempt to answer a question she was asked by a telecommunications company early in her career: “Why can’t stupid users remember their passwords?”

And the answer is: because we’re not computers. Professor Sasse explained that, basically, password systems have evolved to require things of people that we are simply not able to do.

We cannot hold more than two or three passwords in our minds that meet all the requirements for strong security: passwords that are lengthy and formed of unique combinations of numbers, letters and symbols.

Systems that expire passwords at regular intervals only increase the pressure on our memory. And if impossible demands continue to be made, people will stop meeting them.

They will develop ‘workarounds’, a useful enough noun that does a little bit of verbing as a term for methods that bypass system limitations.

And the workarounds people use won’t be complex, either. They’ll write passwords on whiteboards, tell them to friends and find the easiest combinations to type within a particular set of requirements.

Professor Sasse shared photographic evidence of a workaround in practice: a shot of a newsroom in a television news programme.

On the whiteboard, in plain view, was the username and password for their weather system – “weatherservices: Winter14”.

The price of entry
Passwords are also a problem in business because of the time and effort that it takes for employees to manage them.

On average, an employee spends three weeks per year logging in, logging out and changing expired passwords.

Users’ frustration with passwords can also impact productivity in larger ways.

People may choose to avoid certain systems altogether, and while that might benefit them personally, it can reduce overall organisational efficiency if the system provides an essential service.

Further, companies may be resistant to technological innovation if its implementation would mean more changes to a security system that is already hard to administer.

How can a system be cost effective, usable and safe?

New innovations in password technology have been difficult to achieve, partly because the human propensity for finding workarounds develops so quickly and consistently.

How about doing away with alphanumerics altogether? Take a system that asks people to draw a picture instead of typing a password, for example.

Rapidly, and without collusion, people work out the four or five easiest shapes to draw, leading to dangerously low variation between active passwords and poor security as a result.

What about asking users to identify faces – a “passface”? Surely memory works most intuitively when we’re asked to remember faces!

But again, users quickly converge on the easiest faces to remember, due to all kinds of problematic gender, race and “beauty” biases.

Alas, we do not live in a world where one forgets their Facebook passface.
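The effect described above can be put into numbers. As an added illustration (not part of the lecture or this post), the snippet below takes a hypothetical draw-a-shape scheme whose 1024 possible drawings nominally offer 10 bits of security and shows how the observed entropy, and the share of accounts an attacker opens with a handful of guesses, collapse once users converge on a few popular shapes. The shape names, the counts and the 1024-drawing keyspace are constructed sample data.

```python
from collections import Counter
from math import log2


def entropy_bits(counts):
    """Shannon entropy (bits) of the observed distribution of choices."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def min_entropy_bits(counts):
    """Min-entropy: -log2 of the single most popular choice's share.

    This is the figure that matters against an attacker who simply
    tries the most common choice first on every account.
    """
    total = sum(counts.values())
    return -log2(max(counts.values()) / total)


def top_k_success(counts, k):
    """Share of accounts opened by trying only the k most popular choices."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(k)) / total


# Constructed sample: 100 users of a hypothetical draw-a-shape scheme.
# The scheme nominally allows 1024 distinct drawings (10 bits), but the
# users have converged on a few easy shapes, as the lecture described.
NOMINAL_KEYSPACE = 1024
OBSERVED = Counter({
    "circle": 32, "square": 21, "triangle": 18, "star": 12, "heart": 9,
    "zigzag": 3, "spiral": 2, "house": 1, "arrow": 1, "wave": 1,
})


def report(counts=OBSERVED, keyspace=NOMINAL_KEYSPACE):
    """Compare the nominal strength with what the user population delivers."""
    return {
        "nominal_bits": log2(keyspace),
        "shannon_bits": round(entropy_bits(counts), 2),
        "min_entropy_bits": round(min_entropy_bits(counts), 2),
        "top5_success": top_k_success(counts, 5),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With this sample the nominal 10 bits shrink to roughly 2.6 bits of Shannon entropy and about 1.6 bits of min-entropy, and five guesses open 92 per cent of accounts; the same measurement run on real enrolment data is how a deployer would spot the convergence before an attacker does.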

For you, by you
An area of ongoing development is biometrics, systems that authenticate people based on their characteristics or traits, either physical (an iris scan at Heathrow) or habitual (speech pattern or handwriting recognition).

Biometrics will likely play a key role in the technology of the future, but the ideal password system would combine different methods, adapted to the user’s goals in using a particular process.

Professor Sasse thinks that we need to move from explicit to implicit authentication systems that integrate with the function of the product.

These systems would work to invite the ‘true’ user in rather than block the general population out.

To illustrate this idea, she gave the example of high-end cars that use what is essentially “butt recognition” in their seats instead of an immobiliser: a combination of geo-location and biometrics.

Based on how the driver fits in the seat, the car can identify who they are and adjust the seat, wheel and mirror settings according to their preferences.

This is security that is low effort yet still secure: Professor Sasse’s gold standard in authentication.

But what if developers continue to ignore the importance of usability in their systems?

If possible, Professor Sasse advises us to ‘work around’ them by not using them at all – a reliable way of forcing the creation of better, friendlier technology.

You can watch Professor Sasse’s lecture here: