
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
November 1, 2002


Has the password had its day?

For many years, the simple password has come to be seen as a cheap and convenient way of authenticating computer users. What’s not widely known is that basic problems exist with using passwords as security devices.
The Golden Rule, for example, is that passwords must be changed regularly, and should never be written down. However, they also need to be long and complicated enough that they are difficult for anyone else to guess. Although “man coffee girl dog flowers envelope” is a fairly good and long password, surely it’s impossible to remember unless you actually write it down?

A recent survey by online banking group Egg found that the most common technique users employ to help them remember passwords is to choose words that spring easily to mind (such as the names of their children, partner, favourite footballer or a film star). The survey also found that, once chosen, very few people change their password unless forced to do so.
The compilers of the survey results encountered a variety of excuses from users who admitted never having changed their passwords for many years. Probably the most bizarre response was from a woman who’d been using the name of her dog…
“Our much-loved pet had recently died. Changing the password would be disrespectful,” was her response.

Passwords are easy to ‘crack’
Traditional passwords suffer from another problem, too – namely that they can be ‘cracked’ by sophisticated programs available for download from the Internet (many of them free of charge!). A hacker who gains physical access to a network server, for example, can easily retrieve encrypted versions of every user’s password. By logging in to specialist hacker sites he or she can then download tools capable of cracking the encryption in just a couple of minutes (by trying literally millions of combinations every second).
With PDAs in particular there’s another reason why traditional passwords are a pain in the digits. With only a stylus and a small touchscreen rather than a full-size keyboard at their disposal, the temptation for users to pass up the opportunity of using password protection – or to choose one of the minimum length – is overwhelming.
With PDAs being so easy to steal or lose, leaving the office with an unprotected Assistant is like playing a game of Russian roulette with your company.

Are biometrics the answer?
Biometric technologies are often touted as the successor to password-based security. However, although hardware-based authentication such as fingerprint recognition adds another layer of security, and users certainly can’t forget or lose their fingerprint, the hardware is expensive to purchase and difficult to roll out in large volumes.
So if traditional passwords are this problematic and biometric alternatives impractical, could there be a middle ground somewhere? How might we reinvent the password into a form that’s easy to remember, and which can’t easily be written down even if the user wants to?

The key to being able to memorise and recall lists of items – or long passwords – is called mind-mapping. It’s a widely-used technique, much loved by those whose party trick is to memorise and recall a long list of words or a collection of items on – for example – a tray.
Mind-mapping involves constructing a logical path between the individual words or items by inventing a story or scenario in your mind. A complex pass-phrase such as “man coffee girl dog flowers envelope” is hard to remember, for example, unless you turn it into a story about a man who spills coffee on his girlfriend’s dog and apologises by sending her some flowers in an envelope. The more silly and surreal the story the better!

Over the past year, then, it’s no surprise that users have jumped at the opportunity to use a new picture-based technology for their PDAs. Like some other security products, this system encrypts the data on the machine so that hackers and thieves can’t read it. And, of course, it includes features such as automatic log-out if the machine is left idle.

What’s in a picture?
To keep things simple on the small screens that PDAs generally have, the aptly-named PicturePIN currently uses a repertoire of ten pictures from which you can choose when making up your story (sorry, password!). Soon, the technology will also be available for Windows on laptops and desktops, allowing users to choose from a larger set of symbols because the bigger screen can accommodate it. A PicturePIN password is made up of between four and 13 symbols, and to enter it you just tap the correct symbols in order on the PDA screen (or click with a PC mouse).
Underneath the pretty pictures there’s a full-strength 128/256-bit encryption system based on the new Government-standard AES algorithm. This encrypts personal data stored in the machine. Decryption happens automatically on an as-required basis, assuming that the user logged in with a correct picture password.
If the PDA is left idle, the machine automatically enters a suspended state. For a few minutes after suspend mode has been entered the user can restore normal operation quickly by clicking just the first two pictures of his or her PicturePIN password.
Just in case the unthinkable happens and someone does forget their PicturePIN, a centralised administration function allows an administrator to securely re-set it over the telephone when the user calls the Help Desk.
With PicturePIN and mind-mapping, maybe – just maybe – the writing really is on the wall for the good old password. Though not, one hopes, on a small, sticky, yellow Post-It note.
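As an added worked example (not from the article or from the PicturePIN product itself), the Python below turns the figures quoted above – ten pictures, sequences of four to 13 symbols, and a two-symbol quick resume from suspend – into the number of possible sequences, the equivalent key length, and the worst-case time for an attacker guessing at the “millions of combinations every second” rate cited in the cracking section. The guess rate of one million per second and the assumption that every sequence is equally likely are assumptions, not figures from the article.

```python
import math

SYMBOLS = 10               # pictures offered on the PDA version (from the article)
MIN_LEN, MAX_LEN = 4, 13   # permitted PicturePIN lengths (from the article)
QUICK_RESUME_LEN = 2       # symbols needed to leave suspend mode (from the article)
GUESS_RATE = 1_000_000     # guesses/second; assumed, from "millions every second"


def keyspace(symbols: int, min_len: int, max_len: int) -> int:
    """Count the distinct sequences of length min_len..max_len drawn from
    `symbols` pictures. Repeats are allowed, so each length adds symbols**n."""
    if symbols < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid keyspace parameters")
    return sum(symbols ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Equivalent key length, assuming every sequence is equally likely."""
    return math.log2(space)


def worst_case_seconds(space: int, rate: int = GUESS_RATE) -> float:
    """Time to try every sequence at `rate` guesses per second (average: half)."""
    return space / rate


def picturepin_report() -> dict:
    """The three cases a defender would compare: the shortest permitted PIN,
    the whole permitted length range, and the two-symbol quick resume."""
    cases = {
        "shortest (4 symbols)": keyspace(SYMBOLS, MIN_LEN, MIN_LEN),
        "any length 4-13": keyspace(SYMBOLS, MIN_LEN, MAX_LEN),
        "quick resume (2 symbols)": keyspace(SYMBOLS, QUICK_RESUME_LEN, QUICK_RESUME_LEN),
    }
    return {
        name: {
            "sequences": space,
            "bits": round(entropy_bits(space), 1),
            "worst_case_seconds": worst_case_seconds(space),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, row in picturepin_report().items():
        print(f"{name:26s} {row['sequences']:>16,d} sequences "
              f"({row['bits']:>4} bits)  worst case {row['worst_case_seconds']:.2f} s")
```

The seconds figure only applies to an attacker who can test guesses offline against a copy of the encrypted data; on the device itself the rate is limited by the touchscreen and by any failed-attempt limit, which the article does not specify, so the 100-sequence quick-resume case is where such a limit matters most.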
