When we design a secure system, the login page is the obvious first place that comes to mind: a username and a password. In the registration flow we think a lot about the attacker who would break into the system and forget the legitimate user who is actually creating the account. This is not done intentionally, but it happens eventually.
If you don't agree with me, let's go through the set of password rules we see in modern systems.
- At least 6 characters; the more characters, the better
- A mixture of both uppercase and lowercase letters
- A mixture of letters and numbers
- Inclusion of at least one special character, e.g., ! @ # ? ]
- Do not use a sequential pattern in numbers (1234)
- Change the password every 3 days
- When you change the password do not use the previously used passwords
The list goes on and on. But what does this set of rules do to the usability of the system? Do you think users understand and value the effort you put into keeping their accounts secure? The memes circulating about password rules say it all.
So it's clear: nobody enjoys the password creation process, and that itself becomes the biggest security threat, because a system whose password creation is barely usable is a system users will work around. In other words, the system has a higher risk of failure because it does not support usable security.
Usable Security
Although this is a broad topic, we can summarise it as designing secure systems with human cognitive abilities taken into account. In other words, giving priority to usability in terms of speed, efficacy, memorability, learnability and user preference while designing a secure system helps you build a system that is both more secure and more usable.
Let’s take a system that asks the user to generate a password with the above guidelines.
First of all, let's dive a bit into what implementing those guidelines actually buys. Let's check some sample passwords and their security level. (The figures quoted here are research data taken from a course from the University of Maryland which I did recently.)
According to those figures, a brute-force attack on a password of 6 random characters with mixed case, symbols and numbers takes more than 200 years. So it's clear why we consider these types of passwords to be more secure. One caveat a practitioner should keep in mind: a figure like 200 years is only meaningful relative to an assumed guessing rate. The keyspace of 6 characters drawn from the 95 printable ASCII characters is 95^6, about 7 × 10^11 candidates, and 200 years for that keyspace works out to roughly a hundred guesses per second, which is what an online attack against a rate-limited login form looks like. An attacker who has stolen the password hash database and cracks it offline on a GPU can test billions of candidates per second against a fast hash such as MD5 or SHA-1, and the same keyspace then falls in minutes. The ranking between password types still holds at any rate, because it is the keyspace that differs; the absolute years do not.
But that's not all. Close your eyes for 10 seconds and try to recall those passwords. If you are a human with average cognitive abilities, you will remember orange and woosaa. All the others will be a blur. So the question is, what's the use of a complex password that takes 200 years to break if the user can't remember it?
In the 21st century we are connected to dozens of applications, and every one of them forces us to create and remember a password of 6 random characters with mixed case, symbols and numbers. This is not something a user enjoys. So, eventually, they find a workaround that makes their lives easier. It may include:
- Writing down the password
- Using a first name and birth year as part of the password (Steve-1988)
- Using a national ID (NIC) number or a mobile number as the password
- Using the same password for multiple applications
In all of those cases the system rates the password as secure, but it is actually highly vulnerable to a targeted guess rather than a blind brute force. If the attacker knows your name, birthday or telephone number, they already know a considerable chunk of the password, and a handful of candidates built from that information will hit it. A password reused across sites falls the moment any one of those sites is breached.
Is there a Solution?
Let's look at some more figures from the same data.
This is interesting, isn't it? A password made of three common words, all in lowercase letters, takes more than 2000 years to break. And if you compare the two passwords "J4fS<2" and "this is fun", it's obvious which one is more memorable: "this is fun". The same rate caveat applies, but it applies to both passwords equally: the attacker's cheapest strategy against a passphrase is a word-list attack rather than character brute force, and three words from a list of tens of thousands still give a larger keyspace than six random characters, so the passphrase stays ahead whether the attack is online or offline.
Why don’t we use it?
Actually there is no clear reason. My guess is that developers think the complexity of a password is proportional to its security. In reality it is not: composition rules add little to the keyspace, they push users toward predictable patterns like Steve-1988, and length is what adds entropy. Current guidance agrees; NIST's Digital Identity Guidelines (SP 800-63B) advise verifiers not to impose composition rules or mandatory periodic rotation, and instead to allow long passwords and passphrases and to reject passwords that appear in breach lists.
That is the main reason I wrote this article: to raise some awareness about the matter. So don't be afraid to change. Think of security (usable security) at the design level, and you will end up with a happy set of users who are not vulnerable to targeted, brute-force or common-word attacks.
Cheers !!