Talking Usability: There’s No Such Thing as a User-Friendly Password

By David Dick, Fellow

Passwords are required for almost every kind of online activity to authenticate the user. One thing is certain: until technology provides a better alternative to passwords, we must learn to create strong passwords and remember them in order to safeguard our personal data from hackers.

One way to avoid the effort of remembering passwords is to check the box labeled “Remember Me.” “Remember Me” works well on mobile devices because the keys on the keyboard are often too small to enter a complex password. Just remember to set a lock code on the phone so that a thief who steals it cannot reach the data. Come to think of it—many people do not use lock codes on their mobile devices because it’s another number to remember.

Although there is an international standard for the definition of product usability (ISO 9241), there is no corresponding standard definition for password usability. In “Users are not the enemy,” Adams and Sasse identify three usability characteristics that users desire of passwords: easy to remember, usable across multiple systems, and rarely changed. You will learn why these desired characteristics do not contribute to creating and managing strong passwords.

If you have ever forgotten a password and created a new one, you have seen these four guidelines:

  1. Use at least eight characters; a combination of numbers and letters is best.
  2. Do not use the same password you have used with us previously.
  3. Do not use dictionary words, your name, e-mail address, mobile phone number or other personal information that can be easily obtained.
  4. Do not use the same password for multiple online accounts.

If you are like me—you ignored the guidelines and created an easy-to-remember password. But do you know why these guidelines are important and why you need to adhere to them?

Use at least eight characters; a combination of numbers and letters is best. Most password fields are not limited to a fixed eight-character length. Nevertheless, we create eight-character passwords because they are easier to remember. Unfortunately, an eight-character password is less secure than a password containing 16 or 24 alphanumeric characters with dashes and special characters. The password “love1234” is weak, but easy to remember. A password that uses letters from a phrase such as “I’ll see you at the STC Summit, May 2017,” written as “ilL-cu-@-stc-SumiT-05/2017,” is not only easy to remember but also a strong password.

Do not use the same password you have used with us previously. If the website was successfully hacked before, there is a strong probability that the hackers will try the same passwords to hack the website again. Thankfully, most websites prevent users from reusing a password when they request a new one. If you got around that check by adding a number to the end of your old password, the next guideline becomes important.

Do not use dictionary words, your name, e-mail address, mobile phone number or other personal information that can be easily obtained. One of the methods hackers use to gain access to users’ data is a “dictionary attack,” a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase from hundreds or sometimes millions of likely possibilities, such as words in a dictionary. Ironically, many websites allow users to use names, e-mail addresses, mobile phone numbers, and other personal information as user names. If developers implement a method to measure the strength of a password, allow users to select a system-generated password, and define rules to check for dictionary words, e-mail addresses, or phone numbers, then the password is one step closer to being “hacker proof.”

Do not use the same password for multiple online accounts. We are likely to use the same password because we don’t want to burden ourselves with remembering too many passwords. Hackers attack multiple online accounts by reusing stolen user credentials (user name and password) in hopes of getting a match. If we use the same password for multiple online accounts, we help the hackers and put ourselves at risk of having our data stolen. Even worse, our account could be held for ransom until we pay a fee to release it.
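The four guidelines above are what a registration form should enforce on the server side. As an added example, not part of this article or the author's work, the Python script below applies them as a policy check: minimum length with a letter/number mix, reuse of previous passwords (compared against salted PBKDF2 hashes so old passwords are never stored in plaintext, and also catching the “add a number at the end” trick when the old password had no trailing digits), dictionary words, e-mail addresses, phone numbers and personal information, plus a crude search-space estimate for comparing candidates. The word list, regular expressions, function names and sample passwords are constructed for the example; the estimate treats every character as independent, so it overstates the strength of a phrase-derived password and is only useful for ranking candidates, not as a guarantee.

```python
import hashlib
import hmac
import math
import os
import re
import string

# Constructed mini word list for the dictionary check; a real deployment would
# load a full word list (and, ideally, a list of passwords seen in breaches).
COMMON_WORDS = {"love", "password", "summit", "welcome", "monkey", "dragon"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Ten-digit phone number with optional separators (constructed pattern).
PHONE_RE = re.compile(r"(?<!\d)\d{3}[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest, so previous passwords can be kept for the
    reuse check without storing them in plaintext. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def was_used_before(password, history):
    """history: list of (salt, digest) pairs produced by hash_password().
    Besides the exact password, the form with trailing digits stripped is
    tried, so "oldpass" -> "oldpass1" is caught. This is a heuristic: it does
    not catch "oldpass1" -> "oldpass2"."""
    candidates = {password, password.rstrip(string.digits)}
    for salt, digest in history:
        for cand in candidates:
            if cand and hmac.compare_digest(hash_password(cand, salt)[1], digest):
                return True
    return False


def search_space_bits(password):
    """Crude upper bound on brute-force work: length * log2(alphabet), where the
    alphabet is the union of the character classes present. Every character is
    assumed independent, so phrase-derived passwords score higher than they
    deserve; use it only to compare candidates."""
    classes = (
        (26, any(c.islower() for c in password)),
        (26, any(c.isupper() for c in password)),
        (10, any(c.isdigit() for c in password)),
        (len(string.punctuation), any(c in string.punctuation for c in password)),
    )
    alphabet = sum(size for size, present in classes if present)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, username="", history=(), personal_info=()):
    """Apply the four guidelines; returns a list of violations (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("does not combine letters and numbers")
    if was_used_before(password, history):
        problems.append("reuses a previous password")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if EMAIL_RE.search(password):
        problems.append("contains an e-mail address")
    if PHONE_RE.search(password):
        problems.append("contains a phone number")
    for item in (username, *personal_info):
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's previous password, stored only as a hash.
    history = [hash_password("oldpass")]
    for candidate in ("love1234", "oldpass1", "ilL-cu-@-stc-SumiT-05/2017"):
        verdict = check_password(candidate, username="david", history=history)
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"{'OK' if not verdict else '; '.join(verdict)}")
```

Running the script shows “love1234” rejected for containing a dictionary word at roughly 41 bits of search space, “oldpass1” rejected as a reuse of “oldpass”, and the phrase-derived password accepted at roughly 170 bits; the real strength of the last one is lower than that figure because the phrase has structure, which is why the estimate is only a ranking tool.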

Online retailers make the registration process simple by allowing easy-to-remember passwords and security questions so as not to frustrate users; however, ease of recall comes at a risk. Strong passwords can slow or often defeat the various attack methods used to compromise a computer’s security. Until technology provides a better substitute for passwords, the need for strong passwords is not going away, and neither is the pursuit of user-friendly passwords. Maybe an amendment to ISO 9241 is necessary to create a standard definition for password usability.

References

Griffith, Eric. “Password Protection: How to Create Strong Passwords.” PC Magazine, November 29, 2011.

Adams, A., and M. A. Sasse. “Users are not the enemy.” Communications of the ACM, vol. 42, no. 12 (December 1999), pp. 40–46. http://dx.doi.org/10.1145/322796.322806.
