Solving Security Fatigue: Four Ways to Improve Password Use
Passwords are no longer enough to adequately secure a system. Here's what your enterprise needs to do to improve security without antagonizing users.
- By Brian J. Dooley
- December 6, 2016
People are getting tired of security measures. According to a recent report by the National Institute of Standards and Technology (NIST), security fatigue is a growing phenomenon that may cause users to dismiss the importance of security altogether.
On average, users access about 20 secured sites regularly. Security fatigue is created by unexpected and unusual demands for passwords that include specifications that are difficult to meet and difficult to remember. Users give up, feeling that fulfilling these requirements gets in the way of the access they require.
For businesses and individuals alike, there is a trade-off between ease of access and security. You need to be able to enter multiple sites or tools simply and quickly, but it is extremely important to guard your identity and ensure that no one can gain access to your information or your accounts.
Here are four suggestions for how you and your enterprise can better secure your systems while avoiding security fatigue.
1. Use a Multiple-Factor Password System
Shaun Murphy is the CEO of security communications startup SNDR. He has been employed in the communications and security sector for the past 25 years. SNDR focuses on highlighting privacy and security issues, tech solutions, user education, and solving issues in communications security.
According to Murphy, the biggest risk with password security is in the nature of the password itself. "A password is something shared between you and an app; it lets you prove that you are who you say you are. If someone discovers your userid and password, they can pretend to be you. This is a fundamental flaw. Security systems will provide various tests for passwords, but people's behavior will not change. Bad habits in password use will always put you at risk."
The problem is that a password alone doesn't guarantee that you are who you say you are. It is very easy to discover passwords or infer them from other information. To prevent this, most security systems today are moving toward multiple-factor systems.
He explains that with a two-factor password system, instead of just entering a password, the application will ask for a second code which may be generated by the app itself and emailed to you. You know the password and you have something assigned to you as well. If someone else only knows your password, they cannot log into the system. "When two-factor systems are offered, it is important that people actually turn on the second factor," Murphy cautions.
Remembering or creating multiple passwords wouldn't solve security fatigue, which is why multifactor authentication systems are often based on a password and an additional factor. The three basic types of authentication factors are:
- What you know: A thing that you know (such as a password or a secret)
- What you have: Something that you physically have in hand, such as a mobile phone
- What you are: A physical characteristic or biological marker such as your fingerprint or voiceprint
A recent study by TeleSign, a mobile identity solutions provider, found that 69 percent of security professionals believe usernames and passwords alone no longer provide sufficient security, and 72 percent predicted that passwords would be phased out within nine years.
According to Ryan Disraeli, cofounder of TeleSign, "The vast majority of security professionals no longer trust the password to do its job. Thankfully, most companies aren't resigning themselves or their users to password-only account security. They are implementing two-factor authentication in droves and newer technologies such as behavioral biometrics are emerging to address many of the concerns developers have around adding new tech to their applications."
2. Classify Your Site Access
When you are asked to create a new password, it can help to segregate your access into at least three tiers.
"In a three-tier system, first create a top security classification for financial sites and sites handling personally identifiable information," says Murphy. "For these sites you need to use an extremely secure password with two-factor identification. For this limited number of sites, complex passwords are not too difficult to remember.
"At the second level, any communications product should also be strongly secured -- but not quite at the level of the first tier.
"The bottom tier is made up of miscellaneous sites that are neither financial nor communications. Here, you can have your modern browser remember the password and even create a unique password for you. If your password is compromised, it will be unique and won't cascade into other services."
The chief problem with browser- or system-based automatic password systems is use of the sites with multiple devices. You may not know the password that is in use, so access may be disabled if devices are not synchronized.
3. Create Secure and Memorable Passwords
It's unlikely that the need to create passwords will go away, even with password vault software, single sign-on, biometrics, and automatic password generation. There are always cases where there are too many devices, where there are several operating systems, or where connectivity is lacking. Knowing how to create a password that can both be remembered and provide a high degree of security is a useful art that makes it a little bit easier to avoid security fatigue.
- Use a multiple word solution. A small phrase that combines characters and numbers can create a highly secure password which is easily remembered and is not easily subject to attack. A phrase such as My7walrustoes is easy to remember, provides graphic hints that aid memory, and is very secure.
- Create a template that assigns variable items in a mechanized way. This can help with maintaining different passwords for multiple sites while still being secure and memorable. You can, for example, use the first three letters of the domain, followed by the first two letters of a hobby and the day of the month your grandmother was born. For example, BjdGui27.
- Use a "book code," where the password contains a page and paragraph reference, perhaps also the first word to a familiar passage in a known book. One clever variation is to create a password based on a biblical passage with a mixed character uppercase lowercase reference: CorinthLove13:4-7.
Any repeatable system that provides a secure password will do. Remember, the worst approach of all is to have no system and use the same password over and over.
4. Create a Corporate Solution
Security is increasingly critical, and passwords are an important tool that will be with us in some form -- at least for the immediate future. Vigilance is crucial at all times. Understanding that passwords are valuable and must never be repeated across the Web is the most important lesson. Second, always try to use a multiple-factor solution, which removes the password from most common intrusion mechanisms. The hacker would need to know, counterfeit, or obtain the additional security item such as the mobile phone or the biological marker.
The NIST study recommended three ways to ease security fatigue:
- Limit the number of security decisions users need to make
- Make it simple for users to choose the right security action
- Design for consistent decision making wherever possible
According to Murphy, "There is a balance that companies need to keep in mind. Passwords need to be strong within reason and accessibility needs to be within reason. It is important to encourage users to come up with good passwords, but it is also important to avoid being overbearing and causing people to write passwords down.
"Businesses really need to both take a technological step forward and educate their employees. A five-minute email about security made a part of every new employee orientation is a good start. Train your employees, and benefit the company, but benefit the users, too."
Brian J. Dooley is an author, analyst, and journalist with more than 30 years' experience in analyzing and writing about trends in IT. He has written six books, numerous user manuals, hundreds of reports, and more than 1,000 magazine features. You can contact the author at firstname.lastname@example.org.