Passwords and Complexity - Part I

Chris Cassell, Technical Team

Category: Security Blog

Life is pretty complicated, so it is one of those ironies of existence that, with the progress of technology, we have in some regards managed to make things much, much harder for ourselves. It's the wonderful world of security I'm talking about, that word that makes most people roll their eyes and sigh despondently. Honestly? In the case of passwords I can totally understand it.

Your average person has between 7 and 22 accounts. Think about it for a moment. One for your computer itself, one for your web e-mail, one for your phone, e-banking, Facebook, Twitter, Amazon, eBay, PayPal… The list goes on. We all have a whole ream of passwords that we have to remember to access the wonderful world of things that make life work nowadays.

Okay, so what's the problem? You have, say, 20 accounts, so you have to remember 20 bits of information, right? Well, if you're an average person you have a vocabulary of somewhere between 20,000 and 35,000 words! If you're an avid reader, probably considerably more. If you can remember all those words, how can it be so hard to remember 20 more pieces of information?

It all comes down to a process called encoding and that tricky little devil the hippocampus, and it's quite literally mind games. Essentially our brain has, if you'll pardon the pun, a mind of its own as to what it will remember. Everything gets placed in short-term memory (RAM, for the geeks) and we can work with that: you hear a password and you keep repeating it to yourself as you head for your desk, keeping it alive in your short-term cache. You sit down and you can even type it, get in and work! Congratulations, you've mastered something monkeys can do.

Play the game again: you get told a password, you head for your desk, and someone asks you if you want a drink. You spend a moment deciding tea or coffee (if you are civilised it's always tea), you place your order, you head to your desk and you sit there staring at a password prompt. It's gone. Maybe the monkeys are on the wrong side of the fence at the zoo, eh?

The reason I keep mentioning our primate friends is that our brains aren't actually that different from theirs: we learn and we retain information that's meaningful, that has a purpose to us. For them, if it gets food, it's important. For us, our version of useful is a lot broader, but it still matters.

When you walk to your desk remembering that 10-character randomly generated password, the reason you have to keep repeating it to yourself is that it's meaningless at that moment. Just a string of letters and numbers and special characters that, to our not-far-past-monkey minds, has no value. When you've used a password for a while you'll start to remember it, because it starts to have value: it means your e-mail, it means your access to kitty pictures on that site. It becomes muscle memory and you can likely type it automatically after a while. Cool, eh?

Well. Nope. Not actually that cool, because in the future you need to make a new password when the old one expires, and you do that… and you keep typing your old one. Because that old one is the one that means something. You have to go through the painful process of doing it all again: re-associating the meaning from one load of junk characters to another load of junk characters.

Because you're using junk characters, right? You're not using a word, a pet's name, a date of birth or just Passw0rd. Because they're really easy to guess and you might as well not have one!

Annoying, isn't it! You can't use something you can easily remember, as that's too easy to guess! But you can't remember the stupid password that looks like it's written in Klingon either, because it's meaningless. So you write it down, or you just say to hell with it and make it something easy anyway, because you're human and you need to do a task and security is getting in the way.
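The post's list of bad choices (a dictionary word, a pet's name, a date of birth, or a word with a digit swapped in such as Passw0rd) is exactly what a defender-side password screen should catch. The following is an added example written for this page, not code from the original post or its author: a small screen that undoes common leetspeak substitutions, strips trailing digits and punctuation, and checks the result against a word list and a date-of-birth pattern. It also contrasts the entropy of a genuinely random 10-character string with that of a word picked from the post's 35,000-word vocabulary. The word and name lists are constructed for the demonstration; a real deployment would use a large dictionary and a breached-password list instead.

```python
import math
import re
import string

# Constructed sample lists for the demonstration; a real screen would load a
# large dictionary and a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}
PET_NAMES = {"fluffy", "rex", "tiddles", "bella"}

# Substitutions people use to "harden" a word: Passw0rd, P@ssw0rd, dr4gon ...
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Dates of birth as dd/mm/yyyy or yyyy-mm-dd, with or without separators.
DATE_PATTERNS = [
    re.compile(r"^(0?[1-9]|[12]\d|3[01])[/.-]?(0?[1-9]|1[0-2])[/.-]?(19|20)\d\d$"),
    re.compile(r"^(19|20)\d\d[/.-]?(0?[1-9]|1[0-2])[/.-]?(0?[1-9]|[12]\d|3[01])$"),
]

MIN_LENGTH = 8   # policy thresholds chosen for the example
MIN_BITS = 36.0


def candidates(pw: str) -> set:
    """Forms of the password a guesser would try first: lower-cased, leetspeak
    undone, and trailing digits/punctuation removed, in both orders."""
    low = pw.lower()
    undone = low.translate(LEET_MAP)
    trimmed = low.rstrip(string.digits + string.punctuation)
    return {low, undone, trimmed, trimmed.translate(LEET_MAP),
            undone.rstrip(string.digits + string.punctuation)}


def estimated_bits(pw: str) -> float:
    """Entropy of pw *if* it were chosen uniformly at random from the character
    classes it uses: len * log2(pool). Only meaningful for genuinely random
    strings; a dictionary word is rated by word_bits() instead."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def word_bits(vocab_size: int = 35000) -> float:
    """Entropy of picking one word from a vocabulary: log2(vocab_size).
    For the post's 35,000-word vocabulary that is about 15 bits, whatever the
    word's length, versus roughly 65 bits for a random 10-character string."""
    return math.log2(vocab_size)


def check_password(pw: str) -> list:
    """Return the reasons a password fails the screen (empty list = passes)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(p.match(pw) for p in DATE_PATTERNS):
        reasons.append("looks like a date of birth")
    hits = candidates(pw) & (COMMON_WORDS | PET_NAMES)
    if hits:
        reasons.append("looks like a common word or name: " + sorted(hits)[0])
    elif estimated_bits(pw) < MIN_BITS:
        reasons.append("too little entropy even if random")
    return reasons


if __name__ == "__main__":
    # Constructed samples: three of the post's bad choices and one random string.
    for sample in ("Passw0rd", "Fluffy1!", "14/07/1985", "x7$Kq2!mZp"):
        verdict = check_password(sample) or ["ok"]
        print(f"{sample:12} bits={estimated_bits(sample):5.1f}  {', '.join(verdict)}")
    print(f"one word from a 35,000-word vocabulary: {word_bits():.1f} bits")
```

The entropy figure deliberately applies only after the word-list check fails: Passw0rd scores a respectable 47 bits on character classes alone, which is exactly why class-based complexity rules give a false sense of safety, and why the screen normalises the candidate first.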
