The problem with passwords

In 2009, Marsha and Michael Shames-Yeakel sued Citizens Bank in the United States over the loss of $26,500 taken from their home equity line of credit after a successful phishing attack. The plaintiffs' position, successfully argued, was that the bank had not adequately protected them because it had not implemented the FFIEC guidance on two-factor authentication (2FA) for Internet banking access. The case has significant implications in the United States, where the majority of banks are still to implement 2FA. In the EU, two-factor has been common for some time and is a legislated requirement for both Internet banking and SEPA. However, we're becoming increasingly aware of the weakness of basic security built around passwords or PINs. While 2FA is a good solution right now, the chink in the armour is clearly the password mechanism itself. I thought I'd share some research and thoughts on this that are good principles to apply when you're looking at digital security in the user experience.

Common passwords are a big security risk

Joseph Bonneau, Sören Preibusch and Ross Anderson analysed 32 million passwords stolen from the RockYou social gaming website in 2009 and around 200,000 iPhone unlock codes, then carried out an online survey of more than 1,100 people, in what they claim is the first quantitative analysis of how hard it is to guess cardholder-chosen four-digit banking PINs. They found that a thief can expect to guess the PIN of about 1 in 11 stolen cards, largely because of the reuse of classics like 1111 and 1234 (and of birthdates, which a thief can often read off the documents in the same wallet).

SplashData likewise analysed millions of passwords used in eCommerce and Internet banking fraud, and found that the most common passwords are also the ones most readily used to execute fraud. SplashData built its ranking of the 'worst passwords for 2011' from millions of stolen passwords posted online by hackers. Here is the complete list:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd (with a zero in place of the letter 'o')
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

So one might conclude from this that issuing a more complex PIN, forcing customers to cycle passwords, or requiring, say, one capital letter and a mix of letters and digits would make Internet banking safer and more secure. Actually, you'd be wrong. There's a false economy there.
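The practical lesson from the list above is that a password should be screened against what attackers actually guess, not against a character-class rule. The following is an added example (not code from the original post, nor from SplashData) that uses the 25 entries above as a constructed blocklist, tries the same cheap variations a cracker's mangling rules would (case, leetspeak, a trailing run of digits or symbols), and puts that beside the kind of complexity rule the text warns against. The variant rules and the `screen` wording are my own assumptions.

```python
"""Blocklist screening for candidate passwords, contrasted with a complexity rule."""
import re

# Constructed from the SplashData 2011 list reproduced above.
SPLASHDATA_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]
BLOCKLIST = frozenset(SPLASHDATA_2011)

# Undo the substitutions a cracker's mangling rules try first ("passw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def variants(pw: str) -> set:
    """Forms of `pw` a guesser would also try: lowercased, de-leeted, and with any
    trailing run of digits/symbols removed ("Monkey2012!" -> "monkey")."""
    base = pw.strip().lower()
    out = {base, base.translate(LEET)}
    for v in tuple(out):
        core = re.sub(r"[^a-z]+$", "", v)
        if core:                      # keep "123456" itself; don't reduce it to ""
            out.add(core)
    return out


def is_blocklisted(pw: str, blocklist=BLOCKLIST) -> bool:
    """True if the password, or an obvious variant of it, is on the blocklist."""
    return any(v in blocklist for v in variants(pw))


def passes_complexity_policy(pw: str) -> bool:
    """The kind of rule the text warns against: 8+ chars, upper, lower, digit, symbol."""
    return all([len(pw) >= 8,
                re.search(r"[A-Z]", pw),
                re.search(r"[a-z]", pw),
                re.search(r"[0-9]", pw),
                re.search(r"[^A-Za-z0-9]", pw)])


def screen(pw: str) -> str:
    """Reject blocklisted passwords regardless of how 'complex' they look."""
    if is_blocklisted(pw):
        return "reject: matches a known-common password"
    return "accept"


if __name__ == "__main__":
    for pw in ("Passw0rd1!", "Monkey2012", "correct horse battery staple"):
        print(f"{pw!r:32} complexity={passes_complexity_policy(pw)!s:5} {screen(pw)}")
```

`Passw0rd1!` satisfies every box a complexity policy ticks and is still one leet-substitution away from the number one entry; a passphrase with no digits or capitals fails the policy and is not on the list at all. In production the blocklist would be a large breached-password corpus rather than 25 entries, but the check is the same.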

Longitudinal analysis of password behavior

Between 2004 and 2006, Peter Brooks and Michael Armstrong at HSBC eCD (the e-Channel Department, as it was then known), along with myself and David Jacques, ran a series of usability tests looking at password interaction and memory load. We tested multiple password mechanisms in a champion/challenger environment with retail banking customers, filmed the encounters, and also used HSBC call centre staff to test the impact of the various mechanisms over a period of 6-8 weeks, to see what role memory played in security interactions.

What we found is essential learning for anyone working on digital channels today and trying to improve security. There were many interesting findings, but here are four I'd like to share:

Two-Passwords and the Memory Load Problem

We tested a normal user ID and password combination, then added a second password. We tried calling it a secret word, a verification word and a second password. Users frequently confused the two passwords and were unsure which order to enter them in. Secondly, the additional memory load meant that around 30% of customers wrote down their second password or stored it in a plain text file, so they could look it up later if they forgot it.

At the time we asked the usability guru Don Norman for his input on what we were observing, and he gave us a classic quote that is highly applicable to the password security debate:

“The more secure you try to make a system, the less secure it is likely to become” – Don Norman, Nielsen Norman Group

We saw over and over again that when you made a password hard to remember, people found workarounds: Post-it notes on the monitor, plain text files on the desktop, a memo on their smartphone. The harder it was to remember, the more people resorted to the least secure mechanisms to recall it. This played into our second use case as well.

When you increase memory load, people use workarounds which reduce security

The random letter selector

In the tests we also had users try a mechanism I've seen in use occasionally, which asks for, say, the 2nd, 5th and 7th characters of the password rather than the whole thing. The rationale offered by security experts is that someone running a network sniffer or a keystroke logger never learns the entire password from any one session. Two caveats are worth keeping in mind: an attacker who observes a handful of logins still assembles the whole password, a few positions at a time, and the server can only check individual characters if it holds the password in recoverable form rather than as a one-way hash. In our testing, though, the immediate problem was memory load. How did users react when asked to pick out individual letters of their password?

“If you ask me for the 3rd or 5th character in my password or if I had to break it into chunks, I’m probably going to have to write it down” – HSBC customer during a usability test

Again memory load reared its ugly head. By increasing the effort needed to remember a password or break it into chunks, we prompted customers to write the password down or type it into a plain text file on screen again. Once again, by attempting to make the system more secure, we introduced workarounds that dramatically decreased security.
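To make the partial-password trade-off concrete, here is an added example (not code from the original post, and not how HSBC or any bank implements the scheme) that plays both sides: the server's per-position check, and a passive observer who logs each challenge and response and counts how many logins it takes to learn the whole password. The exact expectation is worked out with the same hypergeometric recurrence the simulation samples from; the password, positions and the 3-of-8 parameters are constructed for illustration.

```python
"""Partial-password ('give us characters 2, 5 and 7') verification, and how quickly
a passive observer recovers the whole password."""
import hmac
import random
from math import comb


def challenge_positions(length: int, k: int, rng: random.Random) -> list:
    """Server picks k distinct 0-based positions to ask for on this login."""
    return sorted(rng.sample(range(length), k))


def verify_partial(stored_password: str, positions: list, response: str) -> bool:
    """Server-side check. Note what it needs: the characters of the stored password
    itself. A one-way hash of the whole password cannot answer a per-position
    question, so the secret has to be kept in recoverable form."""
    expected = "".join(stored_password[i] for i in positions)
    return hmac.compare_digest(expected.encode(), response.encode())


def sessions_until_recovered(password: str, k: int, rng: random.Random) -> int:
    """Attacker logs every challenge/response pair (keylogger, sniffer) and counts
    logins until every position of the password is known."""
    known = {}
    sessions = 0
    while len(known) < len(password):
        sessions += 1
        positions = challenge_positions(len(password), k, rng)
        response = "".join(password[i] for i in positions)   # victim answers correctly
        known.update(zip(positions, response))
    return sessions


def expected_sessions(n: int, k: int) -> float:
    """Exact expectation of the count above. With j positions already known, a
    challenge of k distinct positions reveals m new ones with hypergeometric
    probability C(n-j, m) C(j, k-m) / C(n, k); solve E[j] backwards from E[n] = 0."""
    total = comb(n, k)
    e = [0.0] * (n + 1)
    for j in range(n - 1, -1, -1):
        p_no_new = comb(j, k) / total          # every asked position already known
        acc = 1.0
        for m in range(1, min(k, n - j) + 1):
            acc += comb(n - j, m) * comb(j, k - m) / total * e[j + m]
        e[j] = acc / (1.0 - p_no_new)
    return e[0]


def simulated_sessions(n: int = 8, k: int = 3, trials: int = 3000, seed: int = 7) -> float:
    """Monte Carlo estimate to check the closed form (only the length matters)."""
    rng = random.Random(seed)
    password = "x" * n
    return sum(sessions_until_recovered(password, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Constructed password; positions 1, 4, 6 are the "2nd, 5th and 7th" characters.
    print(verify_partial("s3cretpw", [1, 4, 6], "3ep"))
    print(f"exact: {expected_sessions(8, 3):.2f} logins, "
          f"simulated: {simulated_sessions():.2f} logins")
```

For an 8-character password with 3 positions per login, a watcher needs only a handful of observed sessions, not dozens, before the whole password is in hand. Raising the character count per challenge speeds that up; lowering it raises the memory load the usability tests describe.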

Online Password Reset (OLPR) Questions

This mechanism is still in use today by many banks, social networks and the like: if you forget your password, you answer some questions that only you are supposed to know the answers to, such as your mother's maiden name, the name of your first pet, your first school, the city you were born in, or your favourite movie.

In longitudinal testing over a 2-6 week period, we found a failure rate of more than 50% with this method, for two reasons. First, many of the questions, such as favourite movie or favourite book, were subjective, and the answers changed from week to week. Second, the 'answer' was entered inconsistently: for mother's maiden name, people got the capitalisation wrong; for first school, they sometimes appended the word 'school' to the name and sometimes didn't; for city of birth, the answer drifted between a local suburb or borough and the nearest main city.

'Secret' questions for recalling your forgotten password, have massive failure rates above 50%

The OLPR method proved to be a massive headache, creating more customer support and service calls than it saved. We had adopted OLPR to stop people calling the call centre to reset their password, but in fact it produced a significant net increase in call centre calls.
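Part of that failure rate is avoidable and part is not. The second class of failures above (case, punctuation, an appended 'School', stray whitespace) disappears if the answer is normalised before it is hashed at enrolment and at check time; the first class (a favourite that changed, a suburb given one week and the city the next) cannot be fixed by any amount of normalisation. The following is an added example (not code from the original post, nor from any HSBC system) of such a normaliser in front of a salted PBKDF2 hash. The noise-word lists and the iteration count are my own assumptions.

```python
"""Normalise security-question answers before hashing, so harmless variation in how
the same fact is typed ('St. Mary's School' vs 'st marys') is not a wrong answer."""
import hashlib
import hmac
import os
import re
import unicodedata

LEADING_NOISE = {"the", "a", "an"}
# Generic words users add or drop at random ("Grange" / "Grange School").
TRAILING_NOISE = {"school", "primary", "secondary", "high", "college", "academy",
                  "city", "town"}


def normalize_answer(answer: str) -> str:
    """Fold case, accents, punctuation, whitespace and generic noise words."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # José -> Jose
    s = s.replace("'", "").replace("\u2019", "")                     # Mary's -> Marys
    s = re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()               # punctuation, case
    words = s.split()
    while words and words[0] in LEADING_NOISE:
        words.pop(0)
    while len(words) > 1 and words[-1] in TRAILING_NOISE:
        words.pop()
    return " ".join(words)


def enroll(answer: str, salt: bytes = None) -> tuple:
    """Store only a salted PBKDF2 hash of the normalised answer, as for a password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)
    return salt, digest


def check(answer: str, salt: bytes, digest: bytes) -> bool:
    """Re-normalise the supplied answer and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll("St. Mary's School")                 # constructed answer
    print(check("st marys", salt, digest))                      # same fact, different typing
    # Not fixable by normalisation: a different fact.
    print(normalize_answer("Manhattan") == normalize_answer("New York City"))
```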

Onscreen keyboards and tokens

We tested mechanisms such as on-screen keyboards and one-time password tokens (password generators). Of these, the token was the only one that could be added reliably to the standard user ID/password system without creating workarounds that degraded either the user experience or actual security.

Hence, HSBC was one of the first global banks to introduce one-time password tokens, from Vasco, back in 2004. Two months after the tokens were introduced, phishing fraud had dropped through the floor, and the initial spike in support calls had returned to normal.
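The reason a token resists phishing where a password does not is that each code is derived from a secret the user never types and is only good once. The following is an added example, not code from the original post and not Vasco's or HSBC's implementation, of the open HOTP algorithm (RFC 4226) that event-based tokens of this kind follow, the time-based TOTP variant (RFC 6238), and the server-side verification a practitioner has to get right: a look-ahead window for codes generated but never submitted, and a moving counter so an intercepted code cannot be replayed. The secret is the RFC's published test secret; the window size is an assumption.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by one-time-password tokens, with the
server-side look-ahead window and replay handling."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slots."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


class HotpVerifier:
    """Server state for one event-based token. A code is accepted only if it matches
    one of the next `window` counters; the counter then moves past it, so the same
    code can never be replayed. The window absorbs presses that never reached us."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret, self.window, self.digits = secret, window, digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1       # everything up to c is now burned
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_SECRET, c))           # 755224 287082 359152 per the RFC
    v = HotpVerifier(RFC_SECRET)
    print(v.verify("755224"), v.verify("755224"))   # accepted once, then rejected as a replay
```

A phished code is only useful to the attacker until the legitimate user submits a later one, and not at all once the server has moved its counter past it; that is the property that made the fraud numbers fall. The window is the usual operational trade-off: too small and a user who pressed the button a few times locks themselves out, too large and an attacker with one captured code has more time to use it.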

Conclusions

Clearly we're entering an era (or should that be error?) where the simple user ID and password combination is no longer secure or robust enough to cope with the myriad access points we use digitally. Increasing memory load by forcing specific password formats, asking for chunks or individual characters of a 'word', or adding extra secret words or passwords is a costly mistake in the user experience: it invariably increases support costs and reduces actual security because of workarounds.

In this light, the viable short-term solution is still two-factor authentication. Longer term, biometrics (voice, facial or fingerprint recognition) that replace passwords altogether are the ultimate solution.

Whenever you ask people to remember a password to access a system, you are inviting risk. Like cash, cheques and branches, passwords are not long for this world.

Comments

  1. Eduardo says:

    Excellent material. I am an IT Auditor. Perfect for my job. Thanks.

  2. Bloodshot says:

    I think it’s more that you need to hammer it into people’s heads that long, remembered passwords are IMPORTANT. Very few people are not able to remember a sequence of characters and symbols that’s around 25 long. The alphabet is 26.

    • brettking says:

      Bloodshot,

      You’re right, except there’s a cumulative memory load effect with longer passwords too. It’s not about one password that’s long. The more passwords you have to remember, or the longer they are (in a group of passwords you have to remember), the same ‘workaround’ mentality ends up coming into play, or users choose a few common passwords that they cycle – again both result in lower security over time.

      BK

  3. Great article.

    However, you are missing the cost of password management (see http://www.mandylionlabs.com/PRCCalc/PRCCalc.htm). Another aspect is the existing cost of 2FA tokens in the marketplace, notwithstanding the fact users lose their tokens or they are useful for only one or two access points.

    Our company has developed a 2FA for smartphones and tablets. Millions of users in SMBs and Enterprise already have smartphones for mobile email and cellular services. A natural progression is its use as a 2 Factor Authentication device. Our LoginTC app installs on iOS, BlackBerry or Android platforms, it supports multiple credentials, it’s tamper proof, and the user experience is the best in the industry. The LoginTC credential is ideal for online banking, cloud apps, portals, and secure websites.

    The user doesn’t need a password. The LoginTC credential is protected by a PIN (similar to ATM PIN) and to avoid fraud or stolen devices, the credential is rendered inoperable after multiple attempts to enter the PIN.

    The price per user is under $6 a year and the app is free to download from the App World, the App Store, and the Android and Amazon Marketplaces. This is the future of online access.
