“People aren’t machines. People don’t have perfect recall.”: Why it’s time to get realistic about passwords and people

Sometimes the art that we create tells us more about who we really are than all of the academic, journalistic, and educational materials that purport to describe real life. When fifteen year old video games do a better job of explaining our day-to-day corporate security challenges, it’s an indictment on our ability as security professionals to solve people’s problems.  

You’ve probably heard the phrase “art imitates life.” That idea came up during a lazy family evening last month when my oldest noticed a classic video game was on sale in the Sony PlayStation store: Id Software’s beloved Doom 3 from 2004. My kid quipped “Only $4.99? I’d be a fool to not buy it!” So he did. He played through it an hour or two at a time in his evenings after work. Money well spent in two regards: first, he had a blast playing a retro title, and second, because it reinforced a valuable lesson regarding practical cybersecurity.

Am I serious? Absolutely!  

First, a quick aside: if you’ve never played any of the titles in the Doom franchise, their premise is simple enough that I can’t explain it any better than the Wikipedia summary: “Doom 3 is set on Mars in 2145, where a military-industrial conglomerate has set up a scientific research facility into fields such as teleportation, biological research, and advanced weapons design. The teleportation experiments inadvertently open a gateway to Hell, resulting in a catastrophic invasion of the Mars base by demons. The player character, Doomguy, an anonymous space marine, must fight through the base to stop the demons attacking Mars and reaching Earth.”

If that premise sounds implausible, well … sure. It’s a video game. The writers have to have the game’s monsters come from somewhere. Besides, a “gateway to Hell” beats the tired “generic alien invasion” or “foreign terrorists want to destroy America” tropes common to more modern game franchises.

I suspect that game designers love making their villains generic “terrorists” because the international visual shorthand of a figure in a dark hoodie or ski mask means that the artists have a lot less detail to draw, thereby cutting the cost of developing visually-interesting monsters.

Anyway, Doom 3’s story starts with the “Doomguy” arriving on his new duty station. He passes through several admin offices, meets people, gets issued equipment, etc., before the disaster begins. All of these mundane encounters are meant to acclimate the player to the Mars base environment. There are offices with people working diligently at computers and processing paperwork just like you’d expect from a modern military installation. As the game progresses, the player has to fight their way back to the HQ building through labs, garages, warehouses, etc., all the while exploring places where other humans had been dutifully working. If the player is inquisitive, they can read unlocked PCs, search through debris, read personal notes, and find other ways to learn about the backstory of the base, the evil corporation’s research, steal lost ID cards, and find people’s recorded passwords to computers, lockers, vaults, and airlocks.  

Yep. Even in 2145, people are expected to still be writing their passwords down so that they don’t forget them. I find that this is the most realistic part of the game, and I adore it for what it says about us. A century hence, security people are still going to be complaining about why their users can’t remember hundreds of unique, ever-changing strings of nonsense characters.

Silly as it seems, this is a real problem in contemporary business. The security awareness community has to address it directly, without any of the utopian “perfectly rational human” models taught in security certification study guides and business schools. First, the requirement for completely unique passwords and PINs is daunting when a user has dozens of accounts to manage. Second, the demand that passwords be reset every 30, 60, or 90 days compounds the problem to the breaking point. Lastly, the requirement that people memorize all of these strings is utterly unrealistic. People aren’t machines. People don’t have perfect recall. People are busy enough trying to live their lives; they don’t need this burden imposed on them.  

That’s why companies all need to be incorporating password manager applications into their enterprise architecture plans, while individuals incorporate them into their everyday lives. If you’re not familiar, a password manager is simply an application with an encrypted database that creates and/or stores randomized, highly-complex passwords for all of its owner’s accounts. The best versions allow a user to keep a version of the app (and its database) on their mobile phone, their personal PC, their tablet, etc. This allows the user to ensure that they never have to remember a 24-digit string of gibberish for an online shopping account that they haven’t accessed in three years. It’s a lifesaver for one person … and a network saver for a company. 
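To make the two jobs of a password manager concrete (generate random, high-complexity passwords; keep them in a database encrypted under one master passphrase), here is a small added illustration in Python. It is example code written for this article, not code from the article’s author or from any real password manager product. It uses only the standard library, so the vault cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen here as a stand-in for the AES-GCM or ChaCha20-Poly1305 a real product would use; the site name and master passphrase in `demo()` are constructed sample values.

```python
"""Minimal illustration of what a password manager does: generate random,
high-entropy passwords and keep them in a vault that is encrypted under a key
derived from one master passphrase. Added example, not a real product's code."""
import hashlib
import hmac
import json
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 24) -> str:
    """Random password drawn uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    A 24-character password over 94 symbols is about 157 bits, far beyond
    anything a person could be expected to memorise for dozens of accounts."""
    return length * math.log2(alphabet_size)


def derive_key(master: str, salt: bytes) -> bytes:
    """Stretch the master passphrase with scrypt (memory-hard) into 64 bytes:
    the first 32 for encryption, the last 32 for the integrity tag."""
    return hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher. Constructed
    for a stdlib-only demo; a real product would use AES-GCM or ChaCha20-Poly1305."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(entries: dict, master: str) -> bytes:
    """Encrypt-then-MAC the JSON vault. Layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob: bytes, master: str) -> dict:
    """Verify the tag first (a wrong master passphrase or tampering raises), then decrypt."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed: wrong master passphrase or tampered data")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def demo() -> dict:
    """Store one generated credential, seal the vault, reopen it with the master passphrase."""
    # Constructed sample values; the user remembers only the master passphrase.
    vault = {"shop.example (constructed)": {"user": "alice", "password": generate_password(24)}}
    blob = seal_vault(vault, "correct horse battery staple")
    return open_vault(blob, "correct horse battery staple")


if __name__ == "__main__":
    print(f"24-char password has about {entropy_bits(24):.0f} bits of entropy")
    print(demo())
```

The design point is the one the paragraph makes: the user memorises a single master passphrase (stretched with a memory-hard KDF so that offline guessing is expensive), and every other secret is random, unique per account, and never needs to be recalled or written on paper. Syncing the sealed blob across phone, PC and tablet is safe only because the tag is checked before anything is decrypted.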

Remember: the ideal operations tempo for a Security Operations Centre is zero. If all of your enterprise security controls are deployed and working as-intended, there should be no breaches for the SOC analysts to respond to. It isn’t going to happen, but it’s what we’d all love to achieve someday.  

Smart organisations will not only fund password manager applications as part of their standard suite of information system credential defence controls, they’ll also allow their users to use the company-provided application both at home and at work. This helps the user protect themselves 24/7, no matter where they are or what they’re working on.  

Savvy organisations will take this a step further and transfer the application license directly to the employee rather than demand that it be returned upon departure. Think of it like a company-branded coffee mug … Most companies don’t demand those back when an employee resigns. Password manager applications should be treated the same way: gift it to the employee as a perquisite of joining, make its use mandatory, then deprovision their company credentials when the user leaves without nullifying their personal continued use of the tool. This will greatly increase people’s enthusiasm for using the tool, since they know that their time spent with it won’t be wasted.  

The alternative is to keep trudging along with the current system: demand that people achieve a superhuman performance standard, then get irate with them when they take obvious, practical measures to meet the desired standard (e.g., hundreds of unique and ever-changing passwords) while compensating for the inherent flaws in human memory (i.e., write all your credential sets down where they can be discovered, stolen, copied, lost or destroyed).  

Art imitates life. If anything is going to doom our essential security controls, it’s continuing to employ mandatory controls that history has proven are ineffective and counterproductive. That’s true today; it’ll still be true in 2145.  

Copyright Lyonsdown Limited 2021
