November 30, 2008

BCTIA Tech Experts
Written By Vaclav Vincalek

The human factor can make secure identity management for individuals and organizations a very tough challenge.

There’s a classic scene in the popular TV sitcom Seinfeld where Kramer tries to figure out George’s secret password. Through a process of deduction, Kramer starts getting very close to the secret word (“Bosco”, a chocolate sauce George likes to pour on his cereal). “Ovaltine! Hersheys! Nesquick!” Kramer shouts, as George flees from the apartment.

Kramer probably should have just offered George some candy for the password and saved himself the trouble. I was reminded recently of a survey reported by the BBC that showed more than 70 per cent of people would reveal their computer passwords in exchange for a bar of chocolate. Over a third of respondents didn’t require any kind of inducement and happily blurted out their password, no strings attached. And nearly four-fifths of the population would volunteer significant clues to their passwords in casual conversation.

And even if you are the type of person who is vigilant enough not to give away your password for a Hershey bar, remembering passwords is tough. For the average computer user, who needs passwords to access email, blogs, newswire subscriptions and social media applications like Facebook and MySpace, remembering them all can get awfully frustrating. And we haven’t even gotten to the office, where you may need numerous passwords, with odd spellings, numbers and symbols, just to use all of your work applications.

So, it's too easy to give away passwords and it's too hard to remember them. But there may be a solution that can deal with both of these problems.

Humans are naturally good at pattern recognition. We remember pictures better than words, and much better than nonsense words containing odd punctuation marks and numbers. Instead of typing in passwords, we could just choose pictures.

Imagine a series of four screens showing pictures on different themes -- let's say, mountains, buildings, animals and fruit. On each screen, you select the picture that you like the best from fifty or so examples (e.g. the craggy mountain with the orange moon behind it and pine trees at the base). Four screens later, you've got a password that you will always remember. Not only that; it would be extremely difficult to casually give away your password, since there would be far too many variables to describe except in a very long and involved conversation.

Until image-based password management becomes the default standard, many individuals will unfortunately continue to write down their passwords on sticky notes they put on their monitors – a definite no-no when it comes to security. Some will have figured out a system that works for them for remembering their passwords consistently across any number of applications and platforms.

And some larger organizations will recognize that leaving password management up to individual staff, until image-based passwords or some other solution comes along, is just asking for security breaches; these organizations will hopefully adopt an enterprise-class identity management solution that works for them.

Vaclav Vincalek is the founder and president of Pacific Coast Information Systems Ltd, a leading provider of technology solutions, and its new products division, Boonbox. He is an expert media consultant and speaker on issues related to IT business management, identity management, web security, and data storage. He is also the senior correspondent for the Pacific Coast Informer, authors a blog about technology solutions and is a contributing writer and columnist in publications dealing with the technology industry.

Vaclav can be reached at Pacific Coast Information Systems Ltd./ Boonbox at info@pcis.com Reprinted with permission.