Mitigation of Password Predicament

by Hitoshi Kokumai
August 21, 2017
in Industry Opinions

One of the latest hot topics is the reporting on the new NIST password guidelines, which repealed what we have long been told to do: make passwords as complicated as possible and change them periodically.

 ( https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity )

It is nice to see the odd recommendations repealed: complicated, hard-to-recall passwords, which drive people to reuse the same password across many accounts, and regular password changes, which drive people to the easiest-to-guess passwords. It is not nice, however, to see ‘passphrase’ and ‘password manager’ being touted so naively. Caveats should come with these recommendations.

Passphrase: It can be longer and yet easier to remember, but that does not necessarily mean higher entropy, despite the trouble of tiresome typing. A passphrase is generally made of known words, which are exactly what automated dictionary attacks target.

The cartoon shown in the linked article claims that 44 bits of entropy is hard to guess. It may be extremely hard for humans to guess, but it is easy prey for criminals who possess automated attack software with intelligent dictionaries.
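As an added illustration, not part of the original article, the following Python compares the strength of the same four-word passphrase under two attacker models: one that knows the word list and guesses whole words, and one that has to guess lowercase letters one by one. The 2048-word list size, the sample words and the guess rate are assumed values, not figures from the article.

```python
import math

# Constructed sample values (not from the article): a 2048-word list, as in the
# cartoon's 44-bit estimate, and a 4-word passphrase drawn from that list.
WORDLIST_SIZE = 2048
PASSPHRASE_WORDS = ["correct", "horse", "battery", "staple"]  # 25 letters total
ASSUMED_GUESSES_PER_SECOND = 1e9  # assumed offline rate against a fast hash


def passphrase_entropy_bits(word_count: int, dict_size: int) -> float:
    """Entropy when the attacker knows the list and guesses whole words."""
    return word_count * math.log2(dict_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy the attacker would face if forced to guess character by character."""
    return length * math.log2(charset_size)


def expected_guesses(bits: float) -> float:
    """On average the secret is found after half the keyspace has been searched."""
    return 2.0 ** (bits - 1)


def expected_hours(bits: float, guesses_per_second: float) -> float:
    """Average time to recover the secret at the given guess rate."""
    return expected_guesses(bits) / guesses_per_second / 3600


def compare(words, dict_size, guesses_per_second):
    """Return (dictionary-model bits, letter-model bits, hours under each model).

    The passphrase is the same string in both cases; only the attacker's
    knowledge differs, which is why 'length' alone says little about strength.
    """
    letters = sum(len(w) for w in words)
    dict_bits = passphrase_entropy_bits(len(words), dict_size)
    letter_bits = charset_entropy_bits(letters, 26)  # lowercase letters only
    return (dict_bits, letter_bits,
            expected_hours(dict_bits, guesses_per_second),
            expected_hours(letter_bits, guesses_per_second))


if __name__ == "__main__":
    d_bits, l_bits, d_hours, l_hours = compare(
        PASSPHRASE_WORDS, WORDLIST_SIZE, ASSUMED_GUESSES_PER_SECOND)
    print(f"dictionary model: {d_bits:.1f} bits, about {d_hours:.1f} hours")
    print(f"letter model    : {l_bits:.1f} bits, about {l_hours:.3g} hours")
```

The dictionary model yields 44 bits and a few hours at the assumed rate, while the letter model yields well over 100 bits for the identical string; the attacker's dictionary, not the passphrase's length, decides which figure applies.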

Password Manager: It remembers all my passwords while it is un-hacked and hands all my passwords to criminals once it is hacked. It should be operated in a decentralized form, or else be considered mainly for low-security accounts, not for high-security business accounts, which should each be protected by a different strong password unique to that account.

Then, what else can we do?  Can we expect biometrics to solve the problem?

Make sure not to mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’

Tech media seem busy arguing over which biometric is better than the others. From a security point of view it is all nonsense: every one of them provides a level of security lower than password-alone authentication in cyberspace. We should instead ask why security-lowering measures have been touted as security-enhancing solutions.

Whether dead or alive, conscious or unconscious, individuals could be identified by biometrics. It often leads people to take it for granted that a good identification of individuals makes a valid authentication of our identity.

Caveats! It is not the case. Biometrics relies on ‘unique’ features of individuals’ bodies and behaviors. That makes it well suited to the identification of individuals who may be conscious or unconscious, alive or dead, and due respect could be paid to biometrics in this respect.

Being ‘unique’ is different from being ‘secret’, however. Biometrics relies on ‘unique (not secret) features’, so deploying it to secure identity authentication is a misuse of it. A user ID cannot displace the password.

Because of its inherent characteristics, biometrics depends on a fallback means in case of false rejection. In physical security, it could be handled by personnel in charge other than the user.  In cybersecurity, however, it needs to be handled by the user themselves, in most cases by way of a password that the user themselves needs to feed. This fact brings down the overall security to below that of a password-alone authentication.

Therefore, so long as biometrics is backed up by a fallback password, its security is lower than that of password-only authentication, irrespective of which modality is more accurate than the others, as illustrated in this video.

 ( https://youtu.be/wuhB5vxKYlg )

By the way, we cannot help but wonder why and how biometrics has been touted as a security-enhancing tool for so long, with so many security professionals staying silent about these facts.

There could be various explanations – from agnotology, neuroscience, psychology, sociology, to behavioral economics and so on.  This phenomenon will perhaps be found to have provided an excitingly rich material for a number of scientists and researchers in those fields.

In any case, by confusing “Identification” with “Authentication” we are building a sandcastle in which people are trapped in a terrible false sense of security. The huge biometrics business has been built on a fallacy.

Related article “Misuse of Biometrics Technologies”

 ( https://www.paymentsjournal.com/Content/Blogs/Industry_Blog/30986/ )

We could also think about the situations where we cannot rely on anything but memorized secrets.

Identity Assurance in Emergencies

What is practicable in a calm indoor environment is not necessarily practicable in a turbulent outdoor environment, although the reverse does hold. The difference would be most striking on the battlefield and in disaster recovery.

Can we take it for granted that the people in such emergencies must be holding the cards and tokens for their identity authentication?

Can we be certain that the biometrics measures, whether static or behavioral, are practicable for the people who are injured or caught in panic?

Related slide “Identity Assurance in Emergencies”.

 ( https://www.slideshare.net/HitoshiKokumai/identity-assurance-in-emergencies )

Furthermore, we must not forget the meaning of our volition in the authentication.

Democracy in Peril

Democracy must require the individuals to have the rights not to get their identity authenticated without their knowingly confirming it. This volitional process can be achieved only with “volitional” identity authentication made possible by memorized secrets.

Related article “Do You Really Wish to Kill Passwords Dead?”

 ( https://www.paymentsjournal.com/Content/Blogs/Industry_Blog/35745/ )

In Conclusion

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password predicament is the cognitive phenomenon called “interference of memory”, because of which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password as such, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the effort of expanding the password system to include images, particularly unforgettable images, as well as conventional text.

We propose ‘Intuitive Passwords’ for mitigation of the password predicament.

Related article “Passwords to Succeed Passwords”

 ( https://www.paymentsjournal.com/Content/Blogs/Industry_Blog/35382/ )

Hitoshi Kokumai

Mnemonic Security, Inc.

– Hitoshi Kokumai is the inventor of the Expanded Password System, which enables people to make use of episodic image memories for intuitive and secure identity authentication. He has been raising the issue of the wrong usage of biometrics with passwords, and the false sense of security it brings, for the past 15 years.

– Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai to promote the Expanded Password System. “Mnemonic” and “Mneme”, used in the company name and logo, imply that our identity must be protected with our own memory. Following pilot-scale operations in Japan, it is currently searching for a location to set up its global headquarters.
