Let Your Fingers Do the Remembering

Maybe I’ve missed something, but why isn’t more work dedicated to understanding the link between passwords and memory? Given that we’re supposed to remember our passwords (as opposed to writing them down on Post-it notes and sticking them somewhere prominent) why don’t we look more closely at the process whereby we remember stuff — and forget it?

Danah of apophenia wrote recently about the somewhat lame password recovery system some websites use whereby “you have to choose three questions and answer them. The problem is that they are all “What is your favorite n” where n is restaurant, band, movie, song, actor, book, drink, food, place, past-time…” As she points out, favorites tend to change over time, and if they were stable, such information is likely to be available “all over the web on their profiles for dating and social network sites.”

One commenter says Bruce Schneier has written that such password recovery systems are less secure than your password, so advises against using them. Here’s the original link, I believe: Bruce concludes that “The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.”

This is all a roundabout way of writing about a recent experience: one password I have to enter is actually a four-digit PIN used with a SecurID token (one of those readouts that give a different number every few minutes). Four digits I’ve used since 2000, and yet, after two weeks off, I couldn’t remember them. It was only when I stopped trying to remember that I remembered, if you know what I mean. It’s not that I had forgotten the number; it’s that I couldn’t retrieve the number from my memory. (This is getting way too existential – Ed.) The way I “remembered” the PIN was to stop thinking and just type it. My fingers, if you will, remembered it better than my memory did.

I haven’t looked hard, and perhaps there’s data on this kind of thing. But this kind of memory must be way more useful than favorite colors and books and all that kind of thing, which requires thought, which in turn is vulnerable to forgetfulness, or changing habits.

Beyond Phishing, There’s Corporate Spoofing

Phishing — the practice of lulling users into giving up their passwords and whatnot — is not just aimed at the public. Corporations are also falling victim.

MailFrontier, a company that provides ‘messaging security’, says that “while phisher scams — a largely consumer-facing problem where fraudsters spoof well-known brands in an attempt to steal personal information — garner most of the media attention, the untold story is that IT departments are being spoofed as well, compromising the security of entire corporate networks. Highly sensitive information about the company, employees and customers is easily attainable when a fraudster gains access to legitimate employee passwords and network login information.”

MailFrontier cites as an example of this a large media company, where new hires received an email written in the official corporate format asking them to re-authenticate their SecurID cards by providing serial numbers, corporate usernames, and PINs. The request appeared to come from the IT department, and several new employees provided the information. The emails, MailFrontier says, were fraudulent, and as a result the enterprise’s network was compromised, exposing secure corporate assets and employees’ personal information.

MailFrontier, of course, has a solution: its new MailFrontier Enterprise Gateway 3.and MailFrontier Desktop 4.0, “the only such products on the market that actively protect email users from this dangerous threat”. But that doesn’t mean it’s not a real problem. I just haven’t heard much about it. I guess that’s because companies don’t like to broadcast such breaches, not only because it’s bad PR but because, presumably, the most likely culprits would have to be someone in the same business.