If your organization is like most, you probably are required to change your computer passwords every six months as a precautionary measure. It turns out, however, that changing your passwords every 180 days actually lessens cybersecurity.
That counter-intuitive advice is from Dr. Jennifer Golbeck, a computer scientist, director of the Social Intelligence Lab (Human-Computer Interaction Lab) and an associate professor in the College of Information Studies at the University of Maryland in the US. Golbeck, a featured speaker at the AFP Annual Conference in October, recently spoke with the Association for Financial Professionals:
"The standard rules for passwords are eight characters or the upper case-lower case-digit combination. But if you look at cognitive science, it says people can only remember seven things on average"
You hold a doctorate in computer science and your focus is on understanding how people use social media to improve the way they interact with information. So how did you get into cybersecurity? How does that relate to human interaction?
That’s a good question because it was kind of a crazy route.
I study social media and I use artificial intelligence to analyze the data people post on online to help them find more of what they want, whether it’s recommending movies or music or filtering things out. Along that route, privacy regularly would rear its head as an important issue because it turns out there’s so many things that we can find out about people from these seemingly anemic digital traces that they leave behind.
And so, as I continued with my work, I started talking more and more about the importance of privacy and how you protect it and that led me into the space of, here is the security tool that you can use to do that, and some of these security tools are really terrible for people to use. They’re just hard for people to figure out.
So, it launched this second parallel research area for me that focused on privacy and security, and making security systems easier to use. If you spend a little time thinking about it, it makes sense how that neatly overlaps with working with how people use social media.
You argue that with cybersecurity, the problem is not people behaving insecurely, but security systems that are designed with no concern for their users. Aren’t people responsible for their own actions, whether it’s acting lawfully, or protecting their information from hackers?
I think people absolutely are responsible for that, but the fact is that we have a certain set of abilities and limitations and we’re often pushed well beyond those by the systems that we have to use.
If you think, for example, about passwords, that’s the most common security thing that we all have to do. The standard rules for passwords are eight characters or the upper case-lower case-digit combination. But if you look at cognitive science, it says people can only remember seven things in their short-term memory, on average.
Some people can only hold fewer things than that. So, if you’re coming up with a really random properly complex password with eight characters, it’s already too hard for you to remember in your short-term memory.
Then what do you do? Well, you either make it less secure by picking something that’s a little bit easier for a hacker to get, or maybe you write it down. But it taxes what human brains are capable of doing to try to make people memorize passwords that way. There are a lot of little things like that.
"I think the right solution to this is we have to have security systems that are designed around what people can do and kind of with the knowledge and attention towards what their actual job is, which is not security"
Human-computer interaction as a field of research spends a lot of time looking at psychology science, cognitive science, and then saying, okay, how do we minimize the cognitive load, the work that people have to do in order to accomplish a task? But security systems don’t really do that.
In fact, if you get a degree in cyber security, you never have to take any class that has anything to do about humans and how they use systems.
So we have these systems that are designed with no understanding of human abilities, or how you design systems that are easy to use. As a result, they’re really hard to use. They also can, just because of that, get in the way of people doing their jobs.
One example is a hospital that would auto log-out these patient data terminals that doctors would use because doctors were walking away and leaving them logged in. The doctors shouldn’t leave them logged in, but the auto log-out feature was logging them out in the middle of patient exams, which is really disruptive to the actual job that doctors have to do. So they started circumventing the auto log-out feature.
Is it that doctors are not taking responsibility for their security? Maybe. I’d say it’s really them trying to do their job and the security was getting in the way.
I think the right solution to this is, we have to have security systems that are designed around what people can do and with the knowledge and attention towards what their actual job is, which is not security. Then it’s much easier for people to behave in a secure way, because they don’t have to spend a lot of effort investing in the security itself.
What would a human-centered cybersecurity focus look like?
There’s a couple of different types of people that you have coming in to work on cybersecurity. You have people who are dealing with encryption standards, who are really working on the backend, your database security, stuff that no regular user ever interacts with. I never touch the databases at the university, for example.
But a lot of these systems are forward facing. Some of that comes through IT support, some of that comes through policy within the organization, and some of it comes through the design of the interfaces that are facing your users.
I would say, one, that an organization should make sure that they have someone who’s trained in some human factors or human-computer interaction. That could mean they’ve taken the same classes in it, or there’re people who have degrees in that and are computer scientists and well trained in security.
"But there’s a lot of evidence out there about security practices that shouldn’t exist that are widely deployed that organizations don’t seem to want to change and the biggest one of these is that policy where you have to change your password frequently"
I think ultimately you first want to design the system so it’s good for the people and then figure out how to make the security work in that context. Get someone who’s trained on this to actually help you build those systems that people are acting with.
The thing is, No. 2, organizations are very resistant to changing policies. That makes sense; it’s risky to change policies. But there’s a lot of evidence out there about security practices that shouldn’t exist that are widely deployed that organizations don’t seem to want to change. The biggest one of these is that policy where you have to change your password frequently.
At the University of Maryland, we have to do it every six months. Lots of organizations have it, you’re required to change your password every certain number of months. But evidence says that actually makes your systems less secure because of the people.
You can say, well, theoretically it’s harder to hack a password because even if someone gets your old one, they can’t get in if you changed it. But in practice, people do the same kind of thing I do. I put a number at the end and I just increment it or drop it down by one every time I change it, because it’s too hard to remember a totally different password every six months.
So, you actually make your system less secure. They make people pick less secure passwords with that policy.
All the evidence says you shouldn’t make people do this. And yet, I go around and talk about this, I tell people, but the organizations don’t want to make that change. They insist that people have to keep changing their passwords. And that’s the sort of thing that I think organizations really need to take a hard look at.
There’s a lot of people doing good academic, well-founded scientific research in this space and when they come out with results to say this kind of policy actually makes things less secure and it also makes things worse for your users, you really want to strongly consider changing that policy.
A lot of security people don’t like it, but it’s the right move. I think that’s an organizational kind of culture and decision that, on a lot of levels, if you start paying attention, here is the thing that make us more secure. You end up overall making it better for your people, and then as a result, making it more secure overall.
It’s interesting you said that you also fall into the habit of just incrementally changing the number at the end of your password because it’s hard for you as well. So I’m curious, does the University of Maryland, your employer, do they listen to you or do you sit there saying, “Hey, I’m the expert. You’re paying me to be an expert and yet you’re not listening to me.”
It’s the latter. I’ve e-mailed our IT people, I’ve sent them these studies, I said, “By the way, I’m going to talk to the media about the response that you give me, so please give me your response,” and they just totally ignored me.
So, we still are changing our passwords every six months, despite my concerted effort to at least open a dialogue about it with them. They don’t want to hear it, apparently.
“II would say the one piece of advice is don’t assume that the way that you’re doing it now is the best way”
That’s kind of sad to hear.
I know. It’s a little frustrating, but I think they probably see me as one of these kooky faculty members maybe who’s on a mission. Hopefully we’ll eventually win them over on this. But, yeah, for now I’m not even getting a response when I ask to talk about it.
I am wondering if there’s one piece of advice you could tell a treasurer, a CFO, to help make his or her organization’s information more secure—particularly payments information?
I would say the one piece of advice is, Don’t assume that the way that you’re doing it now is the best way.
I think a lot of people would agree with [this advice], but it comes with the implication that you may have to change, perhaps dramatically, the way that you’re doing things now to make them more secure. And that’s really scary to say you need to throw out all the ways that you’ve been doing security facing your users, whoever they are, and potentially change it.
But it might be necessary. I think it should be evidence-based decision. There’s a ton of good evidence out there. Hopefully, it will be built on some best practices so you may be taking some new steps.
I think one of the big impediments to making systems more secure, where humans are involved, is that there are changes that can and should be made by all evidence that organizations just won’t make because they resist changing what they’re doing because they feel comfortable with what they’re doing.
And so, I would say, be willing to consider that you’re not doing it the best way now and that there could be great evidence that you should change the way you’re doing it and that’s going to make it more secure all around. If you make it more secure for the people, you’ll increase the security of the whole system.
About the Author
Ira Apfel is Director, Communications & Editorial Content, at the Association for Financial Professionals (AFP), a US-headquartered professional society that represents finance executives globally. This article is excerpted from "Changing Your Passwords Every 6 Months Actually Hurts Cybersecurity. Here's Why," which was first published on the AFP website and was re-edited for clarity and conciseness.
Copyright © 2016 Association for Financial Professionals, Inc. All rights reserved.