Thursday, November 08, 2007

Passwords: a UI for the Memory?

I'd been avoiding it for some reason, but I've done it - I've finally entered my card details into the Verified by Visa (VBV) scheme. I don't know why I don't trust it - maybe it comes across as yet another place to enter my details, and generally the fewer places that have them, the better. Or maybe it's just the text-entry boxes for entering your card's expiry date, or just the uninspiring graphical layout you're presented with (damn, should have grabbed a screenshot...).

Still, it's done. It's probably safe. But one thing in particular struck me as odd.

You're asked for a password, so that in future you can re-authenticate yourself with the scheme. Fair enough. But it got me thinking about passwords in general - we have pretty vague guidelines for them. Guidelines tend to focus on using a diverse character set to avoid brute-forceability. They also like to suggest the avoidance of common words, but the use of a memorable phrase - probably shrunken to its acronymical form. (Hey, that's a fun word!)

What struck me about providing one for VBV was threefold, actually.
  • First, I could only use numbers and letters - no spaces, no punctuation. There go my usual strong passwords, then.
  • Second, I noticed that when you get asked to re-authenticate, you get asked for certain letters of your password, rather than the whole thing. Fair enough, but it's weird to notice just how much you rely on finger memory for entering passwords.
  • Third, as you have to use at least one letter and one number, there's no way to integrate it with my current bank password, which is letters only. This is where the password-as-a-memory-interface thing kicks in. Both my banking password and my VBV password - to me, as a user - are essentially accessing the same thing. But I'm forced to use 2 different ones. Why can't I, say, authenticate against my own bank's security, instead of going through yet another system which just encourages me to forget or write down my password?
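To put numbers on the first and third points (letters and digits only, at least one of each) and the second (re-authentication by asking for only some characters), here is a small keyspace calculation. This is an added example, not code from the post or from Verified by Visa. It assumes the scheme matches case (52 letters), a typical length of 8, and that the "usual strong passwords" mentioned above draw from the 95 printable ASCII characters including space; none of those figures come from the post.

```python
"""Keyspace comparison for the password rules described in the post.

Added example; not the post's or Verified by Visa's code. Assumptions:
case-sensitive letters (52), password length 8, and an unconstrained
"strong password" alphabet of 95 printable ASCII characters (incl. space).
"""
import itertools
import math
import string

LETTERS = string.ascii_letters              # 52 (assumes case-sensitive)
DIGITS = string.digits                      # 10
ALNUM = LETTERS + DIGITS                    # 62: all the scheme accepts
# 95 printable characters: what a password with punctuation and spaces can use
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "


def meets_vbv_rules(password: str) -> bool:
    """Policy as the post describes it: letters and digits only,
    at least one letter and at least one digit."""
    return (len(password) > 0
            and all(c in ALNUM for c in password)
            and any(c in LETTERS for c in password)
            and any(c in DIGITS for c in password))


def vbv_keyspace(length: int) -> int:
    """Strings of the given length over ALNUM with at least one letter and
    one digit. Inclusion-exclusion: all alphanumeric strings, minus the
    letters-only ones, minus the digits-only ones (the two excluded sets
    are disjoint for length >= 1, so nothing is subtracted twice)."""
    return len(ALNUM) ** length - len(LETTERS) ** length - len(DIGITS) ** length


def free_keyspace(length: int) -> int:
    """Unconstrained strings over the 95 printable characters."""
    return len(PRINTABLE) ** length


def bits(keyspace: int) -> float:
    """Keyspace size expressed as bits of work for exhaustive guessing."""
    return math.log2(keyspace)


def challenge_keyspace(positions: int) -> int:
    """A re-authentication challenge that asks for only `positions`
    characters (the post's second point) can be answered by guessing just
    those characters; the rest of the password plays no part in that one
    challenge, so the per-challenge guess space is 62**positions."""
    return len(ALNUM) ** positions


def brute_force_count(length: int) -> int:
    """Cross-check of vbv_keyspace by enumeration; only sane for tiny lengths."""
    return sum(1 for t in itertools.product(ALNUM, repeat=length)
               if meets_vbv_rules("".join(t)))


def report(length: int = 8, positions: int = 3) -> dict:
    """Summarise the three keyspaces for one password length."""
    return {
        "vbv_bits": bits(vbv_keyspace(length)),
        "free_bits": bits(free_keyspace(length)),
        "challenge_bits": bits(challenge_keyspace(positions)),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:>15}: {value:5.1f} bits")
```

The inclusion-exclusion term matters less than it looks: the "at least one of each" rule removes a tiny fraction of the 62-character space, so the real cost of the policy is the 62-versus-95 alphabet, roughly five bits at length 8. The partial-character challenge is a separate concern for a defender: whatever the full password's strength, a single challenge only depends on the characters it asks for, and a server can only check individual characters if it keeps the password in a form from which those characters are recoverable.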

Memory is context-dependent. As systems become more "fragmented" in terms of how much data can be shunted from place to place, maybe more thought needs to be put into how we remember who we "are".


RedYetiDave said...

I hate VbV and their horrible, slow clunky interface.

Most of all I hate the way it's all about "being more secure" and yet, as you say, they have such ridiculous restrictions on characters. Just as for you - there go my secure password-generating algorithms.

Similar daft restrictions apply in many places. Even eBay, who don't even allow £ signs (most password cracking systems tend to miss those apparently, so it's good to include them).

I resorted to keeping passwords in a Truecrypt volume many years ago. In an innocuous-looking binary, buried in the mass of files I already keep in there. It's the only way I can keep track of them all. The list is about six screens deep now...

Scribe said...

Also unfortunately, I can see things getting more complex as we go along, as their solution to new threats (fake sites, etc) seems to be to add in another level of security. There's an interesting look at using PINsentry to get into Barclay's site over at Phil Wilson's blog.

Ideally, all the banks (and probably government, and Bruce Schneier) would work out a better way to do this and replace the mish-mash we've got / are getting now. It would probably involve ID cards though (which would probably then become part of yet another complex system as *that* got hacked to bits...)

Bugger it, I'm paying with cash from now on.