Editor’s note: Michael Maddox, PhD, CHFP, is a senior scientist for HumanCentric Technologies. The Human Factor is a regular feature in LTW.
_______________________________________________________________________________________
In the May 9, 2005, issue of Computerworld, there’s a great cover story. The VP of Information Technology at a large credit union began to worry about security, so he ran a network password-cracking program on every employee’s account. He found that within 30 seconds, the program was able to identify about 80 percent of employee passwords.
He attributed this to very poor adherence to the company’s password policy, so he had everyone replace their password and admonished everyone to adhere strictly to the security policy. A few days later, he ran the password cracker again. This time, it was able to identify about 70 percent of the passwords.
Concluding that employees would never maintain strong (as in, difficult to crack) passwords, the company shifted to biometric identification, which was really the focus of the Computerworld article. Using fingerprints instead of user ID’s and passwords essentially eliminated that particular security issue.
What should interest all of us is why it is so difficult for people to establish, maintain, and remember strong passwords.
As it happens, the field of human factors can help in this regard. Password protection issues are very much indicative of what happens when a technical requirement runs afoul of basic human tendencies and capabilities.
Please Enter Your Password
How many times do you see that phrase every day? Sometimes it seems that every website, network area, application, and even every computer requires us to enter a user ID and password. Many browsers and operating systems will remember our user ID’s, but not always our passwords. Simply defining and remembering these identification terms is a full-time job. A job for which we, as human beings, are just not particularly well suited.
Human memory is one of the most thoroughly studied of our cognitive capabilities. Researchers and theorists long ago established that our memory is composed of at least a couple of different factors, usually called long-term and short-term memory. Anything we have to remember for more than a few minutes or hours has to somehow be put into long-term memory.
We also know that humans are notoriously poor at retaining information in short-term memory. When we, as human factors practitioners, evaluate systems, procedures, and products for usability, we always look for instances in which people have to remember information and then use it at a later time. When we find such requirements, we always flag them as potentially problematic — because we understand that people just aren’t very good at doing this.
One of the characteristics of information that makes it easier to store and retrieve from memory is its meaningfulness. Things that mean something to us are easier to remember than meaningless bits of information. Therein lies the rub as far as user ID’s and passwords.
It’s My Dog. Why?
Security purposes are best served, I think we can all agree, by requiring users to identify themselves in such a way that (a) ensures we are who we say we are and (b) is very difficult for people who are not us to figure out. So-called “strong” passwords tend to be randomly generated and contain no information that can be easily associated with us personally. That’s so someone can’t simply guess that my password is my birthday or my wife’s name. Unfortunately, we have great difficulty remembering random combinations of letters and numbers. Why? Because those letters and numbers don’t mean anything to us.
So, what do most of us do when we define our user ID and password? Well, we use something familiar. The name of one of our children. The name of a pet. The name of the street on which we live. What do we do when we have to define user ID’s and passwords for a lot of different systems? We do the most logical thing. We use the exact same user ID and password for every occasion.
If we’re not allowed to keep the same user ID and password, then we write down our user ID and password on a sticky note and paste it to our computer monitor. This is the kind of thing that gives security people nightmares, but it is perfectly logical from the perspective of our innate abilities and limitations as human beings.
Dude, I Can’t Lift That
So, it’s time to ask a realistic question related to designing things for people to use. Would you ever design something that intentionally violated what you know to be the capabilities of your intended users?
For example, suppose you’re designing a portable chair that folds up and can be carried by people attending outdoor events. You know it has to be pretty sturdy to stand up to the abuse it will receive (and to accommodate a 250 pound person). Would you design it out of materials that result in a chair that weighs 50 pounds? That would be stupid, right? That would exceed the lifting and carrying capacity of a large proportion of your target market for the product.
And yet, people routinely violate the cognitive capabilities of human users.
Michael Maddox is a senior scientist for HumanCentric Technologies (www.humancentrictech.com). He can be reached at 919-481-0565 or email@example.com.