How Strengthening Security Can Weaken Security
We all know that if you ask people to choose incredibly complex passwords which frequently change, they will write them down on a Post-It note*.
I've recently discovered another way in which increasing perceived security reduces actual security.
On one of my Android phones, I use pattern unlock. If I want access to my phone, I have to draw a squiggly gesture in order to get in. It's like a handwritten signature rather than a complex password**.
It's easier for people to use subconscious tools - like muscle memory - to remember security details.
The swiping gesture (even in multiple directions) is quicker than repeatedly tapping at the screen in order to enter a PIN or password.
Because it's quick for me to pass security, I'm happy to let my phone auto-lock after a minute. To get back in, I wake the phone and quickly draw a pattern.
This means that if I leave my phone unattended, or if it is stolen from me, the security measures will activate in 60 seconds.
That, to me, seems pretty secure. Not perfect, but good enough.
A previous employer - who shall remain nameless - required me to use a specific tool on my Android phone. The tool required me to set a password of 6 characters. I could no longer use a pattern, or even a short PIN. I had to have a 6-character PIN.
There are two security drawbacks.
Firstly, the pattern lock takes place on a 3 x 3 grid. Patterns can be fairly complex and even longer than the 6 digits requested of the PIN. I could have a complex pattern - or my PIN could be 123456.
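The keyspace comparison in that paragraph can be checked rather than guessed at. The following is an added worked example, not code from the original post: it enumerates every valid pattern on the stock Android 3 x 3 grid using the standard rule that a straight stroke across an unvisited middle node visits that node (so drawing 0 to 2 directly is not a distinct pattern unless 1 is already used), and compares the total with the 10^6 possible six-digit PINs. The node numbering and the 4-to-9-node length range are assumptions taken from Android's stock pattern lock.

```python
"""Count valid Android-style unlock patterns and compare with 6-digit PINs.

Added example for this post. Assumes the stock Android rules: nodes are
numbered 0..8 row by row, a pattern visits 4 to 9 distinct nodes, and a
straight stroke whose midpoint lands on an unvisited node is not a direct
stroke (Android would visit that node instead). An already-visited midpoint
may be passed over.
"""

ROWS, COLS = 3, 3          # node layout:  0 1 2 / 3 4 5 / 6 7 8
NODES = ROWS * COLS


def midpoint(a: int, b: int):
    """Return the node lying exactly halfway between a and b, or None when
    the stroke a->b crosses no third node (adjacent or knight-like moves)."""
    ra, ca = divmod(a, COLS)
    rb, cb = divmod(b, COLS)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None        # halfway point is not on the lattice
    mid = ((ra + rb) // 2) * COLS + (ca + cb) // 2
    return None if mid in (a, b) else mid


def count_patterns(min_len: int = 4, max_len: int = 9) -> dict:
    """Depth-first enumeration of valid patterns, bucketed by node count."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def dfs(path, visited):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in range(NODES):
            if nxt in visited:
                continue
            mid = midpoint(last, nxt)
            if mid is not None and mid not in visited:
                continue   # stroke would be intercepted by the unvisited midpoint
            dfs(path + [nxt], visited | {nxt})

    for start in range(NODES):
        dfs([start], {start})
    return counts


def keyspace_summary() -> dict:
    """Total pattern space versus the six-digit PIN space."""
    by_length = count_patterns()
    total_patterns = sum(by_length.values())
    six_digit_pins = 10 ** 6
    return {
        "patterns_by_length": by_length,
        "patterns_total": total_patterns,
        "six_digit_pins": six_digit_pins,
        "pins_per_pattern": six_digit_pins / total_patterns,
    }


if __name__ == "__main__":
    summary = keyspace_summary()
    for length, n in summary["patterns_by_length"].items():
        print(f"{length}-node patterns: {n:>8}")
    print(f"all patterns:     {summary['patterns_total']:>8}")
    print(f"6-digit PINs:     {summary['six_digit_pins']:>8}")
```

Run as written, the enumeration gives 389,112 valid patterns against 1,000,000 six-digit PINs, so on raw keyspace the pattern lock is the smaller of the two. The post's argument does not rest on keyspace, though: it rests on what a user will actually pick under an inconvenient policy and on how often the lock engages, and neither of those shows up in this count.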
Secondly, it's much less convenient. This means I will find a way to bypass it. Now, I can't disable the security requirement to enter a PIN - but I can make it come up less frequently.
As I mentioned, my Android was set to lock after a minute of inactivity. That can now be set to lock after 10 minutes of inactivity. Hey presto, there's now a 10-minute window of opportunity to access my device, rather than 60 seconds.
So, I went from a secure pattern which activated a minute after I put it down, to a PIN of 123456 which doesn't kick in for ten minutes.
Which is more secure?
* Whether that is secure or not is left as an exercise to the reader.
** Grease-mark identification notwithstanding.
Martin Seeger says:
Basic rule: No security measure survives the active opposition of its users.