How Strengthening Security Can Weaken Security


We all know that if you ask people to choose incredibly complex passwords that change frequently, they will write them down on a Post-It note*.

I've recently discovered another way in which increasing perceived security reduces actual security.

On one of my Android phones, I use pattern unlock. If I want access to my phone, I have to draw a squiggly gesture in order to get in. It's like a handwritten signature rather than a complex password**.

It's easier for people to use subconscious tools - like muscle memory - to remember security details.

The swiping gesture (even in multiple directions) is quicker than repeatedly tapping at the screen in order to enter a PIN or password.

Because it's quick for me to pass security, I'm happy to let my phone auto-lock after a minute. To get back in, I wake the phone and quickly draw a pattern.

This means that if I leave my phone unattended, or if it is stolen from me, the lock kicks in within 60 seconds.

That, to me, seems pretty secure. Not perfect, but good enough.

A previous employer - who shall remain nameless - required me to use a specific tool on my Android phone. The tool required me to set a lock-screen code of at least 6 characters. I could no longer use a pattern, or even a short PIN. I had to have a 6-character PIN.

There are two security drawbacks.

Firstly, the pattern lock takes place on a 3 × 3 grid. Patterns can be fairly complex and even longer than the 6 digits requested of the PIN. I could have a complex pattern - or my PIN could be 123456.
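To put numbers on that comparison, here is an added example (not code from the original post) that enumerates every valid 3 × 3 Android unlock pattern. It encodes the rule the Android lock screen applies: a pattern must visit between 4 and 9 distinct dots, and a stroke may only pass over an intermediate dot (for example 1 to 3 across 2) if that dot has already been visited. The key numbering 1-9 reading left to right, top to bottom, and the 4-dot minimum are assumptions stated in the code; the PIN figure is simply 10 to the power of the digit count.

```python
# Dots are numbered like a phone keypad (assumption used throughout):
#   1 2 3
#   4 5 6
#   7 8 9
# A move between two dots with a third dot directly between them is only
# legal if that middle dot is already part of the pattern.
_SKIP = {
    (1, 3): 2, (4, 6): 5, (7, 9): 8,      # horizontal jumps
    (1, 7): 4, (2, 8): 5, (3, 9): 6,      # vertical jumps
    (1, 9): 5, (3, 7): 5,                 # diagonal jumps
}
for (a, b), mid in list(_SKIP.items()):   # the rule is symmetric
    _SKIP[(b, a)] = mid


def count_patterns(min_len=4, max_len=9):
    """Return {length: number of valid unlock patterns of that length}.

    Android's lock screen requires at least 4 dots (assumed here) and there
    are only 9 dots, so lengths outside 4..9 are not valid patterns.
    """
    counts = {n: 0 for n in range(min_len, max_len + 1)}
    visited = [False] * 10  # index 0 unused

    def extend(current, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(1, 10):
            if visited[nxt]:
                continue
            mid = _SKIP.get((current, nxt))
            if mid is not None and not visited[mid]:
                continue  # would jump over an unvisited dot
            visited[nxt] = True
            extend(nxt, length + 1)
            visited[nxt] = False

    for start in range(1, 10):
        visited[start] = True
        extend(start, 1)
        visited[start] = False
    return counts


def pattern_space(min_len=4, max_len=9):
    """Total number of valid patterns with min_len..max_len dots."""
    return sum(count_patterns(min_len, max_len).values())


def pin_space(digits):
    """Number of possible numeric PINs of the given length."""
    return 10 ** digits


if __name__ == "__main__":
    for length, n in count_patterns().items():
        print(f"{length}-dot patterns: {n:>7}")
    print(f"all valid patterns:    {pattern_space():>7}")
    print(f"6-digit PINs:          {pin_space(6):>7}")
```

Running it shows 389,112 valid patterns in total, and 380,336 with six or more dots. That is fewer than the 1,000,000 possible 6-digit PINs, so the pattern's advantage is not raw keyspace. The post's point stands on the other two factors: which secret a user will actually choose (a long, non-obvious pattern versus 123456) and how long the phone is left unlocked.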

Secondly, it's much less convenient. This means I will find a way to bypass it. Now, I can't disable the security requirement to enter a PIN - but I can make it come up less frequently.

As I mentioned, my Android was set to lock after a minute of inactivity. That can now be set to lock after 10 minutes of inactivity. Hey presto, there's now a 10 minute window of opportunity to access my device, rather than 60 seconds.

So, I went from a secure pattern which activated a minute after I put it down, to a PIN of 123456 which doesn't kick in for ten minutes.

Which is more secure?

* Whether that is secure or not is left as an exercise for the reader.

** Grease-mark identification notwithstanding.


One thought on “How Strengthening Security Can Weaken Security”

  1. Martin Seeger says:

    Basic rule: No security measure survives the active opposition of its users.

