Password Security and Psychology

Security and Theft
When visiting Eastern Europe I read an article in a local newspaper about a band of gypsies going through nearby villages and stealing stuff using mind manipulation techniques. As is was described it goes like this: they stop at your house asking for a glass of water and later on you realize that all cash and the jewelry in your house are gone and you don’t remember what happened. This type of theft is not specific to Eastern Europe. Street thieves around the world are actively using suggestive hypnosis to make people “voluntarily” part with their valuables. To some of you it may come as a surprise, but with the right set of skills it is pretty easy to manipulate people and make them do whatever you want them to do (although there are certain boundaries). It works on a vast majority of people. Yes it is possible to hypnotize people and program them to do things without even putting them into a trance. This area of psychology is relatively well developed and one of its modern branches is called Ericksonian Hypnosis.

Computer Security
What does this all has to do with computer security? Well, I think most of you have already guessed: the resume is that human is the weakest link of any security system. Systems based just on password protection are a joke for any serious and determined organization willing to gain access to it. Furthermore, the more people with access exist, the more susceptible the system is, even to simple social engineering. Office workers give away passwords for a cheap pen! A research shows that a whopping percentage of office workers - 90% - are willing to give away their passwords to their coworkers. Men are slightly eager to give away their passwords: 95% versus women 85%. This research of cause was not conducted at a software development company. It was done in England at one of the main railroad stations a while ago. A large number of people simply use word “password” as their office password: totaling a number in a range of 5 to 10 percent. More information on computer security and passwords you may read at DotNetThis

How to make a computer system more secure
What can you do to make the system you are developing more secure? The rule of thumb is: require as much as possible information for a person to be able to access the data. A smartcard badge with a owners photograph does work much better than a password. “Obscure” passwords that are hard to read out and pronounce do work better than simple passwords. Passwords that contain capital letters, signs and digits are better than simple “word-type” passwords. Requiring two passwords from two different people to access a critical piece of data works better than one password. Having two smartcards are even better. Choosing the right people of have access to the data (if you can) is equally important step. Smart people, who are self-aware, have critical thinking and quick reaction and are less susceptible to manipulation. If you are in the military or a similar organization you can even conduct a psychological evaluation of those who is going to be handling secrets. You may tell people that disclosing secrets or any sensitive info will hurt the organization badly, will get them fired and may be in some circumstances a sufficient cause to start a lawsuit against them. All this will set up a moral block in their minds, a great defense against authoritative suggestive techniques.

Keep your secrets
If you are a secret keeper then your main defense is your moral principles and your awareness. Moral principles vary from person to person but the awareness is a universal instrument that will help when somebody attempts to manipulate you, whether it is to get your wallet or to get your password. It is important to distinguish between two types of influence: permissive and authoritative. The first flavor deals with everything so that your mind comes to the “right” conclusions sort of by itself. It is widely used in television or radio ads, commonly used by politicians, good managers and is not necessarily bad. While the first approach is mostly based on catching your attention and inserting right “anchor” words or images in peoples mind, the second method is more intrusive and is based on confusing you and trying to turn off the part of the brain responsible for your critical thinking and then slipping commands into your unprotected mind. A typical method of street thieves is confusing you by saying strange things, touching you, having two people say different things into your right and left ears or catching your attention with some shiny object, such as a mirror or a piece of jewelry. Professional thieves are much harder to detect. If it happens to you that a stranger suddenly talks to you and says weird things my advice to you is walk away as soon as possible.

You can find a lot of information on the subject psychology and security on the Internet. Read it! It may as well save your money. The more you know about security the safer you are in a real world.

Article by John Virgo. Read more information about computer security and .NET security issues at DotNetThis