Strong Passwords May Cause Harm

The standard security model for applications has been the username and password combination. Over the years it has been made more protective by requiring longer passwords. Many institutions also demand that uppercase, lowercase and special characters be used. This is generally reasonable for a person with a standard keyboard, but it becomes problematic for mobile phone users who only have screen-based touch keypads. An alternate authentication solution may be far more user friendly, and even safer, for such users.

In the Information Technology industry, secure access to data is a requirement. Anyone who needs data from a central server must be authenticated, and everyone should be given a unique username. While many access mechanisms derive the username from a person's name (last name plus an initial), this approach compromises security a little. A nefarious individual can easily determine that an agency uses a particular name encoding, and then all that person needs is the correct password and access is granted. Assigning a completely arbitrary code to all users, not based on names, would be safer: a hacker would then need to determine both username and password to gain entry.

Passwords, too, can be a security concern. Users tend to choose passwords which are easy to remember. Studies have shown, in fact, that a very popular password is the word "password". Computer break-ins are often accomplished when this word is tried in the login process, and other common words are also tried in guessing attempts, with surprisingly many successful break-ins. The usual response from computer administrators is to insist on longer passwords, perhaps eight characters at a minimum. Password policies may also mandate both upper and lower case characters, and perhaps special characters ("%", "$", "*", etc.) as well. Imagine the frustration for a mobile phone user who has to enter a password such as "To8*@Mar" on a screen-based keypad. It can be nearly impossible, especially if the device masks each keystroke with a "*" as it is entered.

An alternate access granting method for mobile users can be based on selections from lists. Instead of entering a long string of strange looking characters for a password, perhaps the user could be presented with a series of multiple choice questions. For example, instead of a password, a user could be shown the following list of words and asked to choose the correct one from the list:

Access Words - (Choose 1 only)

A mobile phone user would have already established that their favorite day is Tuesday (for example), so they would always choose that value from this list. Any other choice would cause the access attempt to fail. This list is obviously quite arbitrary, but it could be effective. From the given choices, there is only a 1 in 5 chance that a pure guess will allow access. While this is much less secure than an eight character password that includes special characters, it may be adequate for initial verification. Suppose that, after choosing a day from this list, the user then has to choose from the following list:

Access Words - (Choose 1 only)

This is a sample list of pet names. The authorized user would know the correct value. All other access attempts would have a 1 in 5 chance of guessing the right value. By putting the two lists together, a pure guess has only a 1 in 25 chance of being correct. Still relatively low by security standards but promising. Such an access scheme does have the benefit of being very easy to key in on a mobile phone. Instead of eight keystrokes, plus more to enable alternate character sets, the user has had to perform perhaps as few as three. Taken to an extreme, a mobile user access scheme might present the following lists to the user who seeks access to a system:

Access words - (Choose 1 from each list)
Red             Nevada        Gull        Dog
Blue            Iowa          Tern        Cat
Green           Arizona       Eagle       Hamster
White           Utah          Duck        Pig
Orange          Florida       Swallow     Horse

To successfully access the system using this scheme, a guess must be the right one out of 625 combinations. If the lists hold six items, the number increases to 1296. Lists of 10 entries boost the number of combinations to 10,000. While this is still a fairly low number of combinations compared to a difficult password, the scheme requires only as few as five user keystrokes. The increase in user comfort with this approach would be significant: fewer incorrect entries would be made, and users would become adept at choosing from the lists. A practical implementation could expand on this theme as well.

The list choice security scheme can be implemented as a repeating mechanism to ensure data safety during an entire application session. In the beginning, a user is presented with a prompt for their username, which is easily keyed into an entry box. Next, a few lists are presented. These may include a person's favorite color, state, bird and animal. Other lists might be the name of a pet, sibling, school or another value typically known only to the person. Access to the system would be granted by the correct selection from each of the lists. Later, as user actions are entered, the system could present new list choices periodically, so that before a data value is changed by a user, they would again have to provide the correct choice from a list. This actually enhances security beyond regular password schemes, since the list choice would protect the system any time that a user response is accepted.
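As an added illustration (not code from the article), the scheme described above in Python: the article's four-list challenge presented in shuffled order, a check that compares every list before answering, and the search-space arithmetic the article gives (625, 1296, 10,000) expressed in bits next to a character password. The attempt limit and the `ListChoiceVerifier` name are my assumptions; the article specifies neither.

```python
import hmac
import math
import random
# Constructed sample data: the article's own four-list example.
LISTS = {
    "color": ["Red", "Blue", "Green", "White", "Orange"],
    "state": ["Nevada", "Iowa", "Arizona", "Utah", "Florida"],
    "bird": ["Gull", "Tern", "Eagle", "Duck", "Swallow"],
    "animal": ["Dog", "Cat", "Hamster", "Pig", "Horse"],
}
def combinations(list_sizes):
    """Distinct selections = product of list sizes (5^4 = 625)."""
    return math.prod(list_sizes)

def guess_bits(list_sizes):
    """Same search space expressed in bits, for comparison with passwords."""
    return math.log2(combinations(list_sizes))

def password_bits(length, alphabet_size):
    """Bits of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)

def guess_success_probability(list_sizes, max_attempts):
    """Chance a random guesser succeeds before an attempt limit locks them out."""
    return max_attempts / combinations(list_sizes)

class ListChoiceVerifier:
    """Server side of the scheme: enrolled answers plus an attempt limit.
    The attempt limit is an assumption added here; the article does not specify one."""
    def __init__(self, enrolled, max_attempts=3):
        self.enrolled = dict(enrolled)
        self.max_attempts = max_attempts
        self.failures = 0

    def challenge(self):
        """Present each list in a fresh random order so position reveals nothing."""
        rng = random.SystemRandom()
        return {name: rng.sample(opts, len(opts)) for name, opts in LISTS.items()}

    def verify(self, answers):
        """Check every list before deciding, so a wrong first list is not faster."""
        if self.failures >= self.max_attempts:
            return False  # locked out: even the right answers are refused
        results = [hmac.compare_digest(self.enrolled[k], answers.get(k, ""))
                   for k in LISTS]
        if all(results):
            self.failures = 0
            return True
        self.failures += 1
        return False
```

With five-item lists the whole space is about 9.3 bits against roughly 52 bits for a random eight-character password over 95 printable characters, so the attempt limit, not the list size, is what keeps a guesser's odds near 3 in 625.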

Standard security protocols that demand long, complicated passwords are difficult enough to satisfy when computer users are equipped with regular keyboards. Depending on the specific requirements, such schemes are often nearly impossible to complete on a mobile phone screen-based keypad. Rather than force users into such a rigid access mechanism, the list choice security scheme can be an effective way to implement a security protocol that is easy to use on almost any modern computing device.