There was a time when passwords were useful as computer security controls. Of course, that was when we used just a few software applications. It was a time when our computers were not connected via a public Internet. It was before people near to us and far from us all had strong financial and political incentives to breach our systems, use our data and ransom the money in our bank accounts.
Since these early days, there have been three categories of security credentials used to authenticate authorized users: “something you know”, “something you have”, and “something you are.” The discussion presented here considers the first of these categories, “something you know”, with little attention to the other categories.
We can all probably agree that the nature and scale of cybersecurity threats in today’s world exceed the protection and trust that traditional passwords can deliver. The difficulties and limitations that we experience with traditional passwords result from outdated thinking that limits the potential of “something you know”.
Something You Know is Something You Create and Memorize. For some unknown reason, “something you know” is typically cast as something you create and then memorize, such as a password. This has been true for many years, even as it became widely accepted that relying on this credential is difficult and impractical, even with the help of password managers and passphrases. For some reason, security professionals have accepted the limitations of this assumption, when there is ample reason to consider an alternative to “something you know”, such as “something you already know”.
Increased Security Results in Decreased Convenience and Often Vice Versa. Security professionals increasingly encourage end users to create ever more complex passwords and long passphrases. They encourage a unique credential for every account with sensitive information, and they encourage that the credential be changed periodically. The time, effort and attention required to achieve such a high standard of security is so inconvenient that end users happily abandon use of this credential in favor of a fingerprint scan or other biometric. Who can blame them, even though such a practice eliminates an entire category of credentials, reducing the layers of defense from three to two! Although security professionals are reluctant, the will of end users may force them to accept this outcome, despite the opportunity to consider expanding “something you know” to “a few things you already know”.
Technology Will Create Security and Convenience. Security professionals are now certain that end users managing their own passwords and passphrases is fraught with risk, even with today’s password safes and password managers. Few security professionals have a clear conscience when they advocate the use of browser-based password managers, or similar solutions available as software platforms and managed services. At best, such professionals accept the tradeoff between security and convenience as necessary. Security professionals accept this tradeoff because it is delivered to us by technology, when there is an opportunity to consider an alternative to “something you know”, such as “a few things you already know that are known only by you”.
Insecurity is Inherent in Security. All credentials related to “something you know” are inherently vulnerable and insecure. The vulnerabilities are exploited by numerous tactics: post-it notes discovered under the keyboard, users sharing credentials, insider threats of various sorts, bots that harvest credentials through keylogging, phishing, password safes that are stolen or breached, brute force attacks, etc. There are so many ways to attack traditional credentials related to “something you know” that criminal organizations around the world exploit these credentials and make money doing so. Security professionals accept this assumption, when there is an opportunity to consider an alternative to “something you know”, such as “a few things you already know that are known only by you and can be disaggregated and randomized such that they can be reconstituted only by you”.
This discussion of “something you know” illustrates the limits of short-term memory as the basis of user login. Shifting the focus to Natural Memory (a.k.a. long-term memory) dramatically expands the potential for security credentials. The properties of Natural Memory enable credentials that are unique, already known, and unknowable to others, and that cannot be hacked, spoofed, guessed, stolen, or copied. Password safes or managers are unnecessary and logins are automated. No amount of hacking is rewarded. Natural Memory was available long before computers enriched our lives, yet it has been overlooked as an important factor for authenticating the identity of computer users. The time is right to remove the shackles on our reasoning and assumptions about “something you know”, and to create an advanced credential that meets the needs of today’s threat profile.