
Solving the Password Problem | Commentary

By Michael Jones

Cybercrime is metastasizing. Hackers stole 900 million financial and personal records in 2014 alone, and hacking now costs consumers and companies $375-575 billion annually. That’s putting pressure on both parties to act, but Congress hasn’t yet been able to pass a cybersecurity bill. President Barack Obama’s proposal to require businesses to share information on hacking threats with the Department of Homeland Security has raised both political and privacy issues, and drawn opposition from conservatives, business and the American Civil Liberties Union.

But even if such a bill passed, information sharing would not have stopped high-profile cyberattacks on Anthem, Sony Pictures, Target, Home Depot, banks in 30 countries including JP Morgan Chase, or others. The glaring cybersecurity problem today is our password practices, which have become dysfunctional. Most security breaches involve weak or stolen login credentials.  

Passwords are a weakness for Congress’ own cybersecurity, too. According to Rep. Jim Langevin, D-R.I., co-chairman of the Congressional Cybersecurity Caucus, the number of daily cyberattacks on congressional networks is “huge.” Congressional staff computers have sophisticated firewalls, but even the best technologies can’t protect them against bad practices of humans, such as password reuse and sharing. Recently, the House started requiring regular password changes and instituted mandatory information security training for any staffer with a House network user name and password.  

Some, such as bank and insurance regulator Benjamin Lawsky, superintendent of the New York State Department of Financial Services, propose scrapping the password system altogether. But there is a way to fix it.  

Passwords originated half a century ago, when a few research institutions had one precious computer, and the few people who had access to it needed to remember just one password. Today, hundreds of millions of us have dozens of accounts each. In an effort to make billions of passwords distinct and safer from hackers, we’re making them more and more complex and less and less memorable.

The less memorable passwords are, the less secure they are. Continually resetting passwords we can’t remember makes us more vulnerable. So does storing them on a computer or in a drawer. One place they are safe from hackers is stored in your brain, provided you can get them out when you need them.  

My field of memory research has learned much about how humans encode, store and retrieve information committed to memory. It has evolved excellent computer simulation models that predict how likely a person is to recall information, and can help select words that are optimal for later recall by specific people.  

That’s useful for data security engineers, and I’m now collaborating with one to build a new password system. It draws on decades of lab research on optimizing human memory, much of it funded by federal agencies such as the National Science Foundation. The new system will have the ubiquitous “password strength” meter, but also a “memorability” meter. It will generate memorable combinations of words that are personally relevant and meaningful for users, but appear random to anyone else, making them memorable and much harder to steal.  
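The page does not describe how the proposed system scores its word combinations, so the following is an added example, not the author's code: a diceware-style generator that picks words uniformly at random with a CSPRNG and scores the result by entropy, the quantity a conventional strength meter measures. The memorability meter is not modelled. The wordlist, the meter thresholds and the "known words" set are constructed for the demo; the practitioner's caveat it illustrates is that a word that is "personally relevant" only contributes entropy if an attacker cannot learn it from public sources.

```python
"""Passphrase generator with an entropy-based strength estimate (added example)."""
import math
import secrets

# Constructed demo wordlist: 16 entries, so each word contributes exactly 4 bits.
# A real deployment would draw from a published list such as the EFF long list.
DEMO_WORDLIST = [
    "apple", "river", "candle", "tiger", "marble", "violin", "orbit", "meadow",
    "pepper", "lantern", "glacier", "saddle", "harbor", "quartz", "velvet", "zebra",
]

EFF_LONG_LIST_SIZE = 7776  # size of the EFF long wordlist, used for the estimate below


def generate_passphrase(wordlist, n_words):
    """Pick n_words uniformly and independently using secrets (never random.choice)."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return [secrets.choice(wordlist) for _ in range(n_words)]


def entropy_bits(wordlist_size, n_words):
    """Entropy of n_words chosen uniformly from a list of wordlist_size entries."""
    return n_words * math.log2(wordlist_size)


def effective_entropy_bits(words, wordlist_size, known_words):
    """Entropy that survives when an attacker already knows some of the words.

    Each word the attacker can guess from public information (pet names, home
    towns, favourite teams) is treated as costing nothing; only words the
    attacker does not know contribute log2(wordlist_size) bits.
    """
    known = {w.lower() for w in known_words}
    unknown = [w for w in words if w.lower() not in known]
    return len(unknown) * math.log2(wordlist_size)


def strength_label(bits):
    """Coarse meter bands; the thresholds are an assumption for the demo."""
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 80:
        return "strong"
    return "very strong"


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDLIST, 6)
    bits = entropy_bits(len(DEMO_WORDLIST), 6)
    print(" ".join(phrase), f"-> {bits:.1f} bits ({strength_label(bits)})")

    # The same six words drawn from a realistic 7,776-word list.
    real_bits = entropy_bits(EFF_LONG_LIST_SIZE, 6)
    print(f"6 words from {EFF_LONG_LIST_SIZE} candidates -> {real_bits:.1f} bits "
          f"({strength_label(real_bits)})")

    # Constructed scenario: two of the six words are a pet's name and a home town
    # that appear on the user's public profile. Half the phrase is still secret.
    leaked = effective_entropy_bits(
        ["tiger", "river", "apple", "zebra", "candle", "orbit"],
        EFF_LONG_LIST_SIZE, known_words={"tiger", "river"})
    print(f"with two publicly known words -> {leaked:.1f} bits ({strength_label(leaked)})")
    print(f"offline guessing at 1e10/s: {expected_crack_seconds(leaked, 1e10):.0f} s")
```

Two design points worth noting: the generator uses `secrets.choice`, because a passphrase drawn from a predictable PRNG has far less entropy than the arithmetic suggests; and the strength estimate counts only words the attacker cannot already know, which is the trade-off any "personally meaningful" scheme has to manage.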

Besides passwords, there are other intractable cybersecurity problems that scientists who study human psychology and behavior can help solve. For example, spam/phishing filters mechanically search for suspicious individual key words, but not for typical spam narratives, so spam slips the net and lands in your inbox. Algorithms designed to resolve disputes between online buyers and sellers can’t distinguish between “liar buyers” with a bogus complaint and truthful ones with a legitimate complaint. Applying models from linguistics, memory and cognitive science, and teaching computers how to comprehend patterns of meaning rather than just pick out words or numbers, can help make these structures smarter and more secure.  

This field of teaching computers to think more like humans is called cognitive computing. It has been incubating for about a decade now, and is likely to generate big breakthroughs that we’ll all be using before long, including better passwords, and many new ways to find meaning in the torrent of digital data rapidly headed our way.  

Lab research into human cognition is directly enabling advances in cognitive computing, which can help stem the rising tide of cybercrime, and help make the benefits of the Big Data revolution available and meaningful for everyone. That makes it a smart investment for taxpayers. Whether or not Congress can pass an information-sharing bill, if it wants to do something effective about cybersecurity, it can fund this research.  

Michael Jones, PhD, is Associate Professor of Psychology, Cognitive Science, and Informatics at Indiana University. This commentary appeared in CQ Roll Call.
