Are employee devices an unlocked window to your data?

Think again if you believe that those complex, eight-characters-or-more, upper case, lower case and special character-filled passwords you require do a great job of protecting your corporate IT systems. In reality, those passwords are only as good as an employee’s willingness to use them and keep them private.

Think again if you believe that those complex, eight-characters-or-more, upper case, lower case and special character-filled passwords you require do a great job of protecting your corporate IT systems. In reality, those passwords are only as good as an employee’s willingness to use them long-term and keep them private. That’s why you try to keep system users from leaving their passwords written out on sticky notes attached to their keyboards, right? But, there’s an electronic version of the tattletale sticky note that’s just waiting to open your enterprise to prying eyes.

It’s the auto-save or “remember-this-password” function users can click on via their laptops, tablets and cell phones. According to research conducted by Professor of Information Systems Paul Steinbart, even though that auto-save function is risky it’s likely to get frequent use once your users start signing in with mobile devices. “The rules about creating good passwords that you may teach people in the security training once a year are probably based on having a keyboard in front of you,” Steinbart says. “If you’re going to start letting people log in from mobile devices or other new technologies, you may need to come up with different ways of verifying a user’s credentials.”

On the go, in a hurry

Steinbart knows user activity is different with mobile devices because he and co-investigators Mark Keith, a former W. P. Carey doctoral student, and Jeffry Babb tracked how people logged into an online game over a three-month period. His research revealed that two factors affected whether gamers changed their credentials to easier passwords or stored the password for one-click retrieval through a “remember me” tool. Among those players who had a login failure or were using a mobile interface, Steinbart’s study results showed that 38 percent would store their credentials. Add in the mobile players who made the password simpler to type, and more than half of mobile gamers used unsafe behavior. Why? Several factors contribute. One is simple human nature. “From psychology research, we know that if something is hard to do, people are going to find a way around it,” Steinbart says.

Another reason is the difficulty of translating passwords from a full-fledged keyboard, such as what you use with a laptop or desktop computer, to the virtual keyboards that come with mobile devices. In fact, that was one of the reasons Steinbart conducted this investigation. “We wondered how easy it is to enter long passwords and passphrases when you’re using a virtual keyboard, where you have to hit extra keys to get a menu that gives you a special character like a dollar sign,” Steinbart says. Even if people want to behave securely and use strong passwords, it’s going to be harder to key in those credentials on a mobile device, he adds. The harder it is to remember or use a password, the more likely users will find a way around it. “People are going to obey the letter but not the spirit of the password policy,” Steinbart says. “They figure, ‘I’ll use this really hard credential that I’ve been using on my desktop when I’m logging in from my phone, but no way am I going to sit there and type all that into my phone interface, it’s going to be saved and stored and all I have to do is hit one button to enter it.’”

That approach is especially troublesome to corporate IT managers in the bring-your-own-device (BYOD) world. “If you’re working in human resources and logging into the payroll system with a cell phone, the company doesn’t want your credentials stored on your phone,” Steinbart explains. “The company will want you to enter your credentials so that if you loan your phone out, if it gets lost or stolen, someone can’t just log in to the corporate computer system with one click.” This is all the more important given the incidence of lost and stolen phones. In 2013, some 3.1 million smartphones were stolen and another million and a half went missing, according to research from Consumer Reports. Thefts were down to 2.1 million in 2014, perhaps because of anti-theft technology such as kill switches that deactivate the devices and erase the data in them.

Coining a phrase

Anyone who’s ever stood at the grocery store checkout counter and mindlessly typed in a debit card PIN knows that eventually, password entry becomes an automatic thing. Initially, perhaps, you had to consciously remember the PIN. That’s a function of declarative memory, the type of memory people use when trying to learn and retain facts, names or events. But, after repeatedly using your declarative memory to type in that PIN, it eventually becomes a function of procedural memory, which is the nonconscious motor skills that come into play when you’re doing something physical, such as riding a bicycle or entering a password via a physical keyboard or touch screen.

In his earlier research, Steinbart had explored whether procedural memory might impact a person’s willingness to use long passwords — which are harder to hack and raise security levels — and continue using them. By passphrase, he means something like “IwentsnorkelingintheNationalParkatKeyBiscayne.” Other researchers had already confirmed that such passphrases are easier for people to remember. Using the first letter of each word in the above passphrase might result in a password such as, “IwsitNPaKB.” Passwords based on passphrases also are easier to recall and result in fewer memory-based login failures. Consequently, Steinbart tested whether people would stick with long, relatively safe passphrases. He assigned credentials to study participants, giving some very odd, complex passwords and some long passphrases. As it turns out, those with the longer credentials had the most login failures early on.  “Even though people eventually got good at typing in the long passphrase, after three months of using it, those that had login failures early on were unhappy with the long credentials,” Steinbart says.

He adds that people with shorter though more complex passwords were more willing to use their credentials again, despite the fact that both long and short credentials were equally easy to use after a few weeks. “The initial negative reaction just sticks in your mind.” Steinbart also ran an experiment that tested whether procedural memory made a difference in password usability and durability. It did. This study stemmed from the belief that all the odd characters that people used in long passwords are unnatural. That is, they’re things people don’t frequently type, so they result in login errors and the type of password dissatisfaction that pushes folks into riskier behavior, i.e. electronically saving or simplifying credentials. “Most people are really good typists, so we just told them to make word-processing-compatible passphrases.

In other words, put the phrases in the way you normally type them in a sentence,” he explains. “We found people made hardly any typos ever. People were happy with the passphrases, so that proved our point that usability is important.” It increases password satisfaction and ups the chance that people will continue safer behaviors and not begin storing or shortening credentials.

Strengthening your defenses

Along with being aware of the impact of user interfaces on security compliance, corporate IT managers might want to consider adding ways to beef up security among BYOD employees. One would be to require some form of locking mechanism, such as a screen lock password or PIN. According to that same Consumer Reports study that found 3 million smartphones were stolen in 2013, only 36 percent of phone owners bother to employ any form of locking mechanism on their devices. Another approach might be requiring multiple forms of authentication to access company systems remotely.

As Steinbart points, three types of credentials are commonly used: something you know, such as a PIN or password; something you have, such as a smartphone that receives a text message as a secondary authentication method and something you are, i.e. biometric identifiers like fingerprints or voice recognition. Using two or three of these methods ups credential strength. And, most importantly, Steinbart advises corporate IT leaders, “Don’t ignore the human effort component when you are thinking about incorporating new technologies into your system security. You can’t just transfer what you’ve been using in one kind of interface to a new one and assume everything will be OK.” Technology may change, but human nature doesn’t, and if the technology makes security compliance more difficult, folks will eventually look for ways to get around it. “It is not enough to get IT users to adopt secure behavior. They must also continue to behave securely,” Steinbart says.