In the shadow world of password protection, Psychology’s Kim-Phuong Vu is a light in the darkness.
With CSULB since 1999, she is an expert in human factors, an area of science and engineering dealing with designing for human use, with a special interest in proactive password protection.
Her latest book, Stimulus-Response Compatibility: Data, Theory, and Application, is due out from CRC Press in 2006, and in 2005 she edited the handbook Human Factors in Web Design for LEA Publishers.
One area of her research is password usability and security. The use of passwords serves as a window on her interest in human factors. “It could be anything but it happened to be passwords,” she said. “I apply what I have learned about memory and perception in the lab to real life. I want to bridge the gap between basic research and application.”
Even though the computer and the password are new, similar memory problems have been studied for thousands of years. “The techniques we have learned to increase our memory are being applied in a whole new context,” said Vu. “Many users have half a dozen passwords to remember. That’s why the most common password is ‘password.’ The usual solution is to write it down. But how secure is that? Practicality wins. The probability of remembering six passwords is not that great. Half the people who say they never write down their passwords need to have their passwords reset because of forgetting.”
Vu is trying to determine ways to promote the generation of secure and memorable passwords. One method that she examined was writing a sentence that encapsulates the password itself, so that the context of the sentence can provide cues to recall the password. “The problem with this method is that people remember the gist of the sentence and without the specific cues, the password cannot be remembered,” she said.
The average password is easy enough to crack, but access to biographical data makes guessing that much easier, with birthdays and children’s names being favorites. “My colleagues and I use an easily obtained cracking device called LC4 to crack passwords,” she said. “It sources a dictionary to try words and combinations of words. It often cracks a password without knowing anything about the user. My research says that 60 percent of passwords can be cracked within a few hours, and some in less time than that.”
Proactive password protection requires that a password include elements such as upper- or lowercase letters, numbers and special characters. The user generates a private password from these elements. The idea is that these requirements make a password that much harder to crack, but her research has found a big trade-off between memorability and security. “The easier to remember a password is, the easier it is to crack,” she said. “The ones that are harder to crack are the ones that are hard to recall and there’s the problem.”
In addition to her bachelor’s degree from CSULB, Vu earned her master’s and Ph.D. (the latter in 2003) from Purdue University. She later served as an assistant professor at CSU Northridge.
The key to future password security is price. The cheaper the security, the more likely it is to be used. “Voice recognition is improving all the time but it is not ready yet,” she said. “The government can afford high-fidelity systems but everyday users cannot.”
There is a lot at risk with an easy-to-crack password. A password can be used to guard a bank account and if that goes, so goes the cash. “A password can guard my grades and breaking in to gain access to my files means the whole class gets A’s,” she said. “If I published corrupted data, my credibility is gone. A company loses money if someone hacks into their system. If a Web site collapses through password security, that is a loss to business. For example, if an airline has a security breach that allows users to change the very rates they charge, they may have to honor those rates. Password security has many implications for the individual and society at large. There are varying degrees of risk. This problem will get more serious as we rely more and more on the Internet.”
Vu believes the password is here to stay. “Fingerprints and retina scans are expensive. Password security is affordable and generally accepted by users, even if it is not the securest form of protection,” she said. “When you ask the typical user if they are interested in recording their fingerprints or retina, they squirm.”
Memory is affected by many things including age and gender but one key is practice. “It is less a matter of not forgetting and more a matter of training yourself to remember,” she said. “Everyone has memory problems, no matter what their age. Memory depends on many factors. For instance, culture has little effect on short-term memory when you take into account factors such as pronunciation rate.”