The Pesky Human Factor in Password Resets and IT Security

Forgot your password? Call in-house IT support. They’ll ask you a couple of questions to verify your identity (maybe your date of birth, your favourite colour). Then they’ll reset your password and tell you what it is so that you can go and do that work that’s been piling up. Or so that you can break into that user’s account and from there into more databases and servers – because you weren’t a panicked user at all, but a hacker successfully masquerading as one. What’s the answer to this IT security risk? Harder questions? Passwords that are easier to remember? Or simply taking something out of the equation that shouldn’t have been in there in the first place?

Bad human habits abound when it comes to passwords. It’s hard enough to get users to stop writing them on sticky notes that they then post on their computer screen. Too many of them use the same password for different applications (like the company payroll application and their Facebook page). But the problem with strict password rules is the same as the one for taxes: beyond a certain level, people start to think more about how to dodge them than about how to comply with them.

Password reset applications help to solve some of these problems. They eliminate the human-to-human interaction in favour of an impartial machine response. They still need sufficiently strong authentication mechanisms: your favourite colour or your dog’s name won’t do. Two-factor authentication, sending a code to the user’s smartphone to be entered online, is one possibility. Password reset applications won’t give in to whinging or wheedling, so in that sense they are (somewhat) hacker-proof. But perhaps the end of passwords is nearer than we know. Biometric authentication that ranges from gait analysis and voice recognition to retinal scans and fingerprints is difficult to fake and impossible to forget. Even if it is based on all things human.
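As an added illustration (not code from the original post), here is the core of the machine-side check such a reset application would make on the code sent to a user’s phone: the code is random, only its hash is kept, it expires after a short window, a few wrong guesses invalidate it, and it works exactly once. The five-minute lifetime, three-attempt limit and in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_TTL_SECONDS = 300   # assumed policy: a reset code lives for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses burn the code

# Constructed in-memory store keyed by username; a real service would
# persist this server-side, never in the client.
_pending: Dict[str, dict] = {}


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_reset_code(username: str, now: Optional[float] = None) -> str:
    """Create a random six-digit code for the user. Only its hash is stored;
    the plaintext is returned so the caller can deliver it out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[username] = {"hash": _hash_code(code), "issued": now, "attempts": 0}
    return code


def verify_reset_code(username: str, submitted: str,
                      now: Optional[float] = None) -> bool:
    """Return True at most once, for a correct, unexpired, unexhausted code.
    Success, expiry or too many attempts all drop the record, so the same
    code can never be replayed and a guesser gets a bounded number of tries."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None:
        return False
    if now - rec["issued"] > CODE_TTL_SECONDS:
        del _pending[username]
        return False
    rec["attempts"] += 1
    # Constant-time comparison of hashes avoids leaking how many digits matched.
    ok = hmac.compare_digest(rec["hash"], _hash_code(submitted))
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]
    return ok
```

Whichever channel delivers the code, the helpdesk never sees it, which is the point: there is no person left to talk into skipping a step.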