For more than a decade, the virtues of strong passwords have been lost on most end users, despite frequent sermons from security experts and IT administrators over their importance in locking down accounts. Now, a consultant is proposing a system that provides rewards or penalties based on the passcode choices people make.
For instance, a user who picks "[email protected]#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "[email protected]##$x" (the quotation marks around passwords in this post are not part of the passwords), the system wouldn't require a change for three months.
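As an added illustration of the grading idea (this is not James's implementation, and the guess rate, the 365-day ceiling and the two-thirds safety margin are assumptions chosen so that a 4.5-day crack estimate yields a three-day lifetime, matching the figures above):

```python
import math

# Assumed offline guess rate (hypothetical, not from the article): 1e10 guesses/s,
# roughly one GPU against a fast unsalted hash. Lower it for slow KDFs like bcrypt.
GUESSES_PER_SECOND = 1e10
MAX_LIFETIME_DAYS = 365   # policy ceiling (assumed)
SAFETY_FRACTION = 2 / 3   # force a change at 2/3 of the estimated crack time (assumed)

# Character classes and the alphabet size each contributes when present.
CHARSETS = (
    ("lower", str.islower, 26),
    ("upper", str.isupper, 26),
    ("digit", str.isdigit, 10),
    ("symbol", lambda c: not c.isalnum(), 33),
)


def keyspace(password: str) -> int:
    """Brute-force keyspace: (sum of alphabet sizes actually used) ** length."""
    alphabet = sum(n for _, pred, n in CHARSETS if any(pred(c) for c in password))
    return alphabet ** len(password)


def days_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected offline crack time in days: on average the password is found
    half-way through an exhaustive search of the keyspace."""
    return keyspace(password) / 2 / rate / 86400


def expiry_days(password: str, rate: float = GUESSES_PER_SECOND) -> int:
    """Maximum lifetime granted under the graded policy: a fraction of the
    estimated crack time, clamped to [1, MAX_LIFETIME_DAYS]."""
    est = days_to_crack(password, rate)
    return int(min(MAX_LIFETIME_DAYS, max(1, math.floor(est * SAFETY_FRACTION))))


def grade(password: str, rate: float = GUESSES_PER_SECOND) -> dict:
    """Reward/penalty verdict the user would see at password-change time."""
    lifetime = expiry_days(password, rate)
    return {
        "length": len(password),
        "estimated_crack_days": round(days_to_crack(password, rate), 3),
        "max_lifetime_days": lifetime,
        "outcome": "penalty: change within a week" if lifetime <= 7 else "reward: long lifetime",
    }


if __name__ == "__main__":
    for pw in ("password", "aB1!aB1!", "correct horse battery staple"):  # constructed samples
        print(pw, grade(pw))
```

Charset-based keyspace overstates the strength of dictionary words and keyboard walks, so a production grader would use a wordlist-aware estimator and lower the guess rate for slow, salted hashes.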
"We spend a lot of time telling the user to 'do this because security experts advise it, or it's part of our policy' but we don't really provide an incentive or an understanding of why we tell them to do this," James wrote in a blog post laying out the idea for what he dubs "Pavlovian password management." "Well, humans are programmable, and the best way to see the human brain is to look at it like a Bayesian network. It requires training for it to adapt to change and repeated consistent data to be provided."