My broker is giving out cyber advice

I have a stock trading account (actually, I have 4 – two that I used to use but no longer do and can’t seem to close, and one I signed up for and never used and can’t seem to close).  I get a daily email every day with a morning briefing that I sometimes read when scanning over the market headlines.  In the most recent one, it came with the following insert: Fight Cybercrime – October is National Cybersecurity Month, and it’s time to review a few small steps that can have a big impact on your security online.

The article is not written by my online broker but instead is written by someone in the security industry.  There are some good pieces of advice, I have reproduced some here and edited them down for brevity:

Regularly review your financial history. Make sure to review your financial statements and transactions as soon as they arrive, so if there are any anomalies or unauthorized transactions you can clear them up right away. Notify your broker immediately if any suspicious transactions appear on your account.

Make sure your wireless network is secure.  Here's how to secure your home network:

  1. Enable the highest level of encryption available on your router.

  2. Change your router's default password. Router manufacturers set a default administrator password before they ship the router, but cybercrooks often know these default passwords. That's why it is important that you change the password to prevent unauthorized access to your network.

  3. Change the identifier, or name of your wireless network, and turn off broadcasting.

  4. Limit the wireless devices that can connect with your network

These all make sense, but there is one piece of advice I have an issue with:

Create strong passwords. Tough passwords are your first line of defense. Avoid predictable-and guessable-passwords such as your pet's name, date of birth or nickname. Make sure that your passwords are at least 8 characters long and use a combination of letters, numbers and characters. For example, our brokerage passwords are 8-32 characters long and case sensitive, making them extremely difficult to crack.

Once you've selected a strong password, protect it. Don't write it down, e-mail it, or share it with anyone. Also, make sure to change your passwords periodically.

As I have said before on this blog, I am not a big fan of the password advice given by the security industry, and this one falls into that.  Even though I don’t have a good answer or solution myself (although I do like multiple authentication such as one-time passwords or an additional set of security questions), I have no trouble pointing out flaws with current advice (I guess I could be an economist or a political pundit). 

The advice is to make sure that your password is strong and secure, so something you might not normally pick.  The subtle undertone is that randomly generated passwords are best, stuff that has no logical sequence and by extension is difficult to remember.  Then, you are not supposed to write it down in any format.  And then you have to change them periodically!

The reason that I have a problem with this “solution” is that it ignores the human element – humans use passwords for security but we need to be able to actually remember them.  And if you’re like me, you have lots of passwords:

  • Logging in to your computer
  • Logging in to your bank account (and if you’re like me you have several)
  • Logging in to your brokerage account (and if you’re like me, you have more than one)
  • Logging in to a discussion forum or two
  • Logging in to Facebook, Twitter, LinkedIn and how many other social networking sites
  • Logging in to your account on Amazon
  • Logging in to your account on eBay
  • Logging in to your account on Pandora
  • Logging in to your account on numerous blogging platforms
  • Logging in to your credit card account (Visa, Mastercard, American Express)
  • Logging in to your Mint account
  • And the list goes on and on… you could even have 20-30 logons and that wouldn’t be unusual

It is virtually impossible to memorize random passwords for 20-30 sites.  I have done some work around memory (how memory works in human beings, not computer memory).  One of the techniques that you use to improve your memory and get better recall is to do something called association.  I’ve heard that the reason that phone numbers are 7-10 digits long (10 digits if you have an area code) is because humans can only remember that many sequential, non-correlated entries.  In other words, phone numbers are essentially random and so we limit the length of them otherwise we would forget them.  Indeed, the reason we have address books on our phones is so we don’t have to remember the phone numbers.

Anyhow, getting back to association, one technique that I am familiar with is association.  That is where you associate numbers with objects and then create pictures with those objects, and the more outrageous or funny, the easier it is to remember.  So, suppose I want to memorize a list of ten items at random.  This is actually quite difficult to do.  I associate a word with each number from one to ten that is phonetically similar to the number, in this case I will rhyme it:

  1. One – Bun (ie, a sticky bun)
  2. Two – Shoe
  3. Three – Tree
  4. Four – Door
  5. Five – Hive (ie, a bee hive)
  6. Six – Trix (ie, the cereal)
  7. Seven – Heaven
  8. Eight – Gate
  9. Nine – Dime
  10. Ten – Hen

This isn’t all that difficult because I know how to count to ten, and each word rhymes with the number.  Now, suppose my list of objects to memorize is the following: keys, phone, computer mouse, post-it notes, shoe lace, clock, scissors, tape, box of kleenex, water bottle.  That is ten objects and I must recall them in that order.  Can you do it?  You only get 30 seconds to memorize the list.

What I do is associate the objects with the word associations:

  1. I imagine picking up my keys but am grossed out because they are all gooey after being caught in a sticky bun
  2. I visualize my cell phone being in my shoe, picking up my shoe and talking into it (this is a very silly image but works because of that)
  3. My computer mouse is stuck in a tree with the cord wrapped around a branch.  How did it get there?
  4. I have my door covered in a hundred post-it notes with randomly things scrawled on it.
  5. In order to block the bees in the hive, I have stuffed the opening with shoe lace and am under the mistaken impression that the bees are stuck there, but as I am walking away they are coming to sting me.
  6. I picture a cartoon clock eating Trix cereal while the silly rabbit looks one.
  7. The gates of heaven are sealed off with a ribbon, but I use a large pair of scissors to open the gate.
  8. I have a gate outside my home and the door is broken, but I have managed to repair it using a whole lot of duct tape.
  9. TI imagine myself seeing that a box of Kleenex costs 10 cents at supermarket and then cheering excessively.
  10. I picture a hen, or a stuffed chicken like a mascot, on a hot day cheering for a sports team and using a water bottle to cool off.

All of that list just now I came up with off the top of my head.  But notice that I use familiar, every day objects that are easy for me to remember with mental pictures.  The odd combinations make it easy for me to remember and I use heuristic cues to build the list (sound).  I need an easy way to remember.  Incidentally, I tried to recall the list just now and I could do it.  The ridiculous images made it possible for me to recall them with only 30 seconds work of memorizing.  I am not making that up.

Contrast to the advice the security industry is giving.  Use lots of different passwords, and make them difficult to remember.  Don’t use familiar things that are easy to remember but instead… wait, how are we supposed to remember these things unless we write them down?  The gap lies in the fact that biological entities use mental shortcuts to save cognitive processing time, and remembering familiar things is something we do to save that time.  But we are specifically told not to remember familiar things.  Heck, even in two factor authentication, you need to answer security questions and these are about things familiar to you from your past.  In other words, the very tools we need in order to memorize randomly associated things are not permitted/recommended in the use of passwords.  This is a recipe for inconvenience and user dissatisfaction.

Having to remember a lot of different passwords for many different sites just means that we will forget them all the time and forever be resetting them.  That’s inconvenient, but at least it is secure.

On the other hand, cognitive mental heuristics for memorization is an area ripe for exploration.  Maybe we could use some of those techniques and apply them to passwords and then formalize them.  That’d be an interesting study.

Comments (2)

  1. tzink says:

    24 hours later and I can still remember the list of 10 objects except at number 9.  This is because I forgot that my word for "nine" is "dime" because they don't rhyme.  So instead, I will switch it from "dime" to "dine" and imagine myself dining on a box of Kleenex.  Ridiculous, yes, but the image sticks in my mind and allows for recall.

  2. Tony Toews says:

    I used to do something similar but now I use the open source KeePass utility which stores the userids and passwords in an encrypted file.  It generates random passwords for me.   And with a Ctrl+Alt+A it will autofill the user name and password at most websites.   I use a long pass phrase to access that utility.  

    The key passwords, such as my Windows login and the above pass phrase, are in turn stored in a comment field in KeePass.  Along with details on how my backup system works.  In turn I have printed this document, placed in an envelope and given to trusted relatives who live in different cities.

    (I once had a phone call from a friend who stated thier father had just passed away and all his financial details were behind a password protected Quicken file.  )

    The downside is that I haven't a clue what my banking or Facebook password is.   So I'm tied to my laptop.   Which is fine for me as it is always with me, or nearby when travelling.   This may not be so fine for many others.

    Lastly I do a backup, using a password protected zip file, to an SD card which resides in the leather folder of my Palm which is always in my shirt pocket.  Then I do a backup of that zipped file to a DVD.  If travelling I will leave that DVD with family or friends and tell them to throw it out in a week or three if they haven't heard from me.   I've also even been known to put the backup in a cardboard mailer and mail it to myself.

    Tony Toews, MS Access MVP and paranoid computer programmer for over 30 years.

Skip to main content