Password Security Issues on an E-Commerce Site

With the exponential growth of the Internet and e-commerce, the need for secure transactions has become a necessity for both consumer and business. Even though there have been advances in security technology, one aspect remains constant: passwords still play a central role in system security. The difficulty with passwords is that all too often they are the easiest security mechanism to defeat. Kevin Mitnick, notably the most recognized computer hacker, made the following statement concerning humans and their passwords: …the human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures addresses the weakest link in the security chain. (Poulsen, 2000) Without secure passwords, e-commerce sites invite online criminals to attempt fraudulent schemes that mimic the goods and services that legitimate e-commerce merchants offer. With increasing numbers of users on an increasing array of e-commerce sites, often requiring the use of passwords, users often choose to reuse the same simplistic password, and do so on multiple sites (Campbell, Calvert, & Boswell, 2003). For most computerized systems, passwords are the first line of defense against hackers or intruders (Horowitz, 2001). There have been numerous published articles that have created guidelines on how to create better or safer passwords with the following recommendations: 1. passwords should be memorized and not written down; 2. passwords should be an eight- or nine-character word or phrase, and end users should randomly add 3. passwords should contain a mixture of letters (both upper- and lowercase), numbers, and punctuation characters; and 4. passwords should never be words that can be commonly found in a dictionary. But if an individual adheres to security experts’ suggestions about password authentication, it usually involves a trade-off. If a password is easy to create and remember, it is most likely that it is easy for others to guess or a hacker to crack. Eventually, any password can be cracked. Password crackers use a variety of methods and tools that can include guessing, dictionary lists, or brute force attacks. Dictionary lists are created by using an automated program that includes a text file of words that are common in a dictionary. The program repeatedly attempts to log on to the target system, using a different word from the text file on each attempt. A brute force attack is a variation of the dictionary attacks, but it is designed to determine passwords that may not be included in the text file. In a brute force attack, the attacker uses an automated program that generates hashes or encrypted values for all possible passwords and compares them to the values in the password file (Conklin, White, Cothren, Williams, & Davis, 2004). Unfortunately, many of the deficiencies of password authentication systems arise from the limitations of human cognitive ability (Pond, Podd, Bunnell, & Henderson, 2000). The requirements to remember long and complicated passwords are contrary to a well-known property of human memory. First, the capacity of human memory in its capacity to remember a sequence of items is temporally limited, with a short-term capacity of around seven items plus or minus two (Kanaley, 2001). Second, when humans remember a sequence of items, those items cannot be drawn from an arbitrary and unfamiliar range, but must be familiar “chunks” such as words or familiar symbols. Third, the human memory thrives on redundancy. In fact, studies have shown that individuals’ short-term memory will retain a password for approximately 30 seconds, thereby requiring individuals to attempt to memorize their passwords immediately (Atkinson & Shiffrin, 1968).