November 4th, 2016

The History and Future of Security Fatigue



Believe it or not, the first password can be traced back to 1961, when engineers at the Massachusetts Institute of Technology created passwords for users of their Compatible Time-Sharing System (CTSS). CTSS provided the capability to securely host multiple users on a single device by requiring each to enter an individual password.

Yet by 1962, Allan Scherr, a researcher with CTSS, had hacked the system and duplicated all the passwords. Some might say this should have been an early indication that passwords would not be the be-all and end-all of security.

Soon after the 1962 incident, Robert Morris was credited with developing a one-way encryption solution that translated passwords into numerical values.

Today, several things have become clear. With the emergence of the internet, each of us has been required to build our password cache, and the clear majority of us selected passwords that were easy to remember. I found it startling to learn just how many people selected “password” as their password. Regardless of whether you chose your name, nickname, favorite sports team, birthday or 123456, it’s highly likely that your common passwords are just that: too common.

There’s a revolution at the gate that companies are trying to gain control of, and it’s evident when organizations such as LinkedIn and Facebook require users to update their profile with a new password. This is where one of the stages of security fatigue begins. The other is when you visit a website that you haven’t visited in a while and find you have somehow forgotten your password. You then enter the world of the password merry-go-round as you go from that website to your email and back to the website – this is level two security fatigue.

When researching this topic, I stumbled across a few interesting facts. In an article published as far back as 2002, the British consulting group NTA Monitor stated that its survey showed that most people had 21 online accounts that required a password. It caused me to take a moment to count the number of passwords that I must manage and maintain today. In my case the number exceeds 40, and each has different requirements, making it virtually impossible to use the same password, which I guess is a good thing, but leads to level three security fatigue.



Even when I searched Google for “security fatigue” I came across related terms such as password fatigue, password chaos and identity chaos, which is what we’ve created as we force everyone to have multiple online identities. Think about it for a second... you, the individual, can’t even claim to have the same user name and password in your online world. As a matter of fact, it’s more likely that you have dozens of online identities – leading to level four, my-head’s-about-to-burst security fatigue.

Those of us north of fifty years old can remember a day when they knew our face at the bank and the teller wouldn’t dare insult us by asking for ID. During those days, our most critical piece of identity might have been our library card or school ID. Now that’s minimal security fatigue!

Around the same time the team at MIT was introducing the first passwords, a Motown band called the Platters had a top hit song, “Only You”, and we can all agree there truly is only one you. That’s why, amongst all the confusion, chaos and fatigue, we believe that our biometrics will emerge as the best way to identify. It goes back to the Platters’ song, because your biometric is truly your only unique identifier. Therefore, why don’t we seek to optimize our individuality through biometric technology, rather than try to play Scrabble with passwords?



The National Institute of Standards and Technology (NIST) recently published a report on Security Fatigue and posted this blog: https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly

It’s a topic that’s not going to go away, and one might imagine that our reliance on the internet and websites will only continue to grow, thus exacerbating the situation.

Fortunately, a few technology leaders do get it. Apple, which helped consumerize biometrics with iTouch, recently stated that iTouch will be available on iPads, adding to the world of devices that leverage biometrics. Microsoft is strongly committed to its new biometric authentication platform, Windows Hello. There are roughly 400 million users of Windows 10 who can use their face or fingerprint to sign in to the device. Soon Windows customers will experience the luxury of expanded capabilities which will allow them to use their biometric to sign in to their favorite websites and applications. Kudos to these technology leaders; they might help us maintain our sanity and save us from security fatigue.