Human nature: Security's nemesis?

It is a grave mistake to underestimate the ability of human nature to undermine technology - especially when it comes to security, as found out to its cost recently

Our first clues, for all the home improvement goods you can order, are:
Not hot
A warm malty bedtime drink
Day of the week
The opposite of red
(Answers on the next page)

If we can rely on one other certainty in this world other than death and taxes, it is forgotten passwords. It's an ailment that affects us all, and we all have our own ways of dealing with it. Some of us stick to a single password that we use everywhere - whether it's a pet's name, a memorable date or the make of our monitor. Some of us use one password for each service we access, and then promptly forget each and every one. Some of have thrust upon us by (rightly) paranoid system admins very safe, very convoluted passwords that we promptly write down on a post-it note and stick to our monitors. A few very peculiar souls actually make up their own very safe, very convoluted passwords (over eight characters with non-alpha characters please) that they actually remember them, but I'm not convinced that these people actually exist.

The problem with passwords is that they are so essential but so susceptible to human nature -- which, as someone once said, cannot be slandered; it is worse than words can paint it. Passwords have an uncommon ability to draw out from the most successful, sensible and intelligent individual, an idle Neanderthal with the memory of a lobotomised goldfish. They make us stupid, but we should all by now have come to expect and accept that.

We ignore this fact at our risk, as did B&Q when it designed its e-commerce Web site at Now B&Q is a huge home improvement store with over 100 warehouses. Its parent company Kingfisher conducted over £6bn in sales during 2002. It has a very impressive Web site from which you can order everything including the kitchen sink.

But, of course, you have to log in with a username and password to do so. Now B&Q customers, like the rest of us, forget their passwords -- a fact that B&Q obviously accepted and attempted to deal with by offering a password reminder.

This is where it all went wrong. There are several ways of dealing with password reminders: one is to email the password, once the correct answer to the password has been entered, back to the customer using the email address they entered when first registering. Emailing the password in this way is commonly accepted as good practice.

Some sites offer a set of fixed password reminder questions, and then display the password on screen. This is not such good practice, because the prompts are often for information that a determined and skilled social engineer could discover surprisingly easily.

B&Q went one step further.

What B&Q's developers did was to take three crucial decisions, which although individually might not cause a major problem, in combination opened up its customer accounts to all and sundry. First of all, if anybody entered an incorrect password, or clicked on the 'forgotten password' button, then the password prompt was displayed on screen. Then, once the prompt question had been successfully answered, the password was displayed on screen. But where it really went wrong was letting customers make up their own password reminders -- examples of which are at the top of this article.

Now it's not really fair to characterise B&Q customers as stupid. I'm sure I've shopped there in the past and will probably do so again in the future. Those customers were just following instructions from a company they trusted, in the pursuit of making life a little bit easier for themselves, and nobody really deserves to be vilified for that. If they chose what were, let's face it, some pretty dumb password reminders, it was probably because they wanted something that would be obvious to them. If they failed to realise that the answers to these prompts would be pretty obvious to just anybody, it was only because they did not expect that just anybody would be given access to those prompts, and certainly not that they would then be given the actual passwords, right there, on screen.

And so the email we received contained a whole list of usernames and passwords which provided access to customer accounts. Some customers stored their credit details on the site, and although these were not displayed in their entirety on the account details page, any crazed hacker DIY freak (and I'm sure there are more out there than were are given to believe) could have ordered anything they wanted.

With a company the size of B&Q it's a given that every common name will already be in use as a username, and from there it was simply a matter of answering some depressingly simple questions.

This was not purely a technical failure on the part of B&Q. Nor was it purely an intelligence failure on the part of its customers. What went wrong was that B&Q failed to take human nature into account when it designed the security processes for its Web site.

There are some pretty simple lessons to be learnt here: that you should always email passwords back to account holders, and never display them onscreen; that you should use a fixed list of password prompts and never, under any circumstances, let users make up their own password prompt questions. But most important of all, that you should watch how people use the technology you have created. Most likely they'll use it in ways much more stupid than you ever imagined.

Oh, and the answers to those questions: