Gimme your password!

Security and Psychology

While in Russia, I read an article in a local newspaper about a band of gypsies going through nearby villages and stealing from people using mind-manipulation techniques. As described in the article, it goes like this: they stop at your house asking for a glass of water, and the next day you realize that all the cash and jewelry in the house are gone and you don’t remember what happened.

This is not specific to Eastern Europe; street thieves around the world use suggestive hypnosis to make people “voluntarily” part with their valuables. It may come as a surprise to some of you, but with the right skills it is pretty easy to manipulate people and make them do what you want them to (although there are boundaries), and it works on the vast majority of people. So, yes, it is possible to hypnotize people and program them to do things without even putting them into a trance; this area of psychology is relatively well developed, and one of its modern branches is named Ericksonian Hypnosis after the late Dr. Milton H. Erickson, a great psychologist.

It is time to make a point, isn’t it? Well, I think most of you have already guessed it – humans are the weakest link of any security system. Systems based on password protection alone are a joke to any serious and determined organization that wants to gain access. Furthermore, the more people with access there are, the more susceptible the system is, even to simple social engineering. Office workers give away passwords for a cheap pen!

What can you do to make the system you are architecting more secure? The rule of thumb would be – require as much information as possible for a person to be able to access the data. A smartcard badge with a photograph works much better than a password. Passwords that are hard to read out and pronounce work better than simple passwords. Requiring two passwords from two different people to access a critical piece of data works better than one password. Two smartcards are even better. Choosing the right people to have access to the data (if you can) is equally important. Smart people who are self-aware, think critically and react quickly are less susceptible to manipulation. If you are in the military or a similar organization you can even have a psychologist evaluate whoever is going to be handling secrets (well, you guys implant GPS devices in the operators’ skulls, so I am sure you already do that, too :)). Tell people that disclosing secrets (or any sensitive info) will hurt the organization badly and will get them fired – this will set up a moral block in their minds, a great defense against authoritative suggestive techniques.
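The “two passwords from two different people” rule above is easy to state and easy to get wrong in code: the gate must count distinct people, not distinct submissions, or one custodian who has been talked out of a password can simply enter it twice. The following is an added example (my code, not the author’s, and not from any product the post mentions) of a two-person vault check. Usernames (`alice`, `bob`, `mallory`) and the passwords are constructed sample data; the storage format (salted PBKDF2-SHA256) and the dummy record used for unknown usernames are design choices I assume, not something the post specifies.

```python
import hashlib
import hmac
import os

# Hypothetical example (not from the original post): a "two-person rule" gate.
# Each stored credential is (salt, PBKDF2-SHA256 digest); plaintext is never kept.
ITERATIONS = 100_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Derive a salted, deliberately slow hash for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(record: tuple[bytes, bytes], password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class TwoPersonVault:
    """Opens only when `required` DISTINCT principals authenticate.

    Supplying the same person's credential twice counts as one person,
    so a single custodian who was manipulated into revealing a password
    cannot open the vault alone.
    """

    def __init__(self, credentials: dict[str, tuple[bytes, bytes]], required: int = 2):
        self._creds = credentials
        self._required = required
        # Dummy record so an unknown username costs the same time as a real one
        # (avoids leaking which usernames exist through response timing).
        self._dummy = make_record(os.urandom(16).hex())

    def unlock(self, attempts: list[tuple[str, str]]) -> bool:
        approved: set[str] = set()
        for user, password in attempts:
            record = self._creds.get(user, self._dummy)
            ok = verify(record, password)
            if ok and user in self._creds:
                approved.add(user)          # a set: the same user never counts twice
        return len(approved) >= self._required


# Constructed sample data: two custodians with made-up passwords.
ALICE_PW = "correct horse battery staple"   # constructed, not a real credential
BOB_PW = "Xq7#tangent-lantern-09"           # constructed
vault = TwoPersonVault({"alice": make_record(ALICE_PW), "bob": make_record(BOB_PW)})


def demo() -> dict[str, bool]:
    """Run the four cases a reviewer would want to see."""
    return {
        "both_custodians": vault.unlock([("alice", ALICE_PW), ("bob", BOB_PW)]),
        "same_person_twice": vault.unlock([("alice", ALICE_PW), ("alice", ALICE_PW)]),
        "one_wrong_password": vault.unlock([("alice", ALICE_PW), ("bob", "guess")]),
        "unknown_user": vault.unlock([("alice", ALICE_PW), ("mallory", BOB_PW)]),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case}: {'opened' if opened else 'denied'}")
```

Only the first case opens the vault. The same idea extends to the post’s “two smartcards” variant by replacing the password check with a certificate or signature check per card, while keeping the set-of-distinct-principals logic unchanged.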

As a secret keeper, your main defense is your moral principles and your awareness. While moral principles vary from person to person, awareness is a universal instrument that helps when somebody attempts to manipulate you, whether it is to get your money or to get your secret. It is important to distinguish between two types of influence – permissive and authoritative. The first flavor orchestrates everything so that your mind comes to the “right” conclusions sort of by itself. It is widely used in TV/radio ads, by politicians, good managers, etc., and is not necessarily bad (well, maybe just a little bit for your wallet :)). While the first approach is mostly based on catching your attention and on inserting the right “anchor” words or images, the second method is more intrusive and is based on confusing you, trying to turn off the part of the brain responsible for your critical thinking, and slipping commands into your unprotected mind. A typical method of street thieves is confusing you by saying strange things, touching you, having two people say different things into your right and left ears, catching your attention with something shiny, such as a mirror or a piece of jewelry, etc. Professionals are much harder to detect, and if a stranger suddenly talks to you and says weird things, my advice would be to walk away as soon as possible.

You can find a lot of information on the subject on the Internet (unfortunately there is a lot of noise, too) – so read up. The more you know, the safer you are!

(c) Ivan Medvedev    2003-2007 | DotNetThis