The Password Dilemma

I heard part of this topic on the radio the other day and didn't really understand the guy's point, since I only caught the tail end of the discussion, until I read this article from the Boston Globe. In a nutshell, it challenges the notion of using and regularly changing passwords as required by most organizations and as preached by security professionals. The research described in the article also challenges many of the best practices advocated by security experts and argues that they are actually a hindrance to, shall we say, progress.

One thing I'd like to point out, though: it does not take a genius to create a strong password, and for all intents and purposes there is no such thing as a password that is strong on its own. It gives as much protection as a locked door knob on your house: a layer of protection, not the protection. Just like a door knob, it helps keep out casual intruders, but not those who are really intent on breaking in. But I digress.

In any case, I figured I would give a quick comment on this matter, since it ties in to what I do for a living and what I preach to users practically on a daily basis.

First point of fact: it does not take a genius, a knowledge of nuclear science or, for that matter, hours of deliberation to create a password that satisfies a typical corporate policy. The usual rule is at least 8 characters using 3 of the 4 character classes on your keyboard (upper case, lower case, digits and symbols), and that is often all a system checks for.

Password1 satisfies those requirements. It has nine characters and uses an upper case letter, lower case letters and a digit, so it covers 3 of the 4 classes. I would not recommend using this exact password, though: it sits near the top of every password-cracking wordlist, and that, not the number of character classes, is the real test of strength. Adding a special character, e.g. !Password1, technically satisfies the fourth class as well, but a cracker's mangling rules try a leading or trailing symbol early on, so it adds far less than it appears to.

Now was that hard?

Second point of fact: even if your company requires you to change your password regularly, you don't need to build a special database to keep track of them. Going back to our Password1 example, if you need to change it, develop a simple system that is easy to remember and follow. A simple change such as Password2 will often be accepted, so all you have to remember is that you moved to the next number up. Many companies only prevent users from re-using any of their last three passwords, so if your company requires a change once every quarter, you can rotate from Password1 to Password4 every year: Password1 for the first quarter, Password2 for the second quarter and so on. Be clear about what this buys you, though: it satisfies the policy, not an attacker. Anyone who has obtained one password in the series will guess the next one on the first try, which is one more reason mandatory rotation adds less than the policy writers assume.

Now was that too time consuming?
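To put the first two points side by side, here is an added example (mine, not code from the post): a checker for the "8 characters, 3 of 4 classes" rule next to a few of the mangling rules a password cracker applies to each wordlist entry, which happen to have exactly the shape of Password1, !Password1 and the Password1 to Password4 rotation. Everything in it is constructed for illustration: the five-word list stands in for a real multi-million-entry wordlist, and the sample passwords and the passphrase used for contrast are made up.

```python
"""Composition rules versus guessability (added example, not the post's code).

meets_policy() implements the "8 characters, 3 of 4 character classes" rule
described in the post. candidates() implements a handful of the mangling rules
every password cracker applies to a wordlist entry (capitalise, append a
counter, wrap in a symbol). The wordlist and all sample passwords are
constructed for this example.
"""
import string

# Constructed stand-in for a cracker's wordlist. Real lists hold millions of
# entries; "password" sits near the top of every one of them.
WORDLIST = ["password", "welcome", "letmein", "summer", "monkey"]

CLASSES = (
    set(string.ascii_uppercase),
    set(string.ascii_lowercase),
    set(string.digits),
    set(string.punctuation),
)


def meets_policy(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """The corporate complexity rule: minimum length and number of classes."""
    chars = set(pw)
    classes_used = sum(1 for cls in CLASSES if chars & cls)
    return len(pw) >= min_len and classes_used >= min_classes


def candidates(word: str):
    """Yield guesses derived from one wordlist entry, cheapest rules first.

    Case variants, then a one- or two-digit counter, then the counter with a
    common symbol in front or behind. A tiny subset of a real ruleset, but it
    already covers every example in the post.
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"
            for sym in "!@#$":
                yield f"{sym}{base}{n}"
                yield f"{base}{n}{sym}"


def guess_count(pw: str):
    """Number of guesses the rule-based attack needs to hit pw, or None if the
    rules never produce it. Compares plaintext rather than hashes only to keep
    the example short; the guess order is what matters."""
    attempts = 0
    for word in WORDLIST:
        for guess in candidates(word):
            attempts += 1
            if guess == pw:
                return attempts
    return None


def quarterly_rotation(base: str, quarters: int = 4):
    """The post's rotation scheme: Password1, Password2, ... one per quarter."""
    return [f"{base}{q}" for q in range(1, quarters + 1)]


def report(pw: str) -> str:
    """One line summarising policy compliance versus guessability."""
    policy = "meets policy" if meets_policy(pw) else "FAILS policy"
    hits = guess_count(pw)
    crack = f"cracked after {hits} guesses" if hits else "not produced by these rules"
    return f"{pw!r}: {policy}, {crack}"


if __name__ == "__main__":
    samples = ["Password1", "!Password1", *quarterly_rotation("Password"),
               "purple-tractor-ocean-lamp"]  # constructed passphrase for contrast
    for pw in samples:
        print(report(pw))
```

Running it shows that every password in the Password1 to Password4 series meets the policy and falls inside the first thousand guesses, while the long passphrase fails the policy (only two character classes) and is never produced by the rules at all. That is the gap between "complex" as a policy measures it and "hard to guess" as an attacker measures it, and it is why incrementing a counter each quarter satisfies the rotation requirement without slowing anyone down.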

Third and final point of fact: companies and organizations that require far more than what I described above, e.g. 14-character passwords, all 4 character classes and no re-use of a password even after 4 or more changes (yes, I've run into policies like these), are the ones this article should be referring to. In my personal and professional opinion these policies are, for lack of a better word, moronic, and they do not give the organization better security. They tend to make the organization less secure, because users find ways to circumvent the rules, like writing the password on a post-it note and sticking it to the monitor. How many of you have a password written down and taped behind your keyboard?

So what do I do personally?

Personally, I maintain only three password combinations and don’t change them unless I really have to. If I have to, I typically just do the slight variations that I mentioned above and no, Password1 is not one of them.

To read about the research by Cormac Herley mentioned in the article: The Rational Rejection of Security Advice by Users.

On a side note, I just found it peculiar that the research was sanctioned by Microsoft, a company well recognized for its vigilance in maintaining the security of its products. ;-)
