The Password Dilemma

I heard parts of this topic on the radio the other day and didn’t really understand the guy’s point, since I only caught the tail end of the discussion, until I read this article from the Boston Globe. In a nutshell, it challenges the notion of using and changing passwords as required by most organizations and as preached by security professionals. The research described in the article also challenges many of the security best practices advocated by security experts and argues that they are actually a hindrance to, shall we say, progress.

One thing I’d like to point out, though: it does not take a genius to create a strong password, which, for all intents and purposes, does not really exist anyway. A password gives as much protection as a locked door knob on your house. It gives you a layer of protection, but not the protection. Just like a door knob, it can help keep out casual intruders, but not those who are really intent on breaking in. But, I digress.

In any case, I figured I’d give a quick comment on this matter since it somehow ties in to what I do for a living and what I preach to users practically on a daily basis.

First point of fact: it does not take a genius, knowledge of nuclear science or, for that matter, hours of deliberation to create a strong password. Typically a password of 8 characters using 3 of the 4 types of characters on your keyboard is sufficient.

Password1 is a strong password. Although I would not recommend using this exact password, it meets the requirements I stated above. It has more than 8 characters and uses an upper-case letter, lower-case letters and a number, 3 of the 4 character types required. To make this password even stronger technically, add a special character, e.g. !Password1.

Now was that hard?

Second point of fact: even if your company requires you to change your password regularly, you don’t need to build a special database to keep track of all these passwords. Going back to our Password1 example, if you need to change it, develop a simple system that is easy to remember and follow. In this case a simple change, such as Password2, will often be sufficient. So all you have to remember is that you changed your password to the next number up. Many companies only prevent users from re-using passwords within the first three changes, so if your company requires a password change once every quarter, you can rotate from Password1 to Password4 every year: Password1 for the first quarter, Password2 for the second quarter and so on.

Now was that too time consuming?
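As an added illustration (not code from the original post), the following Python checks a candidate password against the 8-character, 3-of-4 rule stated above and, for the Password1 to Password2 rotation just described, shows how a history check that only compares exact strings lets the rotation through while one that compares the passwords with their trailing number stripped catches it. The threshold constants and the stem comparison are assumptions chosen for the example.

```python
"""Password policy checks for the rules discussed in the post (added example).
Assumed policy: at least 8 characters, 3 of the 4 character classes; the
history check flags a new password that is an old one with only the trailing
digits changed (the Password1 -> Password2 pattern)."""
import re
import string

MIN_LENGTH = 8      # assumed, per the post's "8 characters" rule
MIN_CLASSES = 3     # assumed, per the post's "3 of the 4 types" rule


def character_classes(password: str) -> set:
    """Return which of upper, lower, digit and special appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")   # anything else, e.g. '!' in !Password1
    return classes


def meets_complexity(password: str) -> bool:
    """The 8-character, 3-of-4-classes rule from the post."""
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= MIN_CLASSES)


def _stem(password: str) -> str:
    """Strip a trailing run of digits so Password1 and Password2 share a stem."""
    return re.sub(r"\d+$", "", password).lower()


def is_rotation_of_history(candidate: str, history: list) -> bool:
    """True when the candidate equals an old password apart from its trailing
    number (case-insensitive): the rotation scheme the post describes."""
    return any(_stem(candidate) == _stem(old) for old in history)


def evaluate(candidate: str, history: list) -> dict:
    """Combine the checks; an exact-match history policy only sets exact_reuse."""
    return {
        "complexity_ok": meets_complexity(candidate),
        "exact_reuse": candidate in history,
        "rotation_of_old": is_rotation_of_history(candidate, history),
    }
```

With a constructed history of ["Password1", "Password4"], the candidate Password2 passes the complexity and exact-reuse checks but is flagged by the stem comparison.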

Third and final point of fact: companies and organizations that require password set-ups far above what I mentioned above, e.g. requiring passwords 14 characters long, requiring all 4 character types and not allowing reuse of passwords even after 4 or more changes (yes, I’ve run into policies like these), are who this article should be referring to. In my personal and professional opinion, these policies are, for lack of a better word, moronic and do not provide the organization with better benefits or security. They often tend to make the organization more insecure, as users will find ways to circumvent these rules, like writing the password on a post-it note and sticking it on the monitor. How many of you have passwords written behind your keyboard?

So what do I do personally?

Personally, I maintain only three password combinations and don’t change them unless I really have to. If I have to, I typically just make the slight variations I mentioned above, and no, Password1 is not one of them.

To read about the research by Cormac Herley mentioned in the article, see “The Rational Rejection of Security Advice by Users.”

On a side note, I just found it peculiar that the research was sanctioned by Microsoft, a company well recognized for its vigilance in maintaining the security of its products. ;-)
