- Microsoft Windows chief decries standards grandstanding
- The 5 best, and 5 worst, features of Google Chrome OS
- Federal government using PS3 to crack pedophile passwords
- 10G Ethernet cheat sheet
- Top 10 free Windows tools for IT pros, at a glance
Most companies have some form of policy on passwords. The rules go back more than a decade and are repeated as "best practices" with little or no variation to account for different circumstances, different cultures or emerging technologies:
* Don't write it down
* Make it long, complex and not a word
* Don't save it in browsers
The vast majority of security systems are still dependent on this weakest of solutions -- the username/password pair. In a world with road warriors, ubiquitous network access, keyloggers and trojans, does this approach even make sense? Can we still depend on username/password and if so do the rules above still apply? I would answer "no" to both questions.
Let's face it: password based security was obsolete the moment the first keylogger was built. Between hardware keyloggers, software keyloggers, trojans and shoulder surfing, the whole idea of keeping a "secret word" is ridiculous. Companies would be well advised to scrap username/password security in favor of multi-factor authentication as prices drop and the technologies become easier to use. In the meantime, we have to re-visit the "rules" and figure out if they make sense.
Don't write it down. At our company, writing passwords down is not prohibited. All the employees at Nemertes Research work from a home office. They are allowed to keep passwords written down in a locked drawer as long as those passwords never leave their premises. By writing passwords down our users can have bigger/longer passwords without forgetting them and are less likely to pick their dog's name as the password. By putting them in a locked drawer, we're using "felony breaking and entering" as the deterrent and physical security as the control.
Make it long and complex. If your machine has a keylogger on it, what is more likely to draw attention? Accessing a bank Web site followed by "m7ruxM0Ipw7B" or one followed by "Joe, I'm running late for the meeting, start without me! Andreas". Keyloggers are the biggest risk for endpoint security. A random password is not only noticeable by someone browsing through a key log, it can even be detected automatically (using statistics or a dictionary to filter out all natural language). Maybe it's time to use innocuous phrases?
Rss FeedRss Feed
The Leader in Network Knowledge
Comments (2)
Um, I think you screwed up the articleBy Anonymous on October 5, 2009, 5:33 pmYour third point about passwords is: "Don't save it in browsers." Yet in the paragraph below you say the following: "the worst thing you can do is to keep typing...
Reply | Read entire comment
Um, I think you need to re-read that 3rd pointBy Anonymous on October 19, 2009, 10:21 pmHe mentions that if you keep the password in a secure vault then you do not have to keep typing them and one way is to use the browsers password locker. The rule...
Reply | Read entire comment
View all comments