Security Strategies
Network World's Security Strategies Newsletter, 10/04/07

Why passwords are passé
By M. E. Kabay

I have long argued that passwords are a terrible way of authenticating identity. Here's why:

* Many well-meaning but unaware people choose really stupid, easy-to-guess passwords such as the names of people important to them (or favorite sports teams, or the product whose billboard is visible from their office window, or the names of objects on their desk).
* Good passwords increase the keyspace not only by being longer but also by using upper- and lowercase letters, numbers and special characters - resulting in monstrosities such as “j3q(K8bX_*5” – and let’s not even think about allowing “O” and “0” in the character set.
* Some users generate their passwords using funny rules such as using particular letters from the words in phrases (e.g., using the third letter of each word in “Mary had a little lamb; its fleece was white as snow” produces “rdatmsesiso”) - and then they forget the rules.
* People sometimes use numerical increments to get around rules preventing password reuse (e.g., fisu3nema, fisu4nema, fisu5nema . . .), thus compromising their next password as soon as the current password is discovered.
* Users often use exactly the same password for everything (their private Web e-mail, their corporate professional e-mail, their DVD-club login, their talking-slug club - everything), with the result that any single password compromise is a potentially complete security compromise.
* Making passwords hard to guess forces many people to write them down.
* Physically recorded passwords get stored in the same places network security auditors have always found them: in desk drawers, under keyboards, under chair seats, in files labeled “C:\passwords.txt” and even in plain view on the back (or front!) of video screens.
* When people do pick hard-to-guess passwords and don’t write them down, they often call the help desk or security administrator to reset them because they forget them, causing a great deal of irritation and wasted time for everyone concerned.

A study published last year by Nucleus Research reported findings on user behavior concerning passwords. To no one’s surprise, the researchers found that “More than a third of employees write down or electronically record their passwords, creating significant vulnerabilities. Even worse, lowering the quantity of passwords, changing password complexity, or changing password change frequency had no impact on employee actions.”

The firm also found that “There was also no correlation between complexity, frequency, and quantity and how often users called the help desk with password-related issues. Seventy percent of enterprise users call the IT help desk once a year for help with a forgotten or missing password; 16% call two to three times a year; 9% call three to five times a year; and 5% call more than five times a year for password help.”

The full report is usually available by subscription only, but the company has very kindly opened it temporarily for use by readers of this column. Based on a survey with 325 respondents, efforts at improving password management by ordinary users generally fail. Specifically, the same proportion of users (one out of three) keep a written record of their password regardless of the amount of:

In my next column, I’ll look at how these findings relate to what cognitive psychologists know about our capacity to understand risk.

Nucleus Research is an IT-related research organization that takes a unique investigative approach to its research and helps end-user organizations assess the value realized from technology acquisitions. To learn more, please visit its Web site: http://www.NucleusResearch.com

My thanks to the company for opening its proprietary research report to readers. (I have no financial relationship whatever with Nucleus Research.)
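Two of the habits in the list above, the digit-increment trick (fisu3nema, fisu4nema, fisu5nema) and the length-versus-character-class keyspace argument, turned into a password-change check a server could run before accepting a new password. This is an added example, not code from the column or from Nucleus Research; the 60-bit threshold, the rule names and the sample history are assumptions.

```python
import math
import re
import string
from typing import Optional

# Added example, not from the column: turns two of the habits above into policy checks.
_DIGIT_RUN = re.compile(r"\d+")


def charset_bits(password: str) -> float:
    """Optimistic keyspace estimate: length * log2(size of the classes present).

    Assumes uniform random choice, which rule-derived strings like 'rdatmsesiso' are not.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # the 32 ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_increment_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with exactly one run of digits changed (fisu3nema -> fisu4nema)."""
    if _DIGIT_RUN.split(old) != _DIGIT_RUN.split(new):
        return False  # non-digit skeleton differs, or digits sit in different places
    changed = [a != b for a, b in zip(_DIGIT_RUN.findall(old), _DIGIT_RUN.findall(new))]
    return changed.count(True) == 1


def check_new_password(new: str, history, min_bits: float = 60.0) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes all three rules."""
    if new in history:
        return "reuse of an earlier password"
    if any(is_increment_variant(old, new) for old in history):
        return "digit increment of an earlier password"
    if charset_bits(new) < min_bits:
        return "estimated keyspace too small"
    return None


if __name__ == "__main__":
    history = ["fisu3nema", "fisu4nema"]  # constructed history from the column's samples
    for cand in ["fisu5nema", "fisu3nema", "rdatmsesiso", "j3q(K8bX_*5"]:
        print(f"{cand:12} {charset_bits(cand):5.1f} bits  {check_new_password(cand, history)}")
```

Note that `charset_bits` is an upper bound: the 11-character “rdatmsesiso” scores about 52 bits as if it were random, while the same-length “j3q(K8bX_*5” scores about 72, which is the column's point that length and character classes both widen the keyspace.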
Contact the author: M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt.