I read a recent article in the Atlanta Journal-Constitution that discussed password overload, or password-itis. Based on a survey of several thousand users, it documented the habits of these respondents and the number of passwords they have. Working in a security role, I could quickly relate to the issues caused by complex passwords. When we discussed the article over lunch, many solutions to the issue were presented, but none would solve the issue.
We do not only have passwords for our business applications; there are also private mail accounts, internet service providers, cell phones, answering machines, voice mail, bank PIN codes, online banking, online brokerage, insurance, payroll, taxes, blog accounts, discussion forums and more. These applications use different lengths; some require special characters, others only allow numbers, some convert everything to upper case and others use mixed case. With so many different rules, there is not a single solution. Single sign-on may solve some of your work-related password issues, but many information protection policies require stronger passwords or possibly additional factors of authentication. I have witnessed both IT and business users who document their passwords in a single spreadsheet and then password protect the document.
Talk about risk: if you could hack the spreadsheet password, you could potentially gain access to every protected application for this user. Even though you have password policies for your corporate standards, these do not apply to the random use in a spreadsheet. Of course, once the user prints the password worksheet, the password requirement is completely blown. Working in IT, I have seen these on memo boards, under keyboards and even unattended at the printer.
Our information protection policy requires even longer passwords for administrator access. The increased length is supposed to lower the chance of hacking and reduce risk; however, many of these are also maintained in spreadsheets. I believe these password policies are creating stronger security, but along with the solution, other risks are being exposed in the environment. Is there an answer?
Some vendors and companies are betting on biometrics. Are these technologies mature? They look cool in movies and on television, but do they also come with risks? If you watch Mythbusters, The Science Channel, or the clips from these movies on YouTube (http://www.youtube.com/watch?v=XC9GfkljK60), you will see that even biometrics has flaws.
I guess for today we will continue to add additional length, mixed case and special characters to reduce risk. Tomorrow is only a day away, but maybe someone will deliver security methods that increase security and lower risk. In the end, from the Egyptian pyramids to the present day, there have been people trying to protect assets. During this same time there have also been hackers who attempt to break the codes. If we have not solved this in 3000 years, I do not think it will be solved this year either.