
I read a recent article in the Atlanta Journal-Constitution that discussed password overload, or "password-itis".  Based on a survey of several thousand users, it documented the respondents' habits and the number of passwords they maintain.  Working in a security role, I could quickly relate to the problems caused by complex passwords.  Discussing the article over lunch, many solutions were proposed, but none would actually solve the issue.

We not only have passwords for our business applications; there are also private mail accounts, internet service providers, cell phones, answering machines, voice mail, bank PIN codes, online banking, online brokerage, insurance, payroll, taxes, blog accounts, discussion forums and more.  These applications use different lengths: some require special characters, others only allow numbers, some convert everything to upper case and others use mixed case.  With so many different rules, there is no single solution.  Single sign-on may solve some of your work-related password issues, but many information protection policies require stronger passwords or additional factors of authentication.  I have witnessed both IT and business users who document all of their passwords in a single spreadsheet and then password-protect the document.

Talk about risk: if you could break the spreadsheet password, you could potentially gain access to every protected application for this user.  Even though you have password policies for your corporate standards, they do not apply to the arbitrary password chosen for a spreadsheet.  Of course, once the user prints the password worksheet, the password requirement is completely blown.  Working in IT I have seen these on memo boards, under keyboards and even left unattended at the printer.

Our information protection policy requires even longer passwords for administrator access.  The increased length is supposed to lower the chance of a password being guessed or cracked and so reduce risk; however, many of these are also maintained in spreadsheets.  I believe these password policies are creating stronger security, but along with the solution other risks are being exposed in the environment.  Is there an answer?

Some vendors and companies are betting on biometrics.  Are these technologies mature?  They look cool in movies and on television, but do they also come with risks?  If you watch MythBusters, The Science Channel, or the clips from these movies on YouTube (http://www.youtube.com/watch?v=XC9GfkljK60) you will see that even biometrics has flaws.

I guess for today we will continue to add length, mixed case and special characters to reduce risk.  Tomorrow is only a day away, but maybe someone will deliver security methods that increase security and lower risk.  In the end, from the Egyptian pyramids to the present day there have been people trying to protect assets.  During this same time there have also been hackers attempting to break the codes.  If we have not solved this in 3000 years, I do not think it will be solved this year either.


5 Comments


  1. Ethan Jewett
    At this point, in an enterprise setting, it seems to me that the technology exists for an enterprise to implement a central account management system that manages authentication for all enterprise systems. So it is quite possible to only require a user to remember a single password for all corporate systems. The fact that pretty much nobody does this may say something about the cost-benefit of such systems, but I think it speaks more to the general approaches that lead security groups to make decisions that lower security against certain types of attacks as opposed to others.

    Let’s take writing down passwords as an example. I’m a reader of Bruce Schneier – second only to Chuck Norris as a source for security advice. 😉 One of the counter-intuitive pieces of advice he gives is that it is better to choose a hard password and write it down than to choose a password that you can remember (which for most people is a pretty simple password). The reason for this piece of advice (on my read) is that it cuts down on the possibility of account compromise due to a database of hashed passwords being stolen. A good password will be pretty impervious to rainbow table attacks or other brute-force attacks. But this approach leaves the user more open to targeted attacks aimed at getting the written password, which might be more of a concern in an enterprise environment.

    My general impression is that if corporate security groups did a better job of explaining why password requirements exist, then people would be more compliant about managing their passwords and further, would be able to make smarter decisions in contexts that the security group has not considered. But as it is, I’ve never seen an enterprise security group communicate anything about the threat model they are trying to address. Generally, security groups just tell users to do stuff and the users ignore them as much as possible because they see security requirements only as an inconvenience and not as providing any value. Definitely not a recipe for a secure enterprise.

    Cheers,
    Ethan

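Ethan's point that a well-chosen password survives theft of a hashed-password database, together with the post's comparison of policies that allow only digits, only upper case, or mixed case with special characters, can be made concrete. The following Python is an added example written for this page, not code from the post or its commenters. The policy alphabets, the password lengths, the guess rate and the sample password are constructed assumptions, and salted PBKDF2 stands in for whatever hashing a real application uses.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed alphabets matching the policy variants the post mentions (an assumption, not survey data).
POLICIES = {
    "digits only": string.digits,                                # 10 symbols
    "upper case only": string.ascii_uppercase,                   # 26 symbols
    "mixed case letters": string.ascii_letters,                  # 52 symbols
    "mixed case + digits + specials": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every password in the keyspace at a given offline guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def policy_table(length, guesses_per_second=1e10):
    """Entropy and exhaustive-search time for each policy at one password length.

    The 1e10 guesses/second figure is a constructed stand-in for a fast offline attack
    against unsalted, fast hashes; it is not a measurement.
    """
    return {
        name: (round(keyspace_bits(len(alphabet), length), 1),
               years_to_exhaust(keyspace_bits(len(alphabet), length), guesses_per_second))
        for name, alphabet in POLICIES.items()
    }


# --- Defending the stored hashes themselves ------------------------------------------
PBKDF2_ITERATIONS = 200_000  # deliberate cost per guess; tune for your own hardware


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256.

    A fresh random salt per user makes precomputed (rainbow) tables useless, and the
    iteration count makes every single guess expensive for whoever steals the table.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time so timing does not reveal how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salts_differ(password):
    """Hashing the same password twice yields different digests, so a stolen table cannot be
    matched against a precomputed one and two users sharing a password are not linkable."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    for length in (8, 12):
        print(f"length {length}:")
        for name, (bits, years) in policy_table(length).items():
            print(f"  {name:32s} {bits:6.1f} bits  ~{years:.2e} years to exhaust")
    salt, digest = hash_password("S3cure-Example!")  # constructed sample password
    print("verify correct:", verify_password("S3cure-Example!", salt, digest))
    print("verify wrong:  ", verify_password("password", salt, digest))
    print("same password, different digests:", salts_differ("S3cure-Example!"))
```

The table shows why the post's "add length, mixed case and special characters" advice works: each extra symbol multiplies the keyspace. The hashing half shows the other side of Ethan's point: even a strong password only helps against a stolen table if the table was salted and slow-hashed, and a written-down password is no weaker in that scenario, only in the physical one he mentions.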
  2. Greg Capps Post author
    We do have enterprise solutions, but not all applications, even within our control, can be set up the same.  Some vendors have agreed to work with us and have plans to allow more complex passwords and prior authentication tokens.  However, others do not have any desire to do so.

    I agree with many of your comments, but from a risk perspective, if a user writes the password down and leaves it in plain sight there is no security control.  I believe we need to spend more time educating users on why security is important and how to protect not only the company's assets but their own.

    1. Ethan Jewett
      Hi Greg,

      I assume that this was in response to me. Looking back at my comment, there seems to be a leap of logic in there that I can’t quite follow at the moment, so apologies if it didn’t make any sense. But it seems you’ve taken my meaning.

      The security area is relatively mysterious to me. Would you be able to talk a little more about the struggles you have integrating different vendor systems into a single authentication management system?

      Maybe you could also explain a little bit about what you mean when you say “security control”. It seems to me that there are still a lot of security controls around passwords that are written down, though they are mostly physical access controls (locked office, key-card for building, secured campus). I’d be really interested to hear more about how security groups like yours think through threat models and protect against them.

      Cheers,
      Ethan

  3. Tom Cenens
    Hello Greg

    For me an RSA token is one of the better options to create stronger security compared to complex passwords. What is your opinion on the use of RSA tokens?

    I have to do a hand scan + badge in the early morning to be able to enter the building.

    Kind regards

    Tom

    1. Greg Capps Post author
      I prefer using two factor authentication instead of increasing password length or complexity.  Supplying the token plus a secret pin to create a key is very useful.  However, you use passwords in many applications from many different companies.  Using tokens within your domain greatly increases the likelihood that you are who you say you are.  Once you get outside your domain or span of control, these tokens are of little value.  Several years ago there were companies working to bridge companies and applications with shared tokens.  This acceptance of prior authentication has limited acceptance across all of the applications that you use.  Maybe this is an opportunity for someone to create a real service based on this need. 
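Greg's reply describes two-factor authentication as a token code combined with a secret PIN. The following Python is an added example, not code from the post or from any token vendor: it implements the open HOTP algorithm from RFC 4226 (an event-based one-time-password scheme, used here as a stand-in for a proprietary hardware token) and a server-side check that requires both the PIN and a fresh, unused code. The account layout, the look-ahead window and the use of the RFC's published test seed are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


PIN_ITERATIONS = 100_000  # cost per PIN check; the PIN is short, so it must be hashed slowly


class TokenAccount:
    """Server-side record for one user (constructed layout): salted PIN hash, token seed and the
    next counter value the server will accept. The seed must be protected like a password table."""

    def __init__(self, pin, seed, look_ahead=3):
        self.pin_salt = os.urandom(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, PIN_ITERATIONS)
        self.seed = seed
        self.counter = 0              # next counter value expected from the token
        self.look_ahead = look_ahead  # tolerate a few token presses that never reached the server

    def verify(self, pin, code):
        """Both factors must pass; the caller learns only True/False, never which factor failed."""
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, PIN_ITERATIONS),
            self.pin_hash)
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                matched = c
                break
        if not pin_ok or matched is None:
            return False
        self.counter = matched + 1  # consume the code so a replay of it is rejected
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"  # the RFC 4226 test-vector seed, never a real deployment secret
    for c in range(3):
        print(f"counter {c}: {hotp(seed, c)}")
    acct = TokenAccount("1234", seed)  # constructed PIN
    print("pin + fresh code:   ", acct.verify("1234", hotp(seed, 0)))
    print("replay of same code:", acct.verify("1234", hotp(seed, 0)))
    print("wrong pin, good code:", acct.verify("0000", hotp(seed, 1)))
```

The design shows why Greg prefers this over a longer password: the code changes on every use and is worthless once consumed, so a shoulder-surfed or written-down value does not survive, while the PIN alone, which the user does remember, is never sufficient on its own. The look-ahead window is the usual compromise between usability (a pressed-but-unused token) and the number of codes an attacker could try per counter position.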
