Too many passwords
By J David Derosier
Owners of Information assets (computers, networks, phones) are concerned about providing security on the information these assets contain. The most widely used tools for providing Information Security are called Access Controls. These include the 4A’s: Authorization, Authentication, Access approval, and Audit.
When you are placed on some approved list and authorized to enter the asset, that’s called Authorization. When you enter your User Name the system looks to see if you actually are on the Authorization List. If so, then you have to enter a password to prove that it’s really you. Your password is already stored on the Authorization List so the system can check it against what you entered. If they match, Voila! You passed the Authentication test and are allowed in.
As you come in, the system gives you a virtual badge to wear that identifies what and where you may access now that you’re here. This is the Access Approval part of the process. And finally, the system records everything you do and stores it in an Audit Trail – the final part of the process.
Let’s focus on Authentication testing today, specifically passwords.
User Names and Passwords have been around almost forever. Think of guards organizing a lookout. When someone approaches the guard says, “Who goes there?” If the name given is ok, the guard says, “What’s the password?”
When the only computer you faced was at work, or perhaps one at home, keeping track of passwords was easy – one computer, one password; two computers then two passwords. Today, with the internet and smart phones, and websites and apps and credit cards, and untold other devices that require a password, the management of these access controls starts to get out of hand. There are just too many passwords!
Contrary to good security practice, it has become impossible not to write passwords down. It has also become close to impossible not to re-use passwords on different accounts.
And…too often users fail to recognize the difference in threats between accounts. For example, if you subscribe online to the Wall Street Journal, what is the threat to you if someone else logs into your account? Is it the same as if someone else logs into your bank account? I don’t think so. The threats to you are very different.
How you establish and use/reuse your password should reflect the threat posed by someone else getting your password and with it, access to your account.
Now think individuals vs. a machine; someone after YOUR data vs. a mass-attack against everyone’s data on the system.
The first one already knows things about you, like your address, or your birthday, or the names of your kids and spouse. They are trying to guess your password to gain access. In this case you want a complex password that makes it hard for a human to guess. Use words that are not in the dictionary, add symbols and numbers, some upper case letters. This type of password is good for the online newspaper account.
On the other hand, the mass-attack doesn’t really care about YOU; it’s going after whatever information is on that asset and has lots of horsepower to do it.
For your bank account you need a lot more protection. Not only is it a bigger loss to you, if it’s a mass-attack there’s a computer working at the speed of light (literally) to create the right combination of characters to match your encrypted password. In this case it’s not so much complexity and secrecy that matters as the length of your password. At least 16 characters long – like “MymotheristhebesT”.
So what should you remember about passwords? For a lower threat use a complex password. For the higher threat add length to the password. And if you really want the best protection, use both.
J David Derosier is a retired technology professional and worked for several years in a business that developed technology to prevent the use of cellular devices in restricted areas, without jamming. Prior to that he worked with Fortune-500 companies in Information Security (InfoSec) with a global focus on National Security. Today he consults with small business on planning and marketing issues, and provides web design and hosting services. He can be reached at JDAVID@Strategy-Planning.info.