My stance on passwords is well known – “Passwords are secure, people managing them aren’t.” Whenever I make this claim, some computer security pundits vehemently disagree with me. They bring up technologies like PKI, digital certificates, and all the advanced hardware technology, encryption algorithms and infrastructure. Their arguments are true, but why is all this advanced security technology needed? Answer: to protect the cryptographic keys. Read More→
The Great Password Question That Won’t Die, “Just how long should a password be?”
In one of my LinkedIn discussion groups, a member, who we will call MB, posted this simple question back on March 14, 2010: “How long should a password be?” Well as of 11/11/11 and over 1,350 comments later, the discussion keeps going and going and going. It seems to have gained a life of its own. And while I can’t say I have read every comment, I did read enough to pick out some common themes, beliefs and suggestions that I will attempt to summarize in this article.
Observation 1: There is no right answer to the length.
This is probably true, at least if one looks at the problem from a single point of how long a password should be. As computers get faster and faster, and there are cyber attacks that can share unused processing power from a whole network of unknown computers (Botnets), the time it takes to crack 8, 9, 10 character passwords gets shorter and shorter. So length alone is not the fix to password security. Read More→
McAfee recently revealed that 72 different organizations around the world have been victims of cyber-spying. With attacks likely to increase, it is important to note that strengthening your access controls ensures that you have a higher level of security for all those who are attempting to access the network.
However, PKI is not the panacea that some hope it would be, and the death of passwords is greatly exaggerated. From a security perspective PKI is without a doubt the best, but when it comes to high cost of ownership, time consuming implementations and specialized support staff here as well PKI wins.
Passwords are free and very easy to control, but the weakness is not in passwords but rather how people choose them, manage them and types them. Almost every breach that involved passwords was not because of passwords but because of the password used by the individual. It is no wonder that accounts and companies are getting hacked through passwords especially when IT keeps making password security more burdensome on the user. Employees are being forced to write them down, come up with easy ones to remember and use the same ones everywhere. If security is cumbersome, employees will always circumvent it for their own convenience. That is a fact. Read More→