Law #5: Weak passwords trump strong security

The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he’s you. Maybe he wants to read sensitive information you’ve stored on your computer, like your e-mail. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn’t. Or maybe he just wants to do something malicious and blame it on you. In any case, it’s worth protecting your credentials.

Always use a password—it’s amazing how many accounts have blank passwords. And choose a complex one. Don’t use your dog’s name, your anniversary date, or the name of the local football team. And don’t use the word “password”! Pick a password that has a mix of upper- and lower-case letters, numbers, punctuation marks, and so forth. Make it as long as possible. And change it often. Once you’ve picked a strong password, handle it appropriately. Don’t write it down. If you absolutely must write it down, at the very least keep it in a safe or a locked drawer—the first thing a bad guy who’s hunting for passwords will do is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don’t tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, consider using something stronger than passwords to identify yourself to the system. Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity checking the system can perform. You may also want to consider biometric products like fingerprint and retina scanners.

I realize tonight it’s been a while since my continuing saga/comments on the “10 Laws of Security” and it’s time for law number 6.  When I realized it was about passwords, I nearly busted out laughing because of all the news reports in the last week about the horror of Dr. Jesper Johansson saying “write down your passwords” at AUScert while this law in black and white says:

“Under penalty of death, dismemberment, and major suffering... never ever ever write down your password”

After the slashdotting of “Microsoft security guru says to write down your passwords”, let’s think about what he’s trying to tell us…

Passwords totally suck as an authentication tool.

Okay, so maybe that’s my interpretation of what he said, but they do because we make them suck.  It is the first line of defense and yet look what we humans do…we pick the lamest, most stupid passwords.  We say that we can’t use more difficult ones because they are hard to remember… and that’s Dr. J’s point… because our brains only hold so much info [on some days I swear my brain quota is set too low] we are going to pick a password that we can remember.  That in turn leads us to a password that just is not appropriate for the data we are protecting.

Two-factor authentication?  What about biometrics?  Well, great in theory but, again, they suck in deployment.  What if you need to deploy another digit?

I would like to see our Remote Web Workplace have two-factor authentication in the future.  I’m totally cool with the risks of it ‘at this time’, but there’s the key…I’m comfortable with the risks … ‘at this time’.  I may not be so in the future.  There are times that having that second ‘what you have’ along with ‘what you know’ would go a long way to help protect our most sensitive business assets.
