Password Protection

Humans are the weakest link in many security chains. Passwords demonstrate this problem very clearly. Human fallibility means that passwords involve a compromise between usability and security, and the typical balance that’s found can be both unusable and insecure.

Unless you’ve taken considerable pains to educate your staff otherwise, they will generally choose poor quality passwords. Not content with choosing poor passwords in the first place, users will then undermine security further by sharing and writing them down as often as possible.

Software developers implement increasingly complex sets of password rules to try and force users to choose difficult to guess passwords. However, users will find ingenious ways of ensuring their passwords are completely guessable.

Password controls and the typical user reaction:

  • None / minimum length: use a really obvious password, their own name, name of favourite child, 123456 or xxxxxxx.
  • No dictionary words: telephone numbers, number plates, swapping letters for numbers.
  • Enforced password changes: around 90% of users we interviewed admitted that if you knew one of their passwords you could guess the scheme they were using. Think ‘Passw0rdJan’, ‘Passw0rdFeb’ etc.
  • Must include a number and upper and lower case characters: Password1 etc.

Even trained IT engineers, who should know better, choose awful passwords. Some of them somehow believe that confusing the name of the company with a few numbers and using the shift key in odd places makes for a secure password. Well, it might help if everyone else didn’t think that way too. “Pa55w0rd” may be difficult to look at but it’s still not hard to guess.

The addition of further password controls is not going to improve security either. We’ve been developing them since the 1970s and it’s still not helping. The underlying human factors need to be addressed instead because:

  • Users don’t believe it’s important to choose secure passwords.
  • Users don’t know how to choose and manage a secure password.

Why passwords matter

Getting users to choose good passwords is a two-stage process. First, you have to make them believe they should have secure passwords. Second, you need to give them the tools and techniques they require to do so.

Getting users to believe involves building a little bit of a security culture. They must be persuaded that security is important; this means believing it yourself and having users’ managers believe that security is important.

One of the common responses from users when you ask them why they picked a terrible password is: “I don’t mind who sees my data.” Well, their data may include confidential customer details or trade secrets. They need to understand that they are protecting both the company’s business and personal information, and that they have a responsibility to do so.

Techniques for choosing and managing secure passwords

Choosing and managing a good password is not a skill taught at school, although perhaps in this Internet age it should be. You should consider providing guidance to users when they join the company and the occasional refresh for users who are already in the business.

Password guidance should cover:

  • Why should I choose a secure password?
  • Should I write my password down?
  • Where should I write it down?
  • How can I choose a secure password I can remember?
  • What’s secure enough?
  • Should I ever tell anyone my password?
  • On what systems should I use my password?

Users who have to use a large number of passwords should consider using a reputable password management tool to help store them. The free tools listed below allow you to generate, store and retrieve passwords easily – essential for anyone who has to manage several as part of their job. Do ensure you choose a good strong master password though.

Password tools:

  • KeePass: Dominik Reichl’s open-source tool
  • Password Safe: Bruce Schneier’s classic
  • Gorilla: cross-platform tool that runs on Linux, Solaris, BSD, Windows and Mac OS X

One of the classic good schemes is to think of a phrase and use the first letter of each word to help form the password. You could, for example, use ‘Quite frankly, this whole password thing is a pain!’ So the password would be ‘Qftwptiap!’ The phrase remains firmly lodged in your head if you pick a silly enough one. Anyone looking over your shoulder is going to struggle to work it out.
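To show why the controls in the table above do not help on their own, and how the first-letter scheme just described behaves, here is an added example (not code from the original page): a rule check of the kind the table lists, beside a habit-aware check that strips the usual decoration (trailing digits, month suffixes, letter-for-number swaps). The word list is a constructed stand-in and ‘acmecorp’ is a hypothetical company name.

```python
import re
from typing import Optional

# Constructed stand-in for a common/breached-password list; a real check would use a far larger one.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "acmecorp"}  # 'acmecorp' is hypothetical
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def passes_complexity_rules(pw: str, min_len: int = 8) -> bool:
    """The control set from the table: minimum length plus a digit, an upper and a lower case letter."""
    return (len(pw) >= min_len and re.search(r"\d", pw) is not None
            and re.search(r"[A-Z]", pw) is not None and re.search(r"[a-z]", pw) is not None)


def guessable_reason(pw: str) -> Optional[str]:
    """Return why the password matches a typical user habit from the table, or None if it does not."""
    base = pw.lower()
    if base.isdigit() or len(set(base)) <= 2:
        return "digits only or repeated characters"
    # Peel off the usual decoration: trailing digits, a month abbreviation, then leetspeak swaps.
    stem = re.sub(r"\d+$", "", base)
    stem = re.sub(r"(" + MONTHS + r")$", "", stem)
    stem = re.sub(r"\d+$", "", stem)
    stem = stem.translate(LEET)
    if stem in COMMON_WORDS:
        return f"dictionary word '{stem}' with decoration"
    return None


def passphrase_initials(phrase: str) -> str:
    """The first-letter scheme from the text: each word's first character plus any final punctuation."""
    initials = "".join(word[0] for word in phrase.split())
    last = phrase.rstrip()[-1:]
    return initials + ("" if last.isalnum() else last)
```

Run on the table’s examples, ‘Password1’, ‘Passw0rdJan’ and ‘Pa55w0rd’ all pass the complexity rules yet are flagged as a decorated dictionary word, while ‘Qftwptiap!’ is not flagged.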

Alternatives

Passwords are good enough in an office environment where there are a limited number of people in the office – in security jargon the ‘attack population’ is small. If you left one of the office computers accessible from the street, though, you’d get a lot more people trying to guess the password. And, worse still, if you make the computer accessible from the Internet, your possible attack population swells to nearly a billion people. So avoid, if possible, using password authentication to access internal systems from the Internet.

It’s considered best practice to use some type of dual-factor authentication when accepting remote access connections from the Internet. The two factors are something you know (the password) and something you have (the device).

RSA’s SecurID product is one of the most popular and secure systems; the number on the device changes every minute, seemingly randomly. Users have to enter both the password and the number on the device at the password prompt.

When a user accidentally gives away a password, they still have it and they may not even be aware that they need to change it. If a user loses their token, though, they need to ask for a new one and you can disable the original. Only allow a user to have one token enabled at any time. Although it’s convenient to have one at home and one at work, you defeat the system by doing this. Another benefit of dual-factor authentication is that when an employee leaves you no longer have to change the password; you simply deactivate the token.
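A server-side verifier for the token scheme described above, added here as an illustration and not RSA’s proprietary SecurID algorithm: it uses standard TOTP (RFC 6238) with a 60-second step to match the “changes every minute” behaviour, and enforces the one-enabled-token-per-user rule from the previous paragraph (issuing a replacement disables the old token, and a disabled token is rejected). Secrets and serial numbers are constructed.

```python
import hmac
import hashlib
import struct
from typing import Dict, Optional

STEP = 60  # seconds per code; the page's device changes its number every minute (RFC 6238 defaults to 30)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation, zero-padded digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRegistry:
    """Exactly one enabled token per user; a lost or replaced token is disabled, never left active."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Dict[str, bytes]] = {}   # user -> {serial: shared secret}
        self._enabled: Dict[str, Optional[str]] = {}     # user -> serial of the single enabled token

    def issue(self, user: str, serial: str, secret: bytes) -> None:
        # Issuing a replacement automatically disables whatever the user had before.
        self._tokens.setdefault(user, {})[serial] = secret
        self._enabled[user] = serial

    def disable(self, user: str) -> None:
        # Used when a token is lost or the employee leaves: no password change needed.
        self._enabled[user] = None

    def verify(self, user: str, code: str, now: int, skew_steps: int = 1) -> bool:
        """Accept the code only from the user's enabled token, tolerating small clock drift."""
        serial = self._enabled.get(user)
        if serial is None:
            return False
        secret = self._tokens[user][serial]
        for k in range(-skew_steps, skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + k * STEP), code):
                return True
        return False
```

In a real deployment the password check happens alongside this, and each accepted code should also be recorded so it cannot be replayed within its window.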

In summary

Passwords are generally ineffective without the right controls and management in place, and even then they won’t stop someone trying to hack your system. Also, unless you educate users, passwords become redundant. The most effective alternative is to opt for a two-factor solution that has two levels of protection. For example, some banks offer this more secure service to businesses to handle their accounts online. Customers have to enter not just a password but also use their security device before they can gain access to their account.

THUS, in conjunction with Signify, now offers a full range of fully managed secure authentication and identity management services to help organisations, including a managed SecurID service. For more information, download the product sheet.
