“My voice is my passport, verify me.” Quick, name the movie that’s from…. That phrase was used as a voice identification password in a movie a few years back, and it’s stuck with me. Passwords are interesting things in and of themselves. We rely on them so much for our digital lives that the very complex and nebulous world of information security often gets boiled down to the simplistic rule that good security equals good passwords. But is that all there is? Is your online banking account secure if you use W+UwRe!AYach3su* as your password? Sure it is, as long as you, and only you, know it; the moment your spouse, your child, or anyone else has it, the strength of the string no longer matters. This is one of the areas where there is a lot of confusion, most of it generated by ill-given advice on account management, and the result is a less secure environment in which users think they are doing exactly the opposite. Like spotting counterfeits, it’s easier to see the pitfalls if you look at correct examples first, so here are a few rules of thumb to get you started.
One entity equals one account. The more people or systems that share a single credential, the less secure that system will be. For a long time we’ve heard the advice “rename or disable the Administrator account,” and I’ve seen plenty of organizations that do just that. Administrator becomes Myadmin or something like that, and then Bob, Steve, and Jim in the IT department share that account and password because they are the administrators. So how do you know who did what? You can’t: every log entry simply says Myadmin. Putting their named accounts into an Administrators group gives them the access they require to perform their functions, and it also provides the accountability to demonstrate who has done what.
Passwords don’t have to be gibberish to be strong. You’d need an amazing memory, or a very creative mnemonic, to remember the password example given earlier. Most people don’t have either, so they tend to pick passwords they can remember: birthdays, their children’s names, addresses, or anything else that is easy to remember and easy to type. If the policy forces something more complex than that, they often write it down… on a sticky note… stuck to their monitor. Goodbye, password security. Here’s an easy solution: train your users to forget about passwords and to use passphrases that still satisfy the complexity requirements. A phrase produces a longer string, it naturally contains spaces, punctuation, and other non-alphanumeric characters, and it’s far easier to remember.
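To make the passphrase advice concrete, here is an added example (my own, not code from the original post) of a policy check that rewards length rather than gibberish, alongside two rough entropy estimates that show why a phrase can satisfy a complexity policy and still be a poor choice if it is a famous quote. The thresholds, the class sizes, and the tiny “known phrase” list are assumptions for this example; a real deployment would check against a large breached-password or common-phrase list.

```python
import math
import re

# Policy assumed for this example (not from the original post): at least 15
# characters and at least three of the four character classes. Length is the
# property the policy is meant to reward; the classes come for free in a phrase.
MIN_LENGTH = 15
MIN_CLASSES = 3
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # printable ASCII

# Constructed stand-in for a breached-phrase / famous-quote list. Real checks use
# far larger lists; this one only exists to show that the policy alone is not enough.
KNOWN_PHRASES = {
    "my voice is my passport verify me",
    "correct horse battery staple",
}


def char_classes(secret: str) -> set:
    """Return the set of character classes present in the secret."""
    classes = set()
    for ch in secret:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # spaces and punctuation count here
    return classes


def meets_policy(secret: str) -> bool:
    """Length plus class diversity; a sentence with one capital and a comma passes."""
    return len(secret) >= MIN_LENGTH and len(char_classes(secret)) >= MIN_CLASSES


def normalize(secret: str) -> str:
    """Strip case, digits and punctuation so 'My voice, is...' matches the list."""
    return " ".join(re.findall(r"[a-z]+", secret.lower()))


def acceptable(secret: str) -> bool:
    """Policy check plus a known-phrase check: both are needed."""
    return meets_policy(secret) and normalize(secret) not in KNOWN_PHRASES


def charset_bits(secret: str) -> float:
    """Upper-bound guess entropy: every character drawn uniformly from the union
    of the classes actually used. This is what naive strength meters report and
    it flatters dictionary phrases badly."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(secret))
    return len(secret) * math.log2(alphabet)


def wordlist_bits(secret: str, list_size: int = 7776) -> float:
    """Lower-bound guess entropy for a phrase: the attacker guesses it word by
    word from a list of list_size words (7776 is the Diceware list size),
    ignoring capitalisation and punctuation entirely."""
    words = re.findall(r"[A-Za-z]+", secret)
    return len(words) * math.log2(list_size)
```

Run `acceptable("My voice is my passport, verify me!")` and it is rejected even though it passes the length and class checks, because its normalized form is on the known-phrase list; a phrase of your own that nobody has quoted in a film passes both checks. Compare `charset_bits` and `wordlist_bits` on the same phrase to see how far apart the naive and the word-by-word estimates are.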
More technical does not mean stronger. RSA tokens, biometrics, and other additional factors are only as strong as the controls around them. If you have implemented, or plan to implement, two- or three-factor mechanisms, don’t be lulled into a false sense of security by marketing hype. I love the RSA tokens. They are very effective and aren’t that hard to deploy, but the learning curve can be steep for end users. And while biometrics are meant to prove that the user is who they say they are, some consumer-grade biometrics can be defeated with something as simple as rubber cement. Both tokens and biometrics can also be subject to man-in-the-middle or replay attacks: the factor says something about the user, but not that the message carrying it came from that user just now, so the system checking it must refuse a code or a sample it has already accepted.
The bottom line: passwords are your first line of account security. Make them strong and make them long. Monitor failed logins so you can spot patterns, such as repeated attempts against one account or a single attempt against many accounts. Finally, don’t rely on technical controls alone.
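“Monitor failed logins to identify patterns” is easy to say and rarely shown, so here is an added example (mine, not from the original post) that runs over a handful of constructed sshd-style log lines and separates the two patterns a practitioner looks for first: many failures against one account from one source (brute force) and one or two failures against many accounts from one source (password spraying, which keeps per-account counts low to stay under lockout thresholds). The log lines, host name, user names, thresholds and ten-minute window are all assumptions made up for the example; the source addresses are from the documentation-only IP ranges.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in sshd's syslog format (invented events, documentation IPs).
SAMPLE_LOG = """\
Mar 14 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4410 ssh2
Mar 14 10:00:03 bastion sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Mar 14 10:00:05 bastion sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Mar 14 10:00:07 bastion sshd[2004]: Failed password for invalid user admin from 203.0.113.5 port 4413 ssh2
Mar 14 10:00:09 bastion sshd[2005]: Failed password for invalid user admin from 203.0.113.5 port 4414 ssh2
Mar 14 10:01:00 bastion sshd[2010]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Mar 14 10:01:20 bastion sshd[2011]: Failed password for steve from 198.51.100.7 port 5002 ssh2
Mar 14 10:01:40 bastion sshd[2012]: Failed password for jim from 198.51.100.7 port 5003 ssh2
Mar 14 10:02:00 bastion sshd[2013]: Failed password for alice from 198.51.100.7 port 5004 ssh2
Mar 14 10:02:20 bastion sshd[2014]: Failed password for carol from 198.51.100.7 port 5005 ssh2
Mar 14 10:03:00 bastion sshd[2020]: Failed password for jim from 192.0.2.9 port 6001 ssh2
Mar 14 10:03:05 bastion sshd[2021]: Accepted password for jim from 192.0.2.9 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Thresholds assumed for the example; tune them to your own baseline.
BUCKET_MINUTES = 10      # tumbling window per source address
BRUTE_THRESHOLD = 5      # failures against one account from one source
SPRAY_THRESHOLD = 5      # distinct accounts tried from one source
SPRAY_MAX_PER_USER = 2   # sprays keep per-account attempts low to dodge lockout


def parse_failures(lines, year=2024):
    """Extract (timestamp, user, source_ip) for each failed-password event.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def bucket_start(ts):
    """Floor a timestamp to the start of its BUCKET_MINUTES window."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def find_patterns(events):
    """Classify failures per (source, window) into brute-force and spray findings."""
    per_source = defaultdict(Counter)
    for ts, user, ip in events:
        per_source[(ip, bucket_start(ts))][user] += 1

    findings = []
    for (ip, start), users in per_source.items():
        for user, n in users.items():
            if n >= BRUTE_THRESHOLD:
                findings.append({"kind": "brute_force", "source": ip, "target": user,
                                 "count": n, "window_start": start})
        if len(users) >= SPRAY_THRESHOLD and max(users.values()) <= SPRAY_MAX_PER_USER:
            findings.append({"kind": "password_spray", "source": ip, "target": None,
                             "count": len(users), "window_start": start})
    return findings


if __name__ == "__main__":
    for f in find_patterns(parse_failures(SAMPLE_LOG.splitlines())):
        print(f)
```

On the sample, 203.0.113.5 is reported as brute force against `admin`, 198.51.100.7 as a spray across five accounts, and 192.0.2.9 (one failure followed by a success, which is what a typo looks like) produces nothing. The per-account spray threshold is the piece people forget: counting only total failures per source misses a slow spray, and counting only failures per account misses it too, because each account sees one attempt.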
Oh, the movie? Sneakers, 1992. By the way… what’s the password on your Netflix account?