Cover Image: September 2011 Scientific American Magazine

Password Prevented, by David Pogue

In a world drowning in absurd security requirements, it's nice to see a few islands of reason


Nobody seems to think much about passwords. After all, isn’t their purpose obvious? You need one on your bank account so that nobody else can use your money. You need one on your e-mail account so that strangers can’t find out your innermost thoughts. 

But I was astonished when my daughter told me that her school has instituted a new security initiative. Student passwords must now be at least eight characters long, must contain letters, numbers and punctuation, and may not incorporate any recognizable English word. And the password must be changed every 30 days.

Can you guess what this password is meant to lock down? The fifth-grade homework-downloading Web page.

That’s right. All of that inconvenience, memorization and hassle is intended to make sure some disturbed maniac doesn’t read this week’s spelling list.

Then there’s the video production company I worked with recently, which hired a new tech guy. The first thing he did was to declare the company’s network to be unsafe. He decided that workers could no longer choose their own passwords; he would supply them. They would be 12 characters long and consist of alphanumeric gibberish, and they would have to be changed every month. He also blocked chat programs, e-mail attachments and YouTube.

They haven’t had any hacker break-ins—of course, they had never had any before, either. But there is a difference. Now the employees watch YouTube videos on their phones, use Gmail to get file attachments and keep their unmemorizable passwords on Post-It notes taped to the monitor. Nice going, Mr. Security.

My point, of course, is that while it’s important to be secure, it’s equally important to ask why—and to consider the trade-off between security and convenience. Obscure and harmless entities sometimes get locked up like Fort Knox, punishing nobody but the legitimate users. (Don’t even get me started on the Transportation Security Administration.) Other entities, such as Sony, Citibank and Lockheed Martin, are apparently not locked up enough. (Their computer systems were all hacked this past spring.)

It is actually possible to devise a system that ensures both security and convenience—if you’re smart. For example, if you reserve a room as a member of Omni Hotels’s Select Guest loyalty program, you can check in just by walking up to the counter and giving your name. They hand over your key and say, “Good evening, [your name here]. Have a great stay.”

They don’t ask for your ID. They don’t say, “May I have your credit card for incidentals?” They don’t tap on their keyboard for five minutes. They don’t ask you any questions. No interrogation of any kind. They have your key waiting, and they just hand it over.

How can they get away with such lax security? Couldn’t some ruffian pose as you, take your key and crawl into the bed in your hotel room?

It’s never happened in the history of the Omni’s Express check-in program. Why not? Because the ruffians don’t know who you are or that you’ve booked a hotel room. And if you ever did arrive and find some evildoer in your bed, you would be able to clear up the confusion pretty quickly by showing your ID.

Here’s another example: When you buy a program from Apple’s online Mac App Store, the program is downloaded and installed on your Mac automatically. You are not prompted for your system password, you don’t click through any installer screens, there’s no warning about software downloaded from the Internet. It’s the height of convenience.

Shouldn’t Apple be more worried about security? No, because it’s done some thinking. It controls both ends of the transaction. It’s not worried about viruses or malware, because it’s providing the software itself. It doesn’t have to ask you if you want to install the software—of course you want to (otherwise, why would you be buying it?).



8 Comments

  1. blittrell 11:11 AM 8/31/11

    There are several issues with this email. First off, let's separate known good practices from those practiced by the companies this author has had experience with. Passwords should be flexible enough that a user can type something in they can remember without Post-it notes, yet implement enough randomness to throw off a hacker. Next you have to balance the cost of what you are protecting against the means to protect it; I always think, you don't want a $100,000 safe to protect $10,000. Finally you do not want to make the security so tight that people do not use the applications; you have to strike a happy medium.

    That being said, people go overboard. Just like in cooking where you really like a little spice on something so you think a lot of spice will make it taste a lot better, it is the same with security, you need to add just enough. Some people do not get this and throw everything and the kitchen sink at it.

    One thing I have found is going to extremes in security can be equally dangerous: on one side, leaving everything up to the users will cause huge security holes; as the author mentioned, leaving everything up to the security people will cause people to access data elsewhere. One instance of going overboard: someone is poking around your web server, you see this and the knee-jerk reaction is to pull the plug. Well, guess what, that person just successfully implemented a denial of service attack on you, and assuming he/she did not do anything wrong to that point, he/she will get away scot-free.

    Lastly, don't be too quick to judge all the simplicity with Apple as a good thing. First off, Apple does not have a majority of market share; it is growing like crazy but is just now starting to become the focus of hackers, so Apple security is still untested. Second, think of this: Apple controls both ends of the transaction. What does this mean? It means that if one thing is compromised at Apple, like its CA private cert, a hacker can then gain complete access to all Apple devices. Now you may say it is really well protected, but think of this: a criminal organization bribes an Apple employee for $20 million for the private key. They get it, and to the criminals it is worth billions, because now not only do they have access to all the Apple devices but they can also decrypt all those "secure" credit cards etc. being sent to the Apple store from all those compromised devices.

    My point is, there is no perfect way to implement security; everything has its drawbacks even if they are not readily apparent.

  2. teeple 11:18 PM 9/3/11

    I agree with both the premises put forth by David and the comment by the responder blittrell. The example of the admin who blocks everything is overly restrictive and draconian and will ultimately hurt productivity - users will find a way around your administrative blocks. The question is what makes the best sense for the environment. The school - OMG - that was funny.

    But I am the Director of IT for an environment that doesn't really enforce a password policy at this time, and some of my users have had the same password for the past 2 1/2 years - so what makes the best sense to protect the company assets, while not becoming a nuisance or problematic from the end users' perspective nor for the IT management of said policy?

    Also - note - that in your article (in the magazine, which brought me here) you mentioned you don't need a password to purchase from the Mac App Store? I might be doing something wrong... but my purchase requires a password to start the purchase. But you are right with the rest of the process - the vetting of the product by Apple and subsequent placement on the Mac Store give it carte blanche on your system, allowing for effortless installations. Nice touch.

    Soon enough, I will be putting in a password policy, but don't need something nearly as restrictive as you gave examples of - a simple password policy that requires the user to change their password every 6-9 months, is better than nothing. Better yet - Smartcards, or tokens for authentication... erh... maybe not.

  3. blittrell 12:52 PM 9/7/11

    Forgot to mention I am in charge of a school district's network. Although changing the password every 30 days with a randomized 8-digit password is very extreme, there is good reason to lock down the accounts. First reason, kids are getting more computer savvy at a younger age, so it is not uncommon to see students log in as other students and use that to cheat. Another good reason is that a lot of educational software is really very bad at security and often times requires full file permissions to work, so a student can log in and delete the entire program. The only defense is to enforce individual logins; after the first few students get called in, it stops. More than that though, the students that use network access to share video games tend to not listen to teachers while they play Halo or some other free downloadable game. Sure, they can play games on their phones, but we can not do anything about that.

    As far as security, we assign random 5-digit student passwords and that stays with the student from K-12, unless there is an issue, like a teacher prints the list and passes it around the class. Teachers and admins, however, have a stricter policy that requires a longer password and is changed every 6 months. Even with this we still have complaints from teachers, but compared to industry it is pretty lax.

    FYI, schools do have sensitive information, so sensitive that laws require encrypted transmission of that information. So I know from an outsider it may look like you're protecting Jane's homework, but in reality schools can get into big trouble if certain information is exposed.

  4. mikeyw 02:54 PM 9/7/11

    Mr. Pogue's comments are, of course, full of common sense. However, to return to the comments about schools and the sysadmin overkill described by Mr. Pogue, it's helpful to remember that kids (adults, too, but that's another issue) don't know or care AT ALL about cybersafety. They will use the same password for every possible website login AND share it with their friends. Let's hope the school has some thoughtful presentations and discussions about *why* passwords are necessary in the first place... otherwise the kids will just see the school's requirement as just another pain, and delight in bypassing it.

    As an educational add-on to the school's password rules mentioned early in the article, nothing is said about making the password strings into foreign language words or the numbers into something useful in a mathematics lesson. Or some other instructionally-related activity resulting in a new password. Then, at least, every 30 days the new password wouldn't be completely random. Every teacher I know would be able to make a fun activity about this sort of thing within 5 minutes!

  5. elcuiz 01:23 PM 9/12/11

    I was thinking to write a long comment for this but I will go short. It's funny how two different, and maybe for most people, articles in this magazine are related. One is this and the other one is "After Shock and Awe". Besides all the above mentioned, this is another way to pour some water on the seed of paranoia that the U.S. and its economic, social, expansionist (and you know all the rest) politics and economics do every single day. The creation of fear to justify things like the ones expressed in the article "After Shock and Awe" and of course its revolting consequences.
    Wake up.

  6. elcuiz 01:25 PM 9/12/11

    Errata: when I wrote "and maybe for most people", it should have been "and maybe for most people it is not the case".

  7. StuartBell 09:46 AM 9/22/11

    Pogue makes an excellent point about excessive password protection on resources of limited value. It took me 45 minutes to log in and verify my password to SA on a slow link - and the cost of an impostor posting this note isn't that large.

    The other end of the spectrum is of more concern. Two months ago, an impostor gained access to my bank account online. That account had common aggregation software that permits collection of balances from my IRA and other bank accounts - thus the original account holds passwords to other accounts. The impostor used that information to change e-mail addresses on other accounts, potentially taking my life savings.

    I immediately changed all the passwords. Three weeks later, the impostor (or a different one) used my Mother's Stepmother's first name to repeat the process. I had used this name in place of the more common Mother's maiden name - changing the answer but not the question.

    Clearly, I told no one of the substitution. My Mother's Stepmother's first name is not common.

    Passwords are not sufficient to protect high value resources. They can be compromised by several means, including a potential insider.

    Some banks now provide a key fob that generates a one time password that lives for one minute or less and is never reused. Such a device ("what you have") provides a significant level of protection beyond what can be provided by passwords ("what you know").

    These fobs are essential for protection of high value resources such as my life savings.

    It is also possible to use fingerprint recognition devices ("what you are") or retinal scanners to provide a nearly unbreakable level of security.

    I agree with Pogue that organizations protecting resources of limited value (such as posting to a SA blog) should use limited strength passwords. It is, however, just as important to encourage people to not use password protection for high value assets, insisting (by moving their accounts) on "what you have" key fobs or "what you are" fingerprint recognition.

    Both are inexpensive (about $20), available, and quite secure. /Stu

  8. sonamsnv 08:18 AM 12/13/11

    Excellent tips. Really useful stuff. Never had an idea about this, will look for more of such informative posts from your side... good job... Keep it up.
