September 2011 Scientific American Magazine

Password Prevented, by David Pogue

In a world drowning in absurd security requirements, it's nice to see a few islands of reason

Whether you’re an administrator, designer or consumer, in other words, it’s worth putting some thought into the security/convenience trade-off. Passwords have their place—but it’s not every place.



This article was originally published with the title Password Prevented.




ABOUT THE AUTHOR(S)

David Pogue is the personal-technology columnist for the New York Times and an Emmy Award-winning correspondent for CBS News.


8 Comments
  1. blittrell 11:11 AM 8/31/11

    There are several issues with this email. First off, let's separate known good practices from those practiced by the companies this author has had experience with. Passwords should be flexible enough that a user can type in something they can remember without Post-it notes, yet implement enough randomness to throw off a hacker. Next, you have to balance the cost of what you are protecting against the means to protect it. I always think: you don't want a $100,000 safe to protect $10,000. Finally, you do not want to make the security so tight that people do not use the applications; you have to strike a happy medium.

    That being said, people go overboard. Just like in cooking, where you really like a little spice on something and so think a lot of spice will make it taste a lot better, it is the same with security: you need to add just enough. Some people do not get this and throw everything and the kitchen sink at it.

    One thing I have found is that going to extremes in security can be equally dangerous. On one side, leaving everything up to the users will cause huge security holes; as the author mentioned, leaving everything up to the security people will cause people to access data elsewhere. One instance of going overboard: someone is poking around your web server, you see this, and the knee-jerk reaction is to pull the plug. Well, guess what, that person just successfully implemented a denial-of-service attack on you, and assuming he/she did not do anything wrong to that point, he/she will get away scot-free.

    Lastly, don't be too quick to judge all the simplicity with Apple as a good thing. First off, Apple does not have a majority of market share; it is growing like crazy but is just now starting to become the focus of hackers, so Apple security is still untested. Second, think of this: Apple controls both ends of the transaction. What does this mean? It means that if one thing is compromised at Apple, like its CA private certificate, a hacker can then gain complete access to all Apple devices. Now you may say it is really well protected, but think of this: a criminal organization bribes an Apple employee with $20 million for the private key. They get it, and to the criminals it is worth billions, because now not only do they have access to all the Apple devices but they can also decrypt all those "secure" credit cards etc. being sent to the Apple store from all those compromised devices.

    My point is, there is no perfect way to implement security; everything has its drawbacks, even if they are not readily apparent.

  2. teeple 11:18 PM 9/3/11

    I agree with both the premises put forth by David and the comment by the responder blittrell. The example of the admin who blocks everything is overly restrictive and draconian and will ultimately hurt productivity - users will find a way around your administrative blocks. The question is what makes the best sense for the environment. The school - OMG - that was funny.

    But I am the Director of IT for an environment that doesn't really enforce a password policy at this time, and some of my users have had the same password for the past 2 1/2 years - so what makes the best sense to protect the company assets, while not becoming a nuisance or problematic from the end users' perspective nor for the IT management of said policy?

    Also - note - that in your article (in the magazine, which brought me here) you mentioned you don't need a password to purchase from the Mac App Store? I might be doing something wrong... but my purchase requires a password to start the purchase. You are right with the rest of the process, though - the vetting of the product by Apple and subsequent placement on the Mac Store gives it carte blanche on your system, allowing for effortless installations. Nice touch.

    Soon enough, I will be putting in a password policy, but I don't need something nearly as restrictive as the examples you gave - a simple password policy that requires the user to change their password every 6-9 months is better than nothing. Better yet - smartcards, or tokens for authentication... erh... maybe not.

  3. blittrell 12:52 PM 9/7/11

    Forgot to mention I am in charge of a school district's network. Although changing the password every 30 days with a randomized 8-digit password is very extreme, there is good reason to lock down the accounts. First reason: kids are getting more computer savvy at a younger age, so it is not uncommon to see students log in as other students and use that to cheat. Another good reason is that a lot of educational software is really very bad at security and oftentimes requires full file permissions to work, so a student can log in and delete the entire program. The only defense is to enforce individual logins; after the first few students get called in, it stops. More than that, though, there are the students that use network access to share video games and tend to not listen to teachers while they play Halo or some other free downloadable game. Sure, they can play games on their phones, but we cannot do anything about that.

    As far as security, we assign random 5-digit student passwords, and that stays with the student from K-12 unless there is an issue, like a teacher printing the list and passing it around the class. Teachers and admins, however, have a stricter policy that requires a longer password and is changed every 6 months. Even with this we still have complaints from teachers, but compared to industry it is pretty lax.

    FYI, schools do have sensitive information, so sensitive that laws require encrypted transmission of that information. So I know from an outsider it may look like you're protecting Jane's homework, but in reality schools can get into big trouble if certain information is exposed.

  4. mikeyw 02:54 PM 9/7/11

    Mr. Pogue's comments are, of course, full of common sense. However, to return to the comments about schools and the sysadmin overkill described by Mr. Pogue, it's helpful to remember that kids (adults, too, but that's another issue) don't know or care AT ALL about cybersafety. They will use the same password for every possible website login AND share it with their friends. Let's hope the school has some thoughtful presentations and discussions about *why* passwords are necessary in the first place... otherwise the kids will just see the school's requirement as just another pain, and delight in bypassing it.

    As an educational add-on to the school's password rules mentioned early in the article, nothing is said about making the password strings into foreign language words or the numbers into something useful in a mathematics lesson. Or some other instructionally-related activity resulting in a new password. Then, at least, every 30 days the new password wouldn't be completely random. Every teacher I know would be able to make a fun activity about this sort of thing within 5 minutes!

  5. elcuiz 01:23 PM 9/12/11

    I was thinking of writing a long comment for this, but I will go short. It's funny how two different, and maybe for most people, articles in this magazine are related. One is this and the other one is "After Shock and Awe". Besides all the above mentioned, this is another way to pour some water on the seed of paranoia that the U.S. and its economic, social, expansionist (and you know all the rest) politics and economics do every single day. The creation of fear to justify things like the ones expressed in the article "After Shock and Awe", and of course its revolting consequences.

    Wake up.

  6. elcuiz 01:25 PM 9/12/11

    Errata: when I wrote "and maybe for most people", should have been "and maybe for most people it is not the case"

  7. StuartBell 09:46 AM 9/22/11

    Pogue makes an excellent point about excessive password protection on resources of limited value. It took me 45 minutes to log in and verify my password to SA on a slow link - and the cost of an impostor posting this note isn't that large.

    The other end of the spectrum is of more concern. Two months ago, an impostor gained access to my bank account online. That account had common aggregation software that permits collection of balances from my IRA and other bank accounts - thus the original account holds passwords to other accounts. The impostor used that information to change e-mail addresses on other accounts, potentially taking my life savings.

    I immediately changed all the passwords. Three weeks later, the impostor (or a different one) used my mother's stepmother's first name to repeat the process. I had used this name in place of the more common mother's maiden name - changing the answer but not the question.

    Clearly, I told no one of the substitution. My mother's stepmother's first name is not common.

    Passwords are not sufficient to protect high-value resources. They can be compromised by several means, including a potential insider.

    Some banks now provide a key fob that generates a one-time password that lives for one minute or less and is never reused. Such a device ("what you have") provides a significant level of protection beyond what can be provided by passwords ("what you know").

    These fobs are essential for protection of high-value resources such as my life savings.

    It is also possible to use fingerprint recognition devices ("what you are") or retinal scanners to provide a nearly unbreakable level of security.

    I agree with Pogue that organizations protecting resources of limited value (such as posting to an SA blog) should use limited-strength passwords. It is, however, just as important to encourage people to not use password protection for high-value assets, insisting (by moving their accounts) on "what you have" key fobs or "what you are" fingerprint recognition.

    Both are inexpensive (about $20), available, and quite secure. /Stu

  8. sonamsnv 08:18 AM 12/13/11

    Excellent tips. Really useful stuff. Never had an idea about this, will look for more of such informative posts from your side.. good job... Keep it up
    Fire Alarms (http://alarmsouth.wordjack.com/info)
