Tuesday, September 21, 2010

The Pit and the Password Pendulum

via Risks-Forum Digest Monday 20 September 2010 Volume 26 : Issue 17
"The discussion about overly complex password rules reminds me of sage advice that Digital once published in a VAX security manual. I'll paraphrase: The definition of security must be broad. Security aims to see that authorized users, and only authorized users, succeed in doing their jobs.

The modern definition of computer security seems much narrower. It focuses on preventing unauthorized uses, and malware. If security procedures hinder authorized users from doing their jobs, security still succeeds under the narrow definition, but fails under Digital's broader definition.

An onerous password policy is a form of denial of service attack. 

Might things improve if we made security people responsible for productivity of the good guys as well as denial of the bad guys?"

--------

Also…
An additional irony of keyloggers is that the bad guys can typically see your password better than you can, since they don't have every character replaced by a black blob. Only a very few programs (7-Zip, when asking for a password on a protected archive, springs to mind) allow you to check a box to say "I do not fear Tempest scanning, and there is nobody else in the room. Please let me see this password as I type it." 

To impose passwords like fH%JK43-oe9 and then prevent people from seeing what they're typing is just sadism. It must cost millions per year in password reset costs, even with automated delivery of new passwords to e-mail addresses. 

I've added this functionality to the Web applications which I maintain. I suggested its addition to a site which I use frequently, where I have contact with the development team, and which has no major, banking-style security issues. Their reply was, "We've decided not to do this, because it's not an industry-standard practice". 

Review your password policy. Make some innovative improvements. The easier it is for employees to use, the more effective it will be. Here is your mantra for the day: "Death to passwords on sticky notes." Come on, say it!
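
The opt-in "let me see this password as I type it" checkbox described above, sketched as an added example (not code from this post or from the quoted RISKS contributors). The function name and the element ids `login`, `password` and `show-password` are assumptions.

```javascript
// Added example: opt-in "show password" checkbox for a login form.
// The function name and the element ids used at the bottom are assumptions.

// Wire a checkbox to a password field. Masked stays the default, so the
// user has to choose to reveal the text. As a precaution the field is
// re-masked when the form is submitted, so the cleartext does not stay on
// screen and the value is sent from a password-type input.
function attachPasswordReveal(field, checkbox, form) {
  function setVisible(visible) {
    field.type = visible ? "text" : "password";
    checkbox.checked = visible;
  }

  // The user ticks or unticks the box.
  checkbox.addEventListener("change", function () {
    setVisible(checkbox.checked);
  });

  // Always return to the masked state before the form goes out.
  form.addEventListener("submit", function () {
    setVisible(false);
  });

  setVisible(false); // start masked regardless of the initial markup

  return {
    isVisible: function () { return field.type === "text"; },
    hide: function () { setVisible(false); }
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const form = document.getElementById("login");
  if (form) {
    attachPasswordReveal(
      document.getElementById("password"),
      document.getElementById("show-password"),
      form
    );
  }
}
```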