Wednesday, December 07, 2005

How to create better passwords - why bother?!

I have recently came across a practical article on how to create a better passwords, couresy of CSO Magazine. It reminded me of how many times I find myself actually getting into the science of passwords maintenance and creation in order to enforce real-life, cost-effective scenarios, while on the other hand, get myself seriously concerned on how easy it is to have your accounting data abused!

During the years I have written several articles, like this one - Creating and Maintaining Strong Passwords, mainly with the idea to actually provide a pragmatic approach on tackling weak, and prone to be cracked passwords. The result, at least from a sniffing point of view *grin* was that most of my friends lacking security knowledge, were indeed getting concerned by their easy to guess passwords. Later on, they were turning them into entire passphrases with the idea to avoid not having them cracked. That's an example of a "false feeling of security".

And while it was a progress compared to how predictable their passwords really were, strong passwords doesn't address the following issues that I later on covered in another article - Passwords - Common Attacks and Possible Solutions, namely, passwords can be :

- Sniffed
- Recovered
- Unintentionally shared
- Keylogged
- etc.

Recently, both from a CSO's point of view, and the financial industry, two factor authentication, has been gaining a lot of acceptance, in my opinion primary because of its tangibility. It greatly improves the authentication process, given the integrity of the system, and the network itself. And while from an organization's or bank's point of view providing tokens to the entire work force would represent a huge investment, I strongly feel prioritizing in respect to important customers, and executives will play an important role.

On October 12, 2005, the Federal Financial Institutions Examination Council, released its Guidance on Authentication in Internet Banking Environment, thereby enforcing the use of advanced, compared to passwords based only, authentication approaches.

Would it work? I doubt so, but it limits the age-old attacks we are so used to seeing in respect to passwords.

Bruce Schneier has been discussing the dangers of the two factor authenticaion buzz, and as far as online banking is concerned, Candid W├╝est has written a very good paper on Today's threats to online banking, namely the techniques discussed fully apply to any type of authentication. Passwords are out of the topic, even two factor authentications has its good and bad sides to it comes to end users' awareness, implementation and configuration.

What are the practical alternatives these days?

Password Safe is a bit unpractical(still works for lots of people out there) in today's interconnected world, namely, a HDD crash for instance would cause a lot of trouble to everyone, let's not mention the "availability" of the data. Just1Key seems to solve this problem to a certain extend. I also recommend you verify the strenght of your passwords by taking advantage of the Password Strenght Meter ComputerWeekly, are also running an article "Security : have passwords had their day?", they sure haven't, at least not on a large scale, the way I've always wanted to see it - One Time Passwords in Everything! Check out RSA's One-Time Password Specifications , the concept in itself has the time frame advantage!

Further reading on the topic can be found at :

Technorati tags :