Password management's secret ingredient
How to resolve the security/convenience clash
- By William Jackson
- May 20, 2010
Passwords long have been the default standard for authentication for IT access, but they can be notoriously difficult to manage, both for the enterprise and the end user.
Long, complex passwords are usually more secure than short, simple ones, but they also are more difficult for the user to remember, leading to the increased possibility that users will write them down somewhere, making them visible to prying eyes. And organizations that require periodic password resets can increase the strain on help-desk resources as users struggle to recall their new codes.
Generating secure passwords is easy, and the universe of secure passwords is exponentially greater than that of weak passwords. The National Institute of Standards and Technology points out in guidelines it is preparing that the number of possibilities for a given password increases with the length of the password and the possible number of choices for each character. The possible choices for each character of a numerical password are 10 (0 through 9). Possible choices for passwords using letters are 26 for each character. By combing letters, numerals, special characters and upper and lower case, there can be up to 95 possibilities for each character. A four-digit numerical PIN has keyspace of 10,000; that is, there are 10,000 possible combinations. An eight-character password using 95 possibilities for each character has a keyspace of 7 quadrillion.
The top 10 awfully bad passwords people use
Are strong password rules just bad magic?
But the ability to remember even several dozen of these 7 quadrillion passwords is beyond that of mortal man, so we fall back on tricks and technology. Password management tools can simplify the job, but they must be properly secured and can create a single point of failure if compromised. John DiMaria, director of professional services for eFortresses, a security and compliance consulting firm in Atlanta, uses an encrypted spreadsheet on a protected thumb drive to store lists of passwords. This reduces the number of passwords that positively, absolutely must be remembered to two -- but he's at risk of losing the drive and, with it, all of his passwords.
“There are technical solutions for this,” said Ron Ritchey, a principal in the technical service practice a Booz Allen Hamilton. “There is also strategy that can be applied.”
Ultimately, no approach is a proverbial silver bullet, he added. The key to passwords is risk management.
Ritchey said he personally does not create a unique password for every account. “That is simply unmanageable. I create categories.”
This can reduce the number of personal passwords from dozens to a manageable handful, each of the appropriate strength. DiMaria said he teaches the use of some personal key that can be easily remembered for generating passwords. A simple rule for transposing characters on a keyboard can create complex passwords that are relatively easy for the user to remember.
There also are so-called single-sign-on tools for enterprises and password management tools for PCs and mobile devices.
But, “none of these is entirely satisfactory,” Ritchey said. Eventually they all run up against the limits of scalability or human memory. “It comes down to risk management.”
Some people resort to a simple card in their wallet, but this could be stolen. You have to ask yourself, Ritchey said, what are the odds of my wallet being stolen, and what are the odds of it being stolen by a thief savvy enough to care about the passwords? “These things are part of the personal risk calculations you put into what you are trying to protect.”
Ritchey said that wholesale cyber attacks are so much more efficient that single thefts that the threat of losing a password through a malware infection is much greater than the theft of cracking of a single password.
Eventually, Ritchey sees our salvation in the replacement of passwords by a single, strong, reusable credential, probably based on a hardware token of some sort. That would allow users to access many resources with the same digital identity. The drawbacks are that a secure credential could be expensive, they create a single point of failure if compromised, and the repeated use of a single online identity could present a threat to privacy.