A password only works when nobody else knows it
The good news about passwords is that they are integrated into just about every type of software, and users understand and accept them.
But passwords are only effective when they are kept secret. And there are a variety of chinks'both human and technical'in that secrecy making passwords by themselves inappropriate for protecting resources at higher assurance levels.
Here are the primary threats to secrecy, as enumerated by the National Institute of Standards and Technology:
Guessing or finding. Passwords that are easy to re-member are easy to guess; and passwords that are difficult to remember run a higher risk of being written down, where they can be found. Default passwords for many computer products already are known and are vulnerable if not changed by administrators. An observer can steal a password or personal identification number by 'shoulder surfing''watching as the characters are entered.
Giving away. Users often share passwords to allow co-workers and others to access resources. The security of a secret is weakened proportionately to the number of people who share it. Users also can be tricked into revealing passwords through social engineering and phishing schemes.
Electronic monitoring. A password must be transmitted from the user to the authenticating system, and this can be monitored on the network and on the computer. Encrypting a password that will be reused may not work, because the same password will produce the same ciphertext, which an eavesdropper might be able to use.
Accessing a password file. If the password file itself is not protected by strong access controls, it could be subject to exposure.
Proliferation of passwords. The common use of separate passwords to control access to multiple applications and systems can become counterproductive as users resort to poor security practices such as using easily guessed passwords, reusing passwords for different systems or writing them down.
For more information on the pros and cons of password security, see NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. Go to www.gcn.com
and enter 467 in the GCN.com/box.