Over on CISSPforum, a zombie topic about passwords has risen from the dead yet again.

This time, someone suggested making it a "condition of employment" that "If you cannot remember a username and password, find employment elsewhere."

Well yeah but no but.  A username and A password, even a reasonably strong one, would be just fine for most people.  Unfortunately, we need loads. 

As information security pros, isn't it part of our rôles and responsibilities to make information security as low-impact as possible on the organization (including its 'most valuable assets', the people) without unduly compromising the level of security? 

Forcing people to choose lots of complex/strong passwords, change them often and remember them is, like it or not, quite a challenge for the average human, me included.  I long since gave up trying to think up and remember strong passwords for all the websites I visit.  For a while I wrote down the passwords and secured the piece of paper as best I could.  Pass phrases worked better but then I just confused myself by inventing obscure rules for punctuation and 133tne55 and, with senilility approaching, I have trouble remembering the userID bit too. 

Now I use a password vault which allows me to create, securely store and instantly recall totally ridiculous passwords, up to the maximum length permitted by the authentication system (1000+ character password? No problem sir, here you go.  Fancy another?  Poof!  Your click is my command) and as complex as a highly complex thing on Complexity Day.  All I need do is remember one strong password/passphrase to unlock the vault and through constant practice I'm getting pretty good at doing that, thanks to setting the password lifetime setting to "blue moon".  I can store passwords and notes for other non-web-based systems too.

Yes, I'm putting my eggs in one basket and yes I absolutely do appreciate the risk of so doing.  I agonised over this.  On balance, my risk assessment convinced me that, compared to the bits of paper and occasional lock-outs (plus those dumb password reset questions or 'Thank you.  We have just emailed your password in clear to an email account you placed on record with us five years ago.  Have a nice day'), the vault's implementation of AES, coupled with my ability not to disclose the vault key, wins easily.  And yes I take care over that non-disclosure bit, for example never typing it into public-access PCs, and using a strong password/phrase.  And being a paranoid security geek, I'm seriously thinking about buying a USB stick with a fingerprint reader to armour-plate the egg basket.

In this case, at least, technology CAN make the world a more secure place.

Regards,
Gary Hinson CISSP
NoticeBored information security awareness

Please don't reply to this blog entry here - join in the discussion on CISSPforum. 




More...