The good old password is still a viable means of security if only we can stop giving it away.
20 Jun 2000 - These days, it seems like you need a password to gain entry into just about everything, and for good reason. Passwords are the oldest, most mature and most flexible security tool around. Yet they're also the most often breached, though not because of inherent conceptual or technological weaknesses. Despite years of experience, few people keep their passwords secure, and few companies enforce policies that require them to do so. Much like the lock on a front door, however, passwords always will be an attacker's first target. As long as they remain insecure, any other defensive measures are essentially useless.
Usually, the easiest way to get someone's password is simply to ask for it. Penetration testing and independent studies repeatedly have shown that most employees will readily give up their passwords to impostors posing as help-desk personnel over the phone. In some cases, 90 percent of those tested fell for the trick. Surprisingly, help desks are often just as gullible, giving access to the same impostors posing as legitimate users who have forgotten their password.
The lesson here is simple: Under no circumstances should users share their passwords with anyone. IT staff, including help-desk staff, should never have access to user passwords. If a user is accidentally locked out, the old password should be reset and a new one selected or issued -- and not over the phone.
Selection and maintenance of passwords is not quite as simple. The best passwords are the hardest to guess: long and random. I use 40-plus character phrases as passwords -- usually obscure, but memorable, quotations. Moreover, unless users choose different passwords for each separate account, and change those passwords regularly, the potential damage from a single breach can be extreme. Such practices, unfortunately, make it almost impossible for users to remember their log-in information, which creates a strong temptation to write this data down -- clearly opening themselves up to hacker-type passersby.
One answer is the password safe. I cannot sing the praises of these apps loud enough. Simple and inexpensive, they store log-in information in a secure, encrypted file, allowing system administrators to enforce very stringent rules for security while minimizing the impact on the end user. The user still must remember a single password to open the safe itself, but because it is never transmitted over a network, it is far more secure than most. A safe of some sort should be a standard part of every desktop install. (Check out Counterpane's freeware safe at www.counterpane.com/passsafe.html.)
Finally, it is important to note that password policy cannot be merely outlined in a training document; it must be enforced. End users see security as a hassle, an obstacle between themselves and their computers. But left to their own devices, they inevitably will expose their passwords to attack.