How safe is your Password?

• by Ellie Hurst
• Advent IM Blog

A post from Del Brazil, Advent IM Security Consultant.

Passwords are supposed to be hard to guess but not hard to remember which in itself is a paradox.  How can you actually have something that is hard to guess and yet be easy enough to remember, let alone have several of them each with a different complexity requirement?

Image courtesy of Master isolated images at FreeDigitalPhotos.net

There are various tricks and methods into disguising passwords to aid users in remembering complex passwords but unfortunately as time goes on and remembering Moore’s Law in that every 2 years computer power doubles whilst costs decrease, it is ever increasing likely that the password tricks and disguising methods used today are likely to be easily compromised.  That’s not to say that good password management will be defunct in years to come as passwords only form part of the layered approach to security.

So what now?  As we become even more reliant upon computer systems and services coupled with the number of associated passwords should we adopt a different approach to passwords?  Historically complexity requirements were set as a guide by different organisations dependent upon the information and/or system being used.  This could vary from being 8 characters long using alphanumeric, special characters, valid for 90 days and selected/created by the user or being generated by an automated machine using the Consonant Vowel Consonant (CVC) method.  Either of the methods is still deemed sufficient dependent upon the information and/or system being protected.  The main issue with this is that a user has to try and remember a whole host of different passwords for different systems/services and when you add in the requirement to change passwords on a regular basis inevitably bad practice creeps in.

Users have always been discouraged from writing down their passwords in fear of someone finding it; however managing the safe storage of passwords that have been written down is something that organisations can and should consider.  This may enable users to generate longer more complex and even stronger passwords knowing that they are able to write them down rather than commit them to memory.  This may not be to everyone’s liking but never the less it is an option that should be considered.  As always there are risks to this method as the weak link is the password storage facility which maybe a security container to which only a select number of staff have access to.  There is the potential for the security container to be compromised thus compromising all passwords stored within in or the possibility that the security container lock is broken rendering the organisation inoperative until such time a locksmith is able to gain entry to the security container.

Another potential change would be for users to be assigned a single complex password for use over a multitude of systems and/or services.  There are a number of systems/services utilising this type of system by means of ‘Single Sign On (SSO)’; however there maybe the option for this to be taken one step further by the users.  This would involve the user utilising the same complex password over a multitude of systems thus negating the requirement to remember a whole host of different passwords of different lengths and complexities.  In theory this seems a logical step to take but as with everything there is an element of risk associated with this practice.  The main risk being, should the user’s password be compromised or they forget it then all systems/services accessed by the compromised password will be susceptible to attack.  Any compromise of this password word require each system/service password to be changed unless they are all interlinked as per SSO in which case password replication would be automated across the systems/services.

So what is the answer?  In a nut shell there is no one ‘Secure Password System’ as it all comes down to how passwords are managed and how well the users are educated about safeguarding their passwords.

Is it better to have a single longer more complex password over a multitude of systems or is it better to have individual passwords per each service/system.  This is a debate that I’m sure will go on for years; however the top tip is to ensure that users are not only educated about good password management but also about various methods of attack.  These attacks can manifest themselves as social media profiling or by phishing emails both of which will be discussed in additional publications.