eWeek Microsoft Watch
January 11, 2007 7:10 PM

The Weakest Link Is You
Adobe Blogs has a pretty good primer on choosing passwords and securing Acrobat documents. The advice is broadly applicable to other products or network services.

Rick Borstein explains what should be obvious good password policy, but with a twist: He addresses how to protect communications sent to someone with a close associate who might be able to figure out a password.

Borstein used as an example a lawyer handling a divorce between a husband and wife living in the same household. The lawyer needed to send documents to one spouse without the other reading them. The situation presented a twofold problem: choosing a password that one spouse could remember but the other couldn't guess.

It's surprising how easily passwords can be obtained. Back in October, my 12-year-old daughter asked why she could so easily access my iTunes account and change the password if she wanted. While she was trying to play a song purchased from my account on her computer, iTunes prompted her to authorize playback. The software presented a dialog box with my e-mail address as the user name and a space for the password.

Alongside the blank space for the password was a button asking, "Forgot password?" By clicking on this button, my daughter ended up at a page asking for my birthday, which she knew, and the answer to a secret question. I had simply put in a single word, "Maine," instead of drafting a question. After several guesses, my daughter chose "moose," which got her into the account.

Borstein's example is a good one, because a family member would have plenty of knowledge with which to crack the password. At the same time, the password shouldn't be too difficult for the other spouse to remember.

His advice about choosing a password--never obvious stuff like names or birthdays, and never sending it by e-mail--is good, too. Passwords remain a weak link, particularly if a password is the only security mechanism.

Following Microsoft's first Windows Vista launch in November, I met with three HP executives to discuss their company's plans for the new operating system. During the conversation we discussed Windows Vista security and the broad mechanisms companies should use to secure their networks. Each person's laptop had a USB dongle attached, which acted as a secure lock. No dongle, no access. They couldn't connect to their corporate network without the USB dongle, and neither could thieves.

This week, eWEEK.com editors put together a list of five best practices for enterprise security: assessment, prevention, detection, response and vigilance. A podcast, available today, offers deeper insight into these best practices.

Security is going to be a big topic for Windows Vista and a focus for many IT organizations evaluating the operating system. But any operating system, like any network, is only as good as its weakest point: the user.

What happens when someone uses the same passwords for home and work and the personal computer is breached by a Trojan or keylogger? The person might not use the home computer to access the work network, but the single pilfered password would be useful enough. There's enough public information on the Internet to identify where someone works, assuming the hacker couldn't pluck the information from the computer or the victim's banking or investment accounts. Common conventions for e-mail or user names would make the password usable once the employer was known. Enterprises are increasingly a target of information thieves.

No matter how improved Windows Vista security is, weak IT organization security policy--or none at all--will lay the operating system open to assault. In a Monday blog, eWEEK Security Center Editor Larry Seltzer aptly discussed what to expect from Windows Vista security.

Larry wrote, "A big part of hardening a product against attack is to be prepared for when a failure occurs. This is why you keep hearing from Microsoft about 'Defense in Depth.' The idea is that a failure in one form of protection can be mitigated by other protections."

With Windows Vista, Microsoft presumes that several mechanisms are necessary to protect the operating system; the approach also seeks to protect users from their own shortcomings, like creating weak passwords. The multilevel security approach is pervasive in Vista and also Internet Explorer 7.

The safest car on the road is only as good as the driver. No airbag, seatbelt or hardened auto frame can protect the careless driver who smacks into an overpass at 130 km/hour. Likewise, Vista's Defense in Depth is only as good as the weakest link, and the weakest link is you.


Comments (8)

John :

I have concocted a system that has unique passwords for each site but they are static passwords. I would like a good 'system' to remember passwords on sites that require you to change them regularly.

Mike :

Many sites do not allow me to enter "strong" passwords (because of length/character restrictions) that would enable me to have memorisable site-specific passwords along the line that John might use.

I also get irritated by online merchants that won't let me order from them unless I set up an account with password. (Some won't even allow browsing which is a complete deterrent). I'd rather buy casually without my credit card details being kept, and without having to come up with yet another password.

With VISTA, my observation from months of beta-testing is that some of the security restrictions are so onerous/annoying that mere mortals may elect to turn them off completely rather than deal with them. Even as a seasoned Windows veteran, I find that its habit of preventing me from saving to existing folders on data partitions is so crippling and hard to address properly that I'm postponing an "upgrade" indefinitely.

PS eWeek if you don't enter an email address at posting time here, then when your site returns you to this page, all the comment text is deleted!

Jim :

Just get RoboForm for PCs or 1 Passwd for Macs.
Both offer great security for your information, and create unique passwords for each site, and save them. Everything is encrypted and data held on your computer only, not online.

In the meantime, the easiest way I have heard of to create strong passwords, that you can remember is to use the first letter of each word in a phrase you like, then add a set of numbers. For example:
Phrase: Every Dog Has His Day= edhhd, then add a number that you can remember: edhhd90210.

Works well and is easy to remember, but it is still better to get Roboform or 1 Passwd. Roboform may be the best program for PCs ever made.

Jim

Robert :

Jim,
Your method of remembering passwords by using the first letters of a selected phrase is great; however, "edhhd90210" is an easily cracked alpha-numeric password. To increase the security of your selected password, you should include special characters. A more secure password would be "edhhd902!0".

Of course... we all know that any password can eventually be cracked. It just depends on how determined the hacker is on getting your valued information.

Michael :

I love the sites that don't allow you to implement a strong password, even if you want to! For example, here's one I ran into just yesterday. This is on the American Express website -- a site that you'd think would be concerned about good security. The Change Password tool on their site told me that any new password I choose must be between 6 and 8 characters long, and may not contain spaces or special characters. Robert, I completely agree with your idea of including special characters in a password to make it stronger -- but good intentions don't mean a thing when American Express (or any other site) puts too many stupid restrictions on the type of password you choose.
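Jim's initials-plus-number scheme, Robert's special-character variant and the 6-to-8-character, no-symbols rule Michael ran into, compared side by side. This is an added Python example, not code from the post or its commenters; the character-class sizes and the policy parameters are assumptions, and the keyspace figure is a brute-force upper bound, not a crack-time estimate.

```python
import math
import string

# Printable ASCII split into classes: 26 lower, 26 upper, 10 digits, 33 symbols/space (assumed).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def passphrase_initials(phrase: str, suffix: str = "") -> str:
    """Jim's scheme: first letter of each word, lower-cased, then a memorable suffix."""
    return "".join(word[0].lower() for word in phrase.split()) + suffix

def character_classes(password: str) -> set:
    """The printable-ASCII classes a password actually draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def keyspace_bits(password: str) -> float:
    """log2 of the brute-force space given only length and classes used.
    This is an upper bound: a cracker that tries phrase initials and common
    number strings (a ZIP code, a year) as whole tokens needs far fewer guesses."""
    alphabet = sum(CLASS_SIZE[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)

def meets_policy(password: str, min_len: int, max_len: int, allow_symbols: bool) -> bool:
    """Site-side rule of the kind Michael describes: length window, optional symbol ban."""
    if not min_len <= len(password) <= max_len:
        return False
    return allow_symbols or "symbol" not in character_classes(password)

def policy_ceiling_bits(max_len: int, allow_symbols: bool) -> float:
    """Best keyspace any password can reach under the policy: all allowed classes, max length."""
    alphabet = sum(CLASS_SIZE.values()) if allow_symbols else 62
    return max_len * math.log2(alphabet)

if __name__ == "__main__":
    jim = passphrase_initials("Every Dog Has His Day", "90210")  # edhhd90210
    for pw in (jim, "edhhd902!0"):
        print(f"{pw}: ~{keyspace_bits(pw):.1f} bits; allowed by 6-8 alnum policy: {meets_policy(pw, 6, 8, False)}")
    print(f"ceiling under a 6-8 alnum policy: ~{policy_ceiling_bits(8, False):.1f} bits")
```

Even the unmodified 10-character "edhhd90210" sits above the best any password can reach under the 6-to-8 alphanumeric rule, which is the point Michael makes: the site's policy, not the user's good intentions, sets the ceiling.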

Steve :

I do a lot of shopping on the internet. I feel pretty safe using Roboform. It also generates strong passwords. For the actual purchase, I use Discover Card's "Desktop" download that creates a unique card number that is good for only one purchase.

Steve :

Why not just replace passwords with a biometric fingerprint reader? That way you get increased security and you never have to remember a password.
