Friday, June 11, 2010

Passwords: To Secure or Not to Secure

Passwords have been in use since ancient times, but the periodic controversy over whether or not to use them really gained momentum with computing. The latest round turned up in the SmartPlanet blog, where Joe McKendrick waxes poetic about a Microsoft study that argues, in effect, that the cost passwords impose on users outweighs the risk they mitigate. Wrong!

There is a perception that coming up with unique, strong passwords is a burden, and that rules like having to create a new password on a regular basis that can never match a previously used one make it an insurmountable task.

Reading the above blog posting made me feel as if I had taken a time machine to work that morning. Really? Passwords are always hard to remember? Really? So, let's see, users (the de facto weakest link in any security chain) should just be allowed to do whatever they like because, as soon as the enormous burden of password creation and retention is removed from their hectic schedules, productivity skyrockets. Really? Facebook, YouTube, and MySpace anyone? Oh, and finally, a "top security researcher from Microsoft?" Don't get me started.

Flux capacitor and time circuits set back to 2010: cybercrime is about to surpass illegal drug trafficking as a moneymaker for criminals. Yes, you read that correctly. Cybercriminals can make more money than drug dealers. Hello? Things are getting worse, not better. While end-user failure enables a large part of the rise in cybercrime, corporate ineptitude still plays a key role. Training and basic understanding of network and cyber security (strong passwords included) are pitifully low. On regular security engagements, my team and I are routinely stunned at what we find. Whether it is a small, medium, or even a large global firm, we invariably get a mind-blowing, head-shaking dose of "I cannot believe what I'm seeing": dated or non-existent security policies, unmonitored and out-of-date security technologies (firewalls, VPN, IDS, etc.), understaffed and undertrained IT departments tasked with a security role, and a common company-wide malaise regarding proper network security. Routinely, we're able to obtain identity information, bank account access, transaction histories, internal pricing lists, etc. Billions spent on network security, and we're going backwards.

I agree that users get bombarded with different, often unclear and untrue, messages about security and how to handle certain situations (phishing emails and web sites, spoofed SSL certificates, even social engineering). A big reason for this is that the wrong people get tasked with designing and disseminating a company's security policy. Security personnel should be doing this, not IT personnel. Perhaps a topic for another article, but security is not an IT issue; it is a management issue.

Growing cybercrime profitability shows us that current and past security practices are severely flawed. But stopping the use of one of them (passwords) isn't a solution. They should be enhanced. Yes, use a credentialed mechanism for secure access to data, sites, services, etc. But perhaps instead of forcing the average user to produce and remember cryptic passwords constantly, teach them to use patterns on a standard QWERTY keyboard. Examine this password: 0ok9ij)OK(IJ. It has all the characteristics of a security manager's dream. But how on earth is someone going to remember that? Look at your keyboard and notice that those characters form a pattern. Start with the zero and then move down and to the left; you get the "o" and the "k". Then move from the zero to the 9 and go down the same way for the "i" and "j". Then repeat the same two downward patterns while holding the Shift key. Dream password? Solved. Want another password? Pick a new starting point and a new directional pattern. Want to make it unique to a particular site? Add a letter before or after that password ("E" for email, "I" for the company intranet, and so on). You now have a strong password with nothing to remember but a keyboard pattern. One caveat: a keyboard walk looks random to a human but not to a cracking tool. Straight-line walks across a 40-key layout number only in the hundreds, and attackers' wordlists and rule sets include them, so the pattern itself must stay private, and a one-letter site suffix means that a single leaked password gives away the rest. The pattern is a memory aid, not a substitute for length and genuine uniqueness.
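The following is an added example, not code from the original post or from Razorpoint. It builds the article's password from the keyboard walk as described, then enumerates every password the same rule can produce, which is the check a cracker would run. The US-QWERTY layout, the encoding of "down and to the left" as moving one row down and one column index left, and the segment length of 3 are this example's own assumptions.

```python
"""Keyboard-walk passwords: construct the article's example, then count
how many passwords the rule can generate (the attacker's view).

Added example with an assumed US-QWERTY layout; not the article's code."""

import itertools

# Constructed layout: four rows, unshifted and shifted, 10 keys each.
ROWS_UNSHIFTED = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
ROWS_SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"]

# key -> (row, column) and unshifted key -> shifted key
POS = {ch: (r, c) for r, row in enumerate(ROWS_UNSHIFTED) for c, ch in enumerate(row)}
SHIFT = {u: s for ur, sr in zip(ROWS_UNSHIFTED, ROWS_SHIFTED) for u, s in zip(ur, sr)}

# (row step, column step).  "down-left" reproduces the article's 0 -> o -> k.
DIRECTIONS = {
    "down-left": (1, -1), "down": (1, 0), "down-right": (1, 1),
    "left": (0, -1), "right": (0, 1),
    "up-left": (-1, -1), "up": (-1, 0), "up-right": (-1, 1),
}


def walk(start, direction, length):
    """Keys typed by starting at `start` and stepping `direction` until
    `length` keys are collected; None if the walk runs off the keyboard."""
    r, c = POS[start]
    dr, dc = DIRECTIONS[direction]
    out = []
    for _ in range(length):
        if not (0 <= r < len(ROWS_UNSHIFTED) and 0 <= c < len(ROWS_UNSHIFTED[r])):
            return None
        out.append(ROWS_UNSHIFTED[r][c])
        r, c = r + dr, c + dc
    return "".join(out)


def shifted(keys):
    """The same keys typed with Shift held."""
    return "".join(SHIFT[ch] for ch in keys)


def article_password():
    """0ok, 9ij, then both again with Shift: the article's 0ok9ij)OK(IJ."""
    first = walk("0", "down-left", 3)
    second = walk("9", "down-left", 3)
    return first + second + shifted(first) + shifted(second)


def straight_walks(length):
    """Every straight-line walk of `length` keys from every key in every
    direction.  This is the dictionary a cracker would generate."""
    found = set()
    for start in POS:
        for direction in DIRECTIONS:
            keys = walk(start, direction, length)
            if keys is not None:
                found.add(keys)
    return found


def scheme_candidates(segment_length=3):
    """All 12-character passwords the article's rule can produce: two
    independent walks, each repeated with Shift."""
    segs = sorted(straight_walks(segment_length))
    return {a + b + shifted(a) + shifted(b) for a, b in itertools.product(segs, segs)}


if __name__ == "__main__":
    pw = article_password()
    walks = straight_walks(3)
    candidates = scheme_candidates()
    print("article password:", pw)
    print("straight 3-key walks on this layout:", len(walks))
    print("passwords the rule can produce:", len(candidates))
    print("article password is in the attacker's list:", pw in candidates)
```

On this layout there are 168 straight three-key walks, so the whole scheme yields 168 squared, about 28,000, twelve-character candidates, and a 26-letter site suffix multiplies that by 26. That is seconds of work for an offline attack, which is why the pattern must be kept private and the scheme treated as a memory aid rather than a source of randomness.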

Strong passwords aside, two-factor authentication is another technology that can help with the ongoing battle of user password management. Two-factor authentication combines something you have with something you know. You can "have" a one-time-code token on your key chain, and you can "know" a sufficiently strong password that goes with it; a stolen password alone then gets the attacker nowhere, and a captured code is useless once it has been used. These and other technologies are available today in an attempt to curb cybercrime's expansion.
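The exchange described above, as an added example that is not part of the original post: a server-side account that accepts a login only when both a password (something you know) and a one-time code from an event-based token (something you have) check out. The code generation follows HOTP (RFC 4226) and is verified against that RFC's published test secret; the account class, the look-ahead window of 4 and the password hashing parameters are this example's own assumptions.

```python
"""Two-factor login: password (know) plus HOTP token code (have).

Added example; the HOTP routine follows RFC 4226, everything else is
an assumed, minimal server-side design."""

import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoFactorAccount:
    """What the server stores per user: a salted password hash, the
    token's shared secret, and the last counter value it accepted."""

    LOOK_AHEAD = 4  # assumed: how many unused codes the token may be ahead

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash_password(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server will accept

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Assumed parameters; any slow salted KDF serves the same purpose.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _password_ok(self, password: str) -> bool:
        candidate = self._hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def _token_ok(self, code: str) -> bool:
        """Accept a code within the look-ahead window, then move the
        counter past it so the same code can never be replayed."""
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1
                return True
        return False

    def login(self, password: str, code: str) -> bool:
        """Both factors must pass.  The password is checked first so that
        a wrong password never consumes a token code."""
        if not self._password_ok(password):
            return False
        return self._token_ok(code)


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (the ASCII digits 1..0 twice).
    secret = b"12345678901234567890"
    account = TwoFactorAccount("correct horse battery", secret)
    print("token shows", hotp(secret, 0))              # 755224
    print("good login:", account.login("correct horse battery", "755224"))  # True
    print("replayed code:", account.login("correct horse battery", "755224"))  # False
    print("stolen password, no token:", account.login("correct horse battery", "000000"))  # False
```

The look-ahead window exists because users press the token button without logging in; the server resynchronises by accepting the first matching counter in the window and then burning everything at or below it. Codes older than the last accepted one are rejected, which is the property that defeats a sniffed or shoulder-surfed code.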

If it's your business you're securing, you can ignore the reports that say passwords are not cost effective. Instead, invest in employee education: truly relevant, informative, actionable security education. A good investment yields solid returns. If you want to keep your support costs down while keeping your company secure, teach your employees the importance of good password habits along with an overarching mindset of reality-based security awareness.

While companies have consistently failed at these things, the future is now and big differences can be made. I believe we can only go up from here.

Gary Morse is President and Founder of Razorpoint Security Technologies.