A Business Technology Place

Easier password rules

Somebody give these guys a high-five.
Finally. There is a glimmer of hope for resolving the insanity that password complexity rules have become. The National Institute of Standards and Technology (NIST) recently revised its guidelines for password complexity. The recommendations are detailed in Appendix A – Strength of Memorized Secrets. The NIST findings not only acknowledge the usability cost of the existing complex-password rules, but also show that their benefit to security is not significant. This will make you smile and is sure to get a round of applause from everyone. Here’s an excerpt:

“Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe.”

The new advice is to treat the length of a password as more important than its complexity. Shorter passwords are easier for cracking programs to break; longer passwords are harder to break once they have been encrypted and stored. NIST acknowledges that the overly complex password rules we’ve been subjected to only encourage bad habits as we try to make passwords easier to remember. In other words, changing your password from “Password1!” to “Password2!” doesn’t really make it more secure.

Randomly generated passwords are fine as long as they don’t create a usability hassle. Some users, like me, use a password vault tool that generates random passwords for specific sites. Again, longer is better even when the characters are random.

I looked at my accounts.
I applied this guidance to three financial services sites where I have accounts. Here are the current password complexity requirements from each site:

Site 1
At least 8 characters in length
Has at least one letter
Has at least one number

Site 2
Must contain 8 to 20 characters, including one letter and one number.
May include the following characters: % & _ ? # = –
May not contain spaces

Site 3
Minimum of six characters
Must use a mix of letters, numbers, or symbols

The good news is that I can use my random password generator to create passwords longer than, say, 8 characters. It’s no more work for me because I go to my password vault tool to retrieve passwords anyway. But even if you don’t use a password vault tool, you can make your password much more secure by creating a phrase that complies with the existing rules. For example, ILove2seemygrandmother would fit the requirements; it is easier to remember and more secure. Hopefully the new guidelines will find their way into technology compliance and regulation, and we’ll be able to use password phrases more freely in the future.
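To make the comparison concrete, here is an added example (not code from the post) that encodes the three sites’ rules listed above alongside a NIST-style check that relies on a length band and a blocklist instead of composition rules. The breached-password and dictionary sets are constructed samples, Site 3’s “mix” is interpreted as at least two character classes, and the dash in Site 2’s symbol list is assumed to be an ASCII hyphen.

```python
import string

# Constructed sample lists for this example; a real deployment would load a
# breached-password corpus (and a dictionary) of millions of entries.
BREACHED_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "summer"}

SITE2_SYMBOLS = "%&_?#=-"  # Site 2's permitted symbols; the dash is assumed to be a hyphen


def has_letter(pw: str) -> bool:
    return any(c.isalpha() for c in pw)


def has_digit(pw: str) -> bool:
    return any(c.isdigit() for c in pw)


def has_symbol(pw: str) -> bool:
    return any(not c.isalnum() for c in pw)


def site1_ok(pw: str) -> bool:
    # At least 8 characters, at least one letter, at least one number.
    return len(pw) >= 8 and has_letter(pw) and has_digit(pw)


def site2_ok(pw: str) -> bool:
    # 8 to 20 characters, one letter and one number, a short list of permitted
    # symbols, and no spaces (a space is simply not in the allowed set).
    allowed = set(string.ascii_letters + string.digits + SITE2_SYMBOLS)
    return (8 <= len(pw) <= 20 and has_letter(pw) and has_digit(pw)
            and all(c in allowed for c in pw))


def site3_ok(pw: str) -> bool:
    # Minimum of six characters and a "mix": interpreted here as at least two
    # of the three classes letters / numbers / symbols.
    classes = sum([has_letter(pw), has_digit(pw), has_symbol(pw)])
    return len(pw) >= 6 and classes >= 2


def nist_style_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    # A length band instead of composition rules, every printing ASCII character
    # (space included) permitted, and a comparison against known-bad values.
    if not min_len <= len(pw) <= max_len:
        return False
    if not all(32 <= ord(c) <= 126 for c in pw):
        return False
    lowered = pw.lower()
    if lowered in BREACHED_PASSWORDS:
        return False
    # Strip digits and symbols so that "Password1!" and "Password2!" both reduce
    # to the dictionary word "password" and are rejected alike.
    core = "".join(c for c in lowered if c.isalpha())
    return core not in DICTIONARY_WORDS


def evaluate(pw: str) -> dict:
    """Run one candidate through all four rule sets."""
    return {
        "site1": site1_ok(pw),
        "site2": site2_ok(pw),
        "site3": site3_ok(pw),
        "nist_style": nist_style_ok(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1!", "Password2!", "ILove2seemygrandmother"):
        print(f"{candidate:25s} {evaluate(candidate)}")
```

Running it shows the point of the post: Password1! and Password2! satisfy the composition rules of Sites 1 and 3 but both reduce to the dictionary word “password” and are rejected by the NIST-style check, while the passphrase ILove2seemygrandmother passes the NIST-style check and Sites 1 and 3. Site 2 rejects it only because of its 20-character cap, which is exactly the kind of limit that works against longer passwords.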

Onward and upward!

Got Password? Can Microsoft simplify?

Who makes the rules?

Hackers love them. Security auditors like to engineer them. The average person hates them. IT support teams use them for jokes. Our computer passwords have an identity crisis! Do passwords protect us, or are they just a nuisance in our everyday lives? I find weekly articles about how hackers can crack most passwords in minutes. For some thieves, cracking a password isn’t enough fun, so they just steal them. It seems the value passwords bring to protecting information is diminishing.

Industry experts created password complexity rules we should all follow to make passwords more secure. That makes it a little harder for hackers to crack a password but does not make passwords theft-proof. Unfortunately, it also drives many people without a password system to write their passwords down on paper. Who can remember words with all those special characters and capitalizations? In essence, the rules meant to make the user more secure made their system less secure.

Businesses implement password complexity rules to meet a couple of constraints: a security control they are given, and limitations of the software system they are using (i.e. field length, characters allowed). The result for all of us is an inconsistent set of rules governing passwords across the systems we use. Is it 8 characters or 10? Does it require special characters? Can I reuse a password I used two years ago?

What you know and have.

Several years ago, a popular authentication method was created to offset the weaknesses of a single-password system. Two-factor authentication is based on the idea of something you know and something you have. So, for example, I know a password and I have a phone to which you send me a second code. Or I know a password and I have a physical security card I can tap or have read.
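As an added illustration that is not part of the post, the following Python models both factors: the server checks the password against a salted PBKDF2 hash (something you know), and the phone computes a time-based one-time code from a seed shared at enrolment (something you have), following HOTP (RFC 4226) and TOTP (RFC 6238). The PBKDF2 round count, the one-step drift window and the demo account are assumptions for the example; the seed in the demo is the RFC’s published test seed.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


# --- Factor 1: something you know. The server keeps only a salted hash. ---
def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- Factor 2: something you have. The phone holds a seed shared at enrolment
#     and derives a short-lived code from it (HOTP, RFC 4226; TOTP, RFC 6238). ---
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    # What the phone app displays for the current 30-second window.
    return hotp(seed, int(timestamp // step), digits)


def verify_totp(seed: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    # The server tolerates a little clock drift by also accepting the codes for
    # the adjacent windows; window=1 means one step either side.
    counter = int(timestamp // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        # Check every candidate so timing does not reveal which one matched.
        if hmac.compare_digest(hotp(seed, c, digits), code):
            ok = True
    return ok


# --- Enrolment and login: a request is accepted only if both factors pass. ---
def enroll(password: str, totp_seed: bytes) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_seed": totp_seed}


def login(record: dict, password: str, code: str, now: int) -> bool:
    # Evaluate both factors unconditionally rather than short-circuiting, so a
    # wrong password and a wrong code take the same time to reject.
    password_ok = check_password(password, record["salt"], record["digest"])
    code_ok = verify_totp(record["totp_seed"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed and an arbitrary timestamp.
    seed = b"12345678901234567890"
    user = enroll("correct horse battery staple", seed)
    now = 59
    phone_code = totp(seed, now)
    print("phone shows", phone_code)
    print("both factors:", login(user, "correct horse battery staple", phone_code, now))
    print("password only, stale code:", login(user, "correct horse battery staple", "969429", now))
```

The drift window is the one design choice worth noticing: each extra step the server accepts makes life easier for a phone with a slow clock and, in equal measure, gives a guesser more valid codes per window. One step either side is the common compromise.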

Now Microsoft is experimenting with removing the password requirement completely. Their new system would make life easier for their customers because it doesn’t require a pesky password for data access. Well, kind of. It requires a PIN from the phone to get access. I see this as a hybrid two-factor authentication: something I know, my phone PIN; something I have, my mobile device. If I lose or misplace my phone, they say there is an option to revert to a standard password. Would you use this?

Human behavior.

Protecting data with authentication systems is a good study in human behavior. We protect the data because we don’t want others to see it. We protect access because some people steal data. We develop authentication systems that try to balance human usability against password complexity. I can see this as a college class: Psyc 231 – Human behaviors for data access and protection.

Got password?

Photo Credit: Thomas Au via Creative Commons. https://flic.kr/p/dT3HaA


Secure your identity with password storage software from PassPack

I finally forced myself to sit down this past week and come up with a better plan for password management. As online identity theft grows, it’s becoming more commonplace for media and bloggers to write about security best practices, password protection, and other topics related to online identity. Unfortunately, password management is one of those topics people choose to ignore because they want something simple and don’t want to be burdened with password rules and expiration dates. I counted myself in that group up until now.

I reviewed a few alternatives for password management programs. Some have local clients to install, with the password storage kept local. Some use a recording and playback method. Some leverage a two-factor authentication system with a physical device that supplies a key. What is common to all of them is that they require a user to change their habits in some way. I think this is a valid trade-off for added security and a little peace of mind.

For my review, I decided I needed to find a solution that addressed the following criteria:

1. Portability

Have an online version so that I can access my password storage from multiple locations. Since I use different computers throughout the week, or may need to reach a site from an unexpected location, I need something portable.

2. Multi-Factor Security Options

OK, so this is obvious, right? After all, I am giving someone my accounts and passwords. Since I wanted an online solution, I need to be comfortable with the security of the system. A fairly new approach to security that goes beyond encrypting the contents of the message on the wire is host-proof hosting. I’m not a security expert, but I get the fact that this system encrypts the data on their server, that I have a secret key that is not stored on their server, and that at no time is the key moved to their server. I see there are several players on the market using this system, including industry giant Verisign.
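The host-proof idea described above, as an added example rather than PassPack’s or Verisign’s code: the client derives its keys from the passphrase, encrypts and authenticates the vault locally, and the server stores only the resulting blob, so it has nothing to decrypt with even if it is breached. HMAC-SHA256 in counter mode stands in for a real cipher so the example runs on Python’s standard library alone (production code would use AES-GCM from a vetted library); the PBKDF2 work factor, the account name and the vault contents are constructed for the example.

```python
import hashlib
import hmac
import secrets

KDF_ROUNDS = 100_000  # assumption: PBKDF2 work factor for this example


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    # 64 bytes of key material from the user's secret: half for encryption,
    # half for authentication. Only the client ever runs this.
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream, standing in for a
    # real cipher so the example needs nothing outside the standard library.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def client_encrypt(passphrase: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the client; the returned blob is all the server sees."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def client_decrypt(passphrase: str, blob: dict) -> bytes:
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    # Verify before decrypting: a wrong passphrase or a tampered blob fails here.
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("vault tag mismatch: wrong passphrase or modified data")
    stream = keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


class HostProofServer:
    """Stores opaque blobs keyed by account. It holds no passphrase and no key,
    so it has nothing to decrypt with; that is the host-proof property."""

    def __init__(self):
        self._vaults = {}

    def store(self, account: str, blob: dict) -> None:
        self._vaults[account] = blob

    def fetch(self, account: str) -> dict:
        return self._vaults[account]

    def plaintext_visible(self, account: str, needle: bytes) -> bool:
        # What a breach of the server (or a curious operator) could read.
        return needle in self._vaults[account]["ciphertext"]


def demo(passphrase: str = "my long vault passphrase",
         vault: bytes = b"bank: user=alice pass=h7!Qz9; mail: user=alice pass=Lk3%vP") -> dict:
    # Constructed sample vault contents and passphrase.
    server = HostProofServer()
    server.store("alice", client_encrypt(passphrase, vault))
    result = {
        "server_sees_plaintext": server.plaintext_visible("alice", b"h7!Qz9"),
        "round_trip": client_decrypt(passphrase, server.fetch("alice")),
    }
    try:
        client_decrypt("wrong passphrase", server.fetch("alice"))
        result["wrong_passphrase_rejected"] = False
    except ValueError:
        result["wrong_passphrase_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The property to check in any “host-proof” product is the one the server class makes explicit: the key derivation and the decrypt routine exist only on the client, and the server-side data is useless without the passphrase. The flip side, which a vault user should plan for, is that a forgotten passphrase cannot be reset by the provider because they never had it.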

3. Browser Compatibility

I spend 95% of my Internet browsing time using Chrome or Firefox, so the password management system must run on those two browsers. I already have too many applications that only run with IE; I’m not going to add another one.

At the end of my journey I selected PassPack as my management tool. The tool meets all three of my decision criteria and offers additional optional security features that I won’t list in this post. There is a local desktop version available as well. The PassPack business model currently gives away usage rights to individuals (up to 100 passwords) while charging for group and administered accounts. It definitely requires a change in my behavior, but I know it’s for the better. At the end of the day, I’ll learn to enjoy the central management aspect of the password storage system and welcome the value it adds for me.