Who makes the rules?
Hackers love them. Security auditors like to engineer them. The average person hates them. IT support teams use them for jokes. Our computer passwords have an identity crisis! Do passwords protect us or are they just a nuisance to our everyday lives? I find weekly articles about how hackers can crack most passwords in minutes. For some thieves, cracking a password isn’t enough fun, so they just steal them. It seems the value passwords bring for protecting information is diminishing.
Industry experts created password complexity rules we should all follow to make the passwords more secure. That makes it a little harder for hackers to crack a password but does not make them theft-proof. Unfortunately, it also drives many people without a password system to write down their password on paper. Who can remember words with all those special characters and capitalizations? In essence, to get the user more secure the rules made their system less secure.
Businesses implement password complexity rules to meet a couple of constraints: a security control they are given and limitations from the software system they are using (i.e. field length, characters allowed). The result for all of us is an inconsistent set of rules governing passwords across all the systems we use. Is it 8 characters or 10? Does it require special characters? Can I reuse a password I used two years ago?
What you know and have.
Several years ago, a popular method for authentication security was created to offset the weaknesses of a single password system. Two-factor authentication is based on the idea of something you know and something you have. So for example, I know a password and I have a phone where you send me a second code. Or I know a password and I have a physical security card I can tap or read.
Now, Microsoft is experimenting with removing the password requirement completely. Their new system would make life easier for their customers because it doesn’t require a pesky password for data access. Well, kind of. It requires a PIN from the phone to get access. I see this as a hybrid two-factor authentication. Something I know, my phone PIN. Something I have, my mobile device. If I lose or misplace my phone, they say there is an option to revert to a standard password. Would you use this?
Protecting data with authentication systems is a good study in human behavior. We protect the data because we don’t want others to see it. We protect access because some people steal data. We develop authentication systems that try to find a balance between human usability and password complexity. I can see this as a college class. Psyc 231 – Human behaviors for data access and protection.
Photo Credit: Thomas Au via Creative Commons. https://flic.kr/p/dT3HaA
I finally forced myself to sit down and come up with a better management plan for password management this past week. As online identity theft grows, it’s becoming more common place for media and bloggers to write about security best practices, password protection, and other topics related to online identity. Unfortunately, password management is one of those topics that people choose to ignore because they want something simple and don’t want to be burdened with password rules and expiration dates. I counted myself in that group up until now.
I reviewed a few alternatives for password management programs. Some of the programs have local clients to install with the password storage local. Some use a recording and playback method. Some leverage a two-factor authentication system with a physical device that supplies a key. What is common among all of them is that they require a user to change their habits in some way. I think this is a valid trade-off for added security and a little peace of mind.
For my review, I decided I needed to find a solution that addressed the following criteria:
1. Online Access
Have an online version so that I could access my password storage from multiple locations. Since I use different computers throughout the week or may need to get to a site from an unexpected location, I need something portable.
2. Multi-Factor Security Options
Ok, so this is obvious, right? After all, I am giving someone my accounts and passwords. Since I wanted an online solution, I need to be comfortable with the security of the system. A fairly new approach to security that goes above encrypting the contents of the message on the wire is the host-proof-hosting system. I’m not a security expert, but I get the fact that this system encrypts the data on their server, that I have a secret key that is not stored on their server, and that at no time is the key moved to their server. I see there are several players on the market that are using this system including industry giant Verisign.
3. Browser Compatibility
I spend 95% of my Internet browsing time using Chrome or Firefox, so the password management system must run on those two browsers. I already have too many applications that only run with IE. I’m going to add another one.
At the end of my journey I selected PassPack as my management tool. The tool meets all three of my decision criteria and offers additional optional security features that I won’t list in this post. There is a local desktop version available as well. The PassPack business model is currently set to give away usage rights for individuals (up to 100 passwords), while charging for group and administered accounts. It definitely requires a change in my behavior, but I know it’s for the better. At the end of the day, I’ll learn to enjoy the central management aspect of the password storage system and welcome the value-add it provides to me.