Sunday, September 02, 2007

Who Are You?

When it comes to security, passwords are both a blessing and a curse. Virtually everyone knows that passwords are necessary to protect access to sensitive and private information.

But between work and personal use, you can have a dozen passwords or more. That's a lot of passwords to remember!

Having so many passwords to remember (and forget) often leads to numerous password resets, causing frustration and lost productivity. For businesses, this also leads to numerous costly help desk calls.

To avoid forgetting their passwords, some people write them down and post them in conspicuous places for handy reference. Unfortunately, this practice also exposes their passwords to others who may use them for nefarious purposes.

So what can we do about this problem? Let's take a look at some password basics.

Breaking It Down

By definition, a password is a combination of characters used along with a user ID to identify who is accessing the system. Most importantly, while the user ID is typically visible and may be known by others, the password is (or should be) known only to the user. Essentially, the password ensures the user ID is being used by the legitimate user.

A password should be easy for you to remember but difficult for others to guess. Consider these guidelines when defining a password:
  • Use more than 5 characters.
  • Use a combination of digits, letters and special characters.
  • Do not use a proper name (kids, spouse or pets).
  • Do not use your phone number or social security number.
  • Do not use a word that could be easily cracked by a brute-force dictionary attack program.
Most systems have policies that define the minimum length and characters allowed when you define a password. These policies may also define how often you need to change your password and whether or not you can reuse prior passwords.
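As an added example (not code from the original post), the checker below turns the guidelines above, plus the reuse rule that system policies enforce, into a function that reports every violation at once. The word list, name list and the seven-digit phone/SSN heuristic are constructed assumptions for illustration; a real deployment would use a much larger dictionary.

```python
import hashlib
import os
import re
from typing import Iterable

# Constructed sample word list standing in for a cracker's dictionary.
DICTIONARY = {"password", "welcome", "secret", "letmein", "monkey", "dragon"}
# Constructed sample of names the guideline says to avoid (kids, spouse, pets).
PROPER_NAMES = {"john", "mary", "fido", "rex"}

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so the reuse history never stores plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password: str,
                   history: Iterable[tuple[bytes, bytes]] = ()) -> list[str]:
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    if len(password) <= 5:
        problems.append("use more than 5 characters")
    has_digit = re.search(r"\d", password)
    has_letter = re.search(r"[A-Za-z]", password)
    has_special = re.search(r"[^A-Za-z0-9]", password)
    if not (has_digit and has_letter and has_special):
        problems.append("use a combination of digits, letters and special characters")
    lowered = password.lower()
    if any(name in lowered for name in PROPER_NAMES):
        problems.append("do not use a proper name")
    # Heuristic (assumption): 7+ consecutive digits once separators are removed
    # looks like a phone number (7 or 10 digits) or social security number (9).
    if re.search(r"\d{7,}", re.sub(r"[-. ()]", "", password)):
        problems.append("do not use your phone number or social security number")
    # Strip digits and symbols so 'Password1!' still matches the dictionary word.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or stripped in DICTIONARY:
        problems.append("do not use a dictionary word")
    # Reuse check: re-derive the digest with each stored salt and compare.
    for salt, digest in history:
        if hash_password(password, salt)[1] == digest:
            problems.append("do not reuse a prior password")
            break
    return problems
```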

Multiple Factors

A password is an example of single-factor user authentication. An authentication factor is something that uniquely identifies the user. Authentication factors include:
  • Something the user knows (secret)
  • Something the user has (key)
  • Something the user is (characteristic)
  • Something the user does (behavior)
One way to simplify password management is to use a software program that stores your passwords in an encrypted file. You could then use one of the above authentication factors such as a fingerprint reader (characteristic) to retrieve your stored passwords and log on to your protected systems.

Combining factors makes it more difficult for unauthorized users to access a protected system. This is the theory behind multiple-factor authentication systems, used in many sensitive applications to identify a user more reliably than a password alone.

Other authentication methods use typing or mouse styles (behaviors). Some password management programs recognize you by the way you type or use a mouse, which I understand is difficult for others to mimic.

Another authentication method uses a token device (key) that you connect to your computer when you want to access a protected service. Typically a USB device, a token generates a unique key that is time-synchronized with the service you are accessing. This type of authentication is typically used by financial institutions.

Your Choice

As you can see, there are several ways to manage your passwords. Some PCs have integrated fingerprint readers. Others have some type of password management software. Web browsers can remember the passwords you use to log in to web sites. Businesses can implement automated password reset programs to reduce help desk calls.

In the end, it's up to you to keep your sensitive systems and data secure. By following a few simple rules and using some common sense along with password management tools and techniques, you can ensure that access to your systems is secure.

If you have any questions or would like to share your experiences with password security, please let me know.

By Harry Hiles, HBH Technology LLC — 2 Sep 2007