Thursday, October 11, 2007

Crap security advice

If you use a corporate-provided computer system, you probably have a number of passwords to "remember". You probably have these written on a Post-it attached to the monitor or stored in a convenient file on the desktop called Passwords.doc.

Here's some advice from a dude with dodgy hair at Computerworld, which explains why:
Use strong passwords: No user password should be shorter than eight characters. It's even better if they are nine or 10 characters long. Elevated accounts should have even lengthier passwords. Passwords should not be shared between internal and external sites, and they should be changed every 90 or so days.

Users won't remember those passwords, particularly if they access an "elevated" system like payroll that only needs to be used once a quarter. They'll be on Post-its or in files.

Look, if the data/system is too important for a six-character password, it should be protected by two-factor authentication, like one of those security dongles you see. Otherwise you might just as well hand your users a printed card with the password on it and tell them to keep it safe.

And while I'm at it, something that wasn't recommended in the article but which is very popular is having a convoluted system of forms and approvals to get a login. Which pretty much guarantees that once Doris in accounts has finally obtained a password for the payroll system, it'll be written on the whiteboard for the whole office to use.
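To put numbers behind the claim that six characters is too short for anything important, here is an added Python example (not from the original post or the Computerworld article): it brute-forces a constructed, unsalted SHA-256 hash of a six-digit password to show what an offline attack on a stolen credential store looks like, and then estimates how long exhausting the alphanumeric keyspace takes as the length grows from six to ten characters. The demo password, its hash, and the guess rate of one billion SHA-256 guesses per second are all assumptions chosen for illustration.

```python
import hashlib
import itertools
import math
import string
from typing import List, Optional, Tuple

# Constructed demo input: an unsalted SHA-256 digest of a six-digit password,
# standing in for one entry of a leaked credential store. Both values are
# assumptions made for this example, not data from any real system.
DEMO_PASSWORD = "730159"
DEMO_DIGEST = hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest()

# Assumed attacker throughput for the estimates below (guesses per second).
ASSUMED_GUESS_RATE = 1e9


def brute_force(target_hex: str, charset: str, length: int) -> Optional[str]:
    """Try every string of `length` characters drawn from `charset` until one
    hashes to the target digest. Returns the password, or None if the whole
    keyspace is exhausted without a match."""
    target = bytes.fromhex(target_hex)
    for candidate in itertools.product(charset, repeat=length):
        guess = "".join(candidate)
        if hashlib.sha256(guess.encode()).digest() == target:
            return guess
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def crack_time_table(lengths=(6, 8, 10), charset_size: int = 62,
                     guesses_per_second: float = ASSUMED_GUESS_RATE
                     ) -> List[Tuple[int, int, float]]:
    """Rows of (length, keyspace, seconds to exhaust) for an alphanumeric
    alphabet (62 symbols: a-z, A-Z, 0-9) at the assumed guess rate."""
    return [(n, keyspace(charset_size, n),
             seconds_to_exhaust(charset_size, n, guesses_per_second))
            for n in lengths]


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Offline attack: the digit-only six-character space (10**6) falls in a
    # second or two of pure Python; a real cracker is orders of magnitude faster.
    recovered = brute_force(DEMO_DIGEST, string.digits, 6)
    print(f"recovered {recovered!r} from digest {DEMO_DIGEST[:16]}...")

    # How much does each extra pair of characters buy against the same attacker?
    for n, space, secs in crack_time_table():
        print(f"{n:2d} alphanumeric chars: {space:>22,d} candidates "
              f"({entropy_bits(62, n):.1f} bits) -> {human_duration(secs)}")
```

At the assumed rate, six alphanumeric characters (about 5.7e10 candidates) fall in under a minute, eight take a couple of days, and ten take decades; the point of the example is that the jump from six to ten is what moves a password from "cracked over lunch" to "not worth attempting", which is exactly the length users cannot hold in their heads without writing it down. Note the demo hash is unsalted: per-user salts do not slow a single-target attack like this, they only stop one pass from covering every user at once.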



Steve said...

I'm not so sure I buy that; writing down long passwords can be safer than memorizing short ones, particularly if they're re-used. There are sites out there like PassPack that store passwords for free, and there are lots of password management programs to help with the task.

Bruce Schneier's take on this:

I'm a big believer in two-factor authentication (my company makes PhoneFactor), but if you're not going to do two-factor, you should at least use long, difficult passwords.

Rich said...

- passwords on paper are more secure if someone circumvents the mechanisms to stop them getting the encrypted password and then runs a brute force attack

- short remembered passwords are more secure if someone starts systematically thieving wallets