
The best passwords are the simplest, saving time and money to spend
more effectively on other risk-control measures, says security
expert Dr Peter Tippett.
What constitutes a strong password? Most people would answer one
that is made up of seven or eight alphanumeric characters and
changed every 60 days.
Well, I have to disagree. It's been drummed into us that weak
end-user passwords will allow malicious hackers to gain access to
the corporate network. But in the real world, a strong password is
no more secure than a simple one.
You only have to look at a typical organisation with 1,000 users to
realise that strong passwords are just too difficult to enforce.
It's highly likely that only half of the users are going to come up
with a password that suits your policy and, even if you work to
achieve 80% compliance, it's still not enough.
With password security, anything less than 100% will always be
considered weak because a password cracker can still guess the
remaining 20% with ease.
Even if you had 100% compliance on strong passwords, you'd still be
vulnerable. Why? Because once the password cracker has finished the
dictionary attack, they will start an attack of brute force. While
some user IDs and passwords might take days or weeks to crack,
around 15% can be broken in a matter of hours.
There is also another problem with stronger passwords: support.
Forgotten passwords account for the second-biggest number of calls
to the helpdesk. So not only do you have a stronger password that
can still be cracked, it's costing you thousands in training,
helpdesk calls and lost productivity in resetting forgotten
passwords for your staff.
You could implement a secondary factor, such as biometrics or
security tokens, but these measures are still too expensive for
many organisations.
So why not implement a simpler system? Set passwords to be four or
five characters, with no names or initials and nothing that a person
(as opposed to a password cracker) would guess easily, and change
them only once a year.
Just keep the really strong passwords for the small percentage of
system administrators who hold considerable power over systems and
devices.
In reality, there is no measurable security degradation that occurs
when you use simple passwords for most users, because, as I've
demonstrated, enforcing strong passwords throughout an entire
organisation has its flaws. As with many aspects of information
security, strong passwords alone don't always afford you the
protection they claim.
And with the money you've saved? Spend it on measures to understand
your company's risk level and then determine the appropriate level
of security for your business.
What's your view? Are "strong" passwords worth the aggravation?
Dr Peter Tippett is chief technologist with security specialist
TruSecure Corporation.