Passwords are on my mind today. First, I’m putting together some product security requirements so passwords are a consideration. Second, I was reading this article on BBC news regarding a report published by the United Nations stating that we are heading for a “password explosion.” Third, I received an email from RSA that exclaims “Nothing beats the security provided by a complex password.”

What is a sensible password policy for a web product? The correct answer, in my opinion, is a policy that provides sufficient protection of the assets that the password provides access to. Sometimes a password alone is not enough and we might want to consider some form of two-factor authentication (2FA). The problems are many: 2FA is often cumbersome to use and expensive to administer – requiring customers to learn how to manage their tokens or certificates or whatever other inconvenience you plan to post to them, and the business end to staff a full-time helpdesk to assist said customers when their token breaks, or gets lost, or doesn’t arrive in the post. Conversely, passwords alone, regardless of strength, can be guessed – and face it, I reckon most consumers do not use strong passwords anyway – or worse, stolen using keyloggers, spyware, or the various other nasty things that end up on Aunt Mabel’s home computer. So RSA’s assertion that “nothing beats a complex password” is false – many things beat it including, as those good folk at InfoSec discovered, the offer of a bar of chocolate.

Do I have a solution? No! Well, I do have some thoughts on the subject. First and foremost, we need to work on security from the inside out rather than relying on customers to be able to protect access to their accounts. We can build in processes to detect fraudulent account usage and we can maintain sufficient data within logs. We can ensure that accounts protected by weak passwords alone do not provide access to high value information. We can also try to educate customers on security. I read that one of the banks is providing their customers with anti-malware software. That, I think, is a great initiative.
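As an added illustration of the two points above (example code written for this post, not part of the original), here is a policy gate that only grants a session access to a resource when the session's authentication assurance level meets what that resource requires, and that records every decision with enough context to investigate later. The level scale, resource names and sample sessions are constructed assumptions.

```python
# Tiered access control keyed on authentication strength, with an audit trail.
# Password-only sessions get a low assurance level; sessions that also presented
# a second factor get a higher one, so a guessed or stolen password alone never
# unlocks high-value data. Levels, resource names and sessions are constructed.
from dataclasses import dataclass, field

PASSWORD_ONLY = 1
PASSWORD_AND_SECOND_FACTOR = 2

# Minimum assurance level required per resource (constructed policy).
RESOURCE_POLICY = {
    "account/balance_summary": PASSWORD_ONLY,
    "account/change_address": PASSWORD_AND_SECOND_FACTOR,
    "account/transfer_funds": PASSWORD_AND_SECOND_FACTOR,
}

@dataclass(frozen=True)
class Session:
    user: str
    methods: frozenset   # verified factors, e.g. {"password"} or {"password", "otp"}
    src_ip: str

    def assurance_level(self) -> int:
        if "password" not in self.methods:
            return 0                     # no password verified: no assurance
        # A second factor only counts on top of a verified password.
        return PASSWORD_AND_SECOND_FACTOR if len(self.methods) > 1 else PASSWORD_ONLY

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, resource, decision, reason):
        # Keep who, what, from where and why, so fraud can be investigated later.
        self.entries.append({"user": session.user, "ip": session.src_ip,
                             "resource": resource, "decision": decision, "reason": reason})

def authorize(session: Session, resource: str, log: AuditLog) -> bool:
    """Allow only if the session's assurance level meets the resource's policy."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:                 # unknown resource: fail closed
        log.record(session, resource, "deny", "no policy for resource")
        return False
    have = session.assurance_level()
    if have >= required:
        log.record(session, resource, "allow", f"level {have} meets {required}")
        return True
    log.record(session, resource, "deny", f"level {have} below {required}, step-up required")
    return False
```

A denied request with "step-up required" is the point at which a product would prompt for the second factor rather than simply refusing.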

There are some other interesting initiatives. OpenID from Verisign is a new Identity Management and Single Sign-on solution in the same vein as Microsoft’s Passport, but with the assurance of Verisign security behind it. Such solutions rely on many products subscribing to the service and customers having the confidence to use them. It makes sense because I’m sure that I’m not alone in being fed up with filling in name and address forms, but then I’m also not quite ready to entrust a single service provider with all of my personal details either. The nice thing about OpenID is that you can choose exactly how much information you want to share with the service, as well as manage as many different identities as you wish that relate back to you.

OpenID is one solution, but it’s not really much help for me today as I try to describe a policy that is practical to implement, acceptable for customers to use, and mitigates risk to an acceptable degree. I’m already resigned to the fact that I can’t win this one and, regardless of what I state the requirement should be, someone will give me fifteen reasons why it won’t wash.