Thought for the day: Strong passwords - a false sense of security?

The best passwords are the simplest, saving time and money to spend more effectively on other risk-control measures, says security expert Dr Peter Tippett.

What constitutes a strong password? Most people would answer: one made up of seven or eight alphanumeric characters and changed every 60 days.

Well, I have to disagree. It's been drummed into us that weak end-user passwords will allow malicious hackers to gain access to the corporate network. But in the real world, a strong password is no more secure than a simple one.

You only have to look at a typical organisation with 1,000 users to realise that strong passwords are just too difficult to enforce. It's highly likely that only half of the users will come up with a password that suits your policy, and even if you work to achieve 80% compliance, it's still not enough.

With password security, anything less than 100% will always be considered weak because a password cracker can still guess the remaining 20% with ease.

Even if you had 100% compliance on strong passwords, you'd still be vulnerable. Why? Because once the password cracker has finished the dictionary attack, they will start a brute-force attack. While some user IDs and passwords might take days or weeks to crack, around 15% can be broken in a matter of hours.

There is also another problem with stronger passwords - support. Forgotten passwords account for the second-biggest number of calls to the helpdesk. So not only do you have a stronger password that can still be cracked, it's also costing you thousands in training, helpdesk calls and lost productivity spent resetting forgotten passwords for your staff.

You could implement a secondary factor, such as biometrics or security tokens, but these measures are still too expensive for many organisations.

So why not implement a simpler system? Set passwords to be four or five characters, with no names or initials and nothing that a person (as opposed to a password cracker) would guess easily, and change them only once a year.

Just keep the really strong passwords for the small percentage of system administrators who hold considerable power over systems and devices.

In reality, there is no measurable security degradation that occurs when you use simple passwords for most users, because, as I've demonstrated, enforcing strong passwords throughout an entire organisation has its flaws. As with many aspects of information security, strong passwords alone don't always afford you the protection they claim.

And with the money you've saved? Spend it on measures to understand your company's risk level and then determine the appropriate level of security for your business.

What's your view?
Are "strong" passwords worth the aggravation?

Dr Peter Tippett is chief technologist with security specialist TruSecure Corporation.
