Open Sesame - Password Security

“Open Sesame!” is probably the most famous password in literature. It gave Ali Baba access to vast treasure. In the realm of technology, computer passwords also give access to valuable treasures: precious business and personal data.

Information about your personal life, buying habits, credit quality and life style is valuable to those who can profit from it. For the Corporation, information has even greater worth. It is not the “Bricks and Mortar” but the intangibles such as intellectual property, client lists, market strategies, pricing and compensation that account for over half the value of the modern enterprise.

All of this personal and business data most likely resides on a database somewhere and is available with a password. In fact, passwords are the most common means of entry in any system. They are also acknowledged as the most vulnerable points for security. “Weak” or compromised passwords are the easiest way for hackers to gain entry into a system.

Simple or short passwords can be easily discovered through “brute force” or “dictionary” attacks which concentrate intense computer power to crack a password. A two letter password, for example, has only 676 combinations. A password with eight letters offers more safety with 208,000,000 combinations.

Ideally, a password should consist of 8 or more characters. They should also contain a mixture of upper and lower case letters, symbols and numbers. “A$d3B5i9X” would be an example. Microsoft security has encouraged the concept of the “Pass Phrase” as an alternative. A phrase such as,”TheLastGoodBookUBoughtCost$25!” has all of the needed elements and is also easy to remember.

The human factor or social engineering contributes to password compromises. It is estimated that employees share their password eight times a year. Passwords can also be cajoled from untrained or naïve workers. The standard rule is NEVER share a password.

Remember the cliché of the “Six Degrees of Separation.” You cannot know who will eventually end up with your password and own it.

To cope with these issues, many leading edge firms are adopting a defense in depth strategy utilizing three elements to better safeguard their information

The three layers of authentication consist of:

What you know…

A strong password or pass phrase

What you have…

A Crypto-key, smart card or token

Who you are…

A biometric aspect such as fingerprint, hand, or retinal recognition

Usage of these three defensive measures will increase dramatically in the future as people seek to thwart ever increasing threats to their private and personal information. Many companies will be mandating them as a significant part of their security best-practices to safeguard an extremely valuable asset: their treasured data.

Terrence F. Doheny President of Beyond If Solutions, LLC.

© 2004, Terrence F. Doheny

Terrence F. Doheny