I’m not a security expert and don’t pretend to be one, but half-baked advice on fundamental security issues p***es me off big time. Today it’s a lengthy article at the Boston Globe: Please do not change your password.
It’s based on a study by a Microsoft researcher, who concludes that regularly changing passwords is a big waste of time – so far so good, and I’ve just saved you reading three pages – but what’s the conclusion?
- Use strong, bullet-proof passwords in the first place
- Use updated security software, don’t install unknown stuff to avoid keyloggers
It all makes sense, except that it’s hard to do. Statistics show that over 60% of Internet users have a favorite set of login credentials and use that single set across many systems. Very dangerous: one breached site hands an attacker the keys to every other site where the same credentials work. But the reason we do it is that one set is what we can remember easily.
The missing piece in the advice is how we deal with the “bullet-proof” and unique login credentials we create on the dozens of systems we need to log in to. Some people will develop a formula to make up such passwords – too bad such patterns are often recognizable, and once two or three of the outputs leak the formula is easy to reverse. (Update: see Bob’s example for algorithmic passwords.) Others will write them down … ouch!
So we’re left with two options:
- physical devices, be it lists, passcode cards, USB sticks etc. – what if you lose them?
- password management systems like KeePass, LastPass, Passpack, SyferLock… – what if they get compromised?
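The following is an added example written for this post (not the author’s code, and not taken from any of the products named above). It makes two of the points concrete in Python: why a formula of the “favorite word plus a bit of the site name” kind is recognizable once two of its outputs leak, and what a derived-password scheme, the approach some password managers take instead of storing random passwords, looks like, including the caveat that a weak master secret can be brute-forced offline from a single leaked derived password. All site names, passwords, the master secrets and the list of site-name transforms are constructed for illustration.

```python
"""Formula passwords versus derived passwords.

Added example for this post (not the author's code). Site names, passwords
and the list of site-name transforms are constructed for illustration.
"""
import hashlib
import string


def _label(site: str) -> str:
    """First DNS label of a site name: 'amazon' for 'amazon.com'."""
    return site.lower().split(".")[0]


# Site-to-token transforms a "formula" user might apply. The attacker below
# only has to try this short, guessable list (constructed for the example).
TRANSFORMS = {
    "first3_capitalised": lambda s: _label(s)[:3].capitalize(),
    "label_lower": lambda s: _label(s),
    "label_capitalised": lambda s: _label(s).capitalize(),
    "label_reversed": lambda s: _label(s)[::-1],
}


def infer_scheme(leaks: dict):
    """Given {site: password} from two or more breaches of the same person,
    look for a template prefix + T(site) + suffix with T in TRANSFORMS.
    Returns (prefix, transform_name, suffix), or None if nothing fits."""
    if len(leaks) < 2:
        return None
    for name, transform in TRANSFORMS.items():
        parts = set()
        for site, password in leaks.items():
            token = transform(site)
            if not token:
                break
            head, sep, tail = password.partition(token)
            if not sep:          # token absent: this transform does not fit
                break
            parts.add((head, tail))
        else:
            if len(parts) == 1:  # identical prefix and suffix on every site
                prefix, suffix = parts.pop()
                return prefix, name, suffix
    return None


def predict_password(scheme, site: str) -> str:
    """Apply an inferred scheme to a site the attacker has no leak for."""
    prefix, name, suffix = scheme
    return prefix + TRANSFORMS[name](site) + suffix


# 64 symbols so that byte % 64 is unbiased (letters, digits and two symbols).
ALPHABET = string.ascii_letters + string.digits + "!@"
ITERATIONS = 100_000


def derived_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministic per-site password: PBKDF2-HMAC-SHA256 over the master
    secret, salted with the site label and a rotation counter. Nothing is
    stored; bumping the counter rotates one site without touching the rest."""
    salt = f"{_label(site)}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def recover_master(site: str, leaked: str, candidates, counter: int = 1):
    """The caveat: the derivation is public, so one leaked derived password
    lets an attacker test master-secret guesses offline. A weak master falls
    to a wordlist; the per-site outputs are only as strong as the master."""
    for guess in candidates:
        if derived_password(guess, site, counter, len(leaked)) == leaked:
            return guess
    return None


if __name__ == "__main__":
    # Constructed leaks: favorite word "Fluffy" plus a site token and "1!".
    leaks = {"amazon.com": "FluffyAma1!", "gmail.com": "FluffyGma1!"}
    scheme = infer_scheme(leaks)
    print("inferred:", scheme)                                      # ('Fluffy', 'first3_capitalised', '1!')
    print("paypal guess:", predict_password(scheme, "paypal.com"))  # FluffyPay1!

    master = "correct horse battery staple"  # constructed master secret
    derived = {s: derived_password(master, s) for s in ("amazon.com", "gmail.com")}
    print("derived leaks reveal scheme:", infer_scheme(derived))    # None
```

Two leaked formula passwords are enough to recover the template and predict the password for a third site, which is the sense in which such patterns are “recognizable”. The derived passwords show no relation between sites, but the trade-off is visible in `recover_master`: because the derivation is public, the master secret is exposed to an offline guessing attack the moment one derived password leaks, so it has to be genuinely strong. A manager that stores random passwords in an encrypted vault avoids that particular problem and moves the risk onto the vault, which is exactly the “what if they get compromised?” question.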
What’s your solution?
One thing I don’t do is reveal my solution in blog comments.
I wish more sites would consume OpenID (everyone wants to be a provider – no one wants to be a consumer). I’d probably still use more than one provider and for my most important “profiles” I’d still probably log in individually.
But having maybe a dozen accounts would definitely encourage me to change my passwords more frequently than I do now.
Zoli,
In the spirit of disclosure, last month I joined PingIdentity as an industry evangelist. Ping develops identity security and Internet SSO tools, but before that I was a high-tech reporter for 15 years, some of which was spent covering this space. On the enterprise side, companies that wish to solve these issues for their end-users and network admins should go down to the plumbing level with single sign-on tools based on standards such as SAML or WS-Federation, or look at emerging user-centric protocols such as OpenID, OAuth and InfoCards that are now mostly pointed at consumers. SAML is pretty well understood and Ping has many customers relying on SAML-based connections, but overall, all these tools are emerging as the next-generation wave of log-on techniques. The questions to ask revolve around authorization and levels of assurance, especially in the user-centric cases. There are still hurdles to cross, but these technologies are certainly pointed toward solving user name and password issues.
Here is a primer on SAML: http://bit.ly/b8NL6o (print) or (video) http://bit.ly/bQY3a7
John,
Thanks for the info. I don’t want to make this an enterprise contra consumer issue, but I think “consumers” (and that may very well include small businesses) that don’t have “IT support” are in the most imminent danger.
[...] on the other hand was a solution for the password conundrum – so good, that Ben was ready to dismiss his usual concerns. The transaction probably makes [...]