A few weeks ago, I was reading through some discussions posted on LinkedIn. One that caught my eye was, “How long should my password be?”
My first thought was, “Are people still talking about password lengths?”
Passwords are meant to authenticate users, so that each person can then be granted access only to what they need. We’ve had questions about passwords and their effectiveness since we first began using them. Everyone in the security industry has an opinion, and many of the answers you hear contradict each other.
Most systems require at least 6 or 8 characters, and some people say that length is enough as long as you also mix letters, numbers and special characters. You’ll also hear that a password simply has to be 10 or more characters long to be effective, regardless of whether it uses special characters or numbers.
I’m going to take a stand and end all discussion by saying passwords are nearly useless.
Anyone with clear intent to get to your data can usually do so in a short period of time regardless of your password. With today’s hardware it is cheap to “crack” a stolen password hash by guessing: a single GPU tests billions of candidates per second against fast, unsalted hashes such as MD5 or SHA-1, and precomputed Rainbow Tables let an attacker skip even that work against unsalted hashes (I’ll leave you to do your own Google searching if you’re not familiar with them). A per-user salt and a deliberately slow hash such as bcrypt or PBKDF2 defeat the tables and raise the cost of each guess, but they don’t save a password that is already in every attacker’s dictionary. Finally, all of this becomes moot if the attacker has physical access to the machine, or admin control via a malicious exploit, and gets hold of the password hashes on the system. What’s even easier is installing a key logger to capture every keystroke on the machine, which yields the password itself with no cracking at all. GAME OVER!
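To make the cracking point concrete, here is an added example (not from the original post) that plays attacker against two constructed password databases: one storing unsalted MD5, the other storing salted PBKDF2. The wordlist, the user names and their passwords are made up for the demonstration. It shows why a precomputed table (a rainbow table is the space-optimised version of the same idea) cracks every unsalted user with a single lookup, why salting forces the attacker to redo the work per user, and why a password that is in the dictionary still falls either way.

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist (real lists run to hundreds of millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "Summer2011!"]

# Constructed victims. Two chose the same weak password; one chose a passphrase
# that is not in the attacker's list.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "moss-kettle-48-orbit-lantern"}

ITERATIONS = 50_000  # PBKDF2 work factor; raise it as hardware gets faster


def build_lookup_table(words):
    """Precompute hash -> password for unsalted MD5. Built once, reused against
    every site that stores unsalted hashes; this is what a rainbow table compresses."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def store_unsalted(password):
    """The weak way: same password always gives the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """The better way: per-user random salt plus a deliberately slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def crack_unsalted(db, table):
    """One dictionary lookup per user; no hashing at attack time at all."""
    return {user: table.get(h) for user, h in db.items()}


def crack_salted(db, words):
    """The table is useless here: every guess must be rehashed with each user's
    own salt, so the cost is users x guesses x ITERATIONS instead of a lookup.
    Returns the passwords found and how many slow hashes the attacker paid for."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        found[user] = None
        for w in words:
            work += 1
            if hmac.compare_digest(store_salted(w, salt)[1], digest):
                found[user] = w
                break
    return found, work


def demo():
    unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    table = build_lookup_table(WORDLIST)
    return {
        # identical passwords give identical unsalted hashes: crack one, crack both
        "same_hash_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "same_hash_salted": salted_db["alice"][1] == salted_db["bob"][1],
        "cracked_unsalted": crack_unsalted(unsalted_db, table),
        "cracked_salted": crack_salted(salted_db, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and note the two outcomes that matter: alice and bob are recovered in both databases, because “letmein” is in the list, while carol survives both attacks. Salting and a slow hash only change how much the attacker pays per guess (12 PBKDF2 evaluations here instead of three table lookups); they do not rescue a guessable password.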
I’m reminded of a study from a few years ago which found that people were willing to give away their passwords in exchange for a piece of chocolate. It was never verified that the passwords given were accurate, but people have freely given me their password (without being asked) in exchange for nothing at all. Ultimately, it comes down to the weakest link, which is always the end user.
Okay, so now that I’ve destroyed any hope you had in your passwords, there’s no need to go cry in the corner. There is a more effective way to protect your assets with proper authentication. I’m a fan of multifactor authentication (a.k.a. “strong” authentication).
Note: RSA recently announced its new platform, Authentication Manager Express, which provides strong authentication without the use of tokens, making it a more cost-effective solution for SMBs. See Vaughn’s blog: “RSA Authentication Manager Express: Bringing Strong Authentication to SMBs (w/o the tokens)”.
Like using an ATM, multifactor authentication combines something you physically have with something that you know. One without the other is virtually useless.
Probably the most well-known form of multifactor authentication is the RSA SecurID token. Your password is replaced with a PIN (something you know) combined with a one-time code shown on a key fob (something you have), which changes every 60 seconds. If you lose the key fob, it’s not too much to worry about, because anyone who retrieves it will still need your username and your PIN in order to gain access. This also blunts key loggers: part of what you type is a different code every time, so a captured code is only good for its short window, and only once if the server refuses to accept the same code twice. What it does not stop is an attacker who uses the captured code within that window, so the token shrinks the exposure from “forever” to “about a minute” rather than eliminating it.
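The following is an added example, not code from the original post or from RSA: it implements the open-standard analogue of the token described above (RFC 4226 HOTP with the RFC 6238 time step, not RSA’s proprietary SecurID algorithm) together with the server-side check that combines it with a PIN. The shared secret is the published RFC test-vector key, the PIN “2468” and the timestamps are constructed for the demonstration, and the 30-second step is the RFC default rather than the fob’s 60 seconds. It shows a normal login, a key-logged PIN+code being replayed inside and outside the window, a correct code with the wrong PIN, and a fresh code.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per code; RFC 6238 default (RSA SecurID fobs use 60)
DIGITS = 6

# Constructed shared secret: the RFC 4226/6238 test-vector key, so the codes
# produced here can be checked against the published vectors.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step)


def pin_digest(pin):
    """The PIN is the 'something you know'; store it hashed like any password
    (a real deployment would use a salted, slow hash rather than bare SHA-256)."""
    return hashlib.sha256(pin.encode()).hexdigest()


class SecondFactorVerifier:
    """Server side: accepts PIN + code, tolerates +/- `window` steps of clock
    drift, and never accepts a code for a step it has already consumed."""

    def __init__(self, secret, pin_hash, window=1):
        self.secret, self.pin_hash, self.window = secret, pin_hash, window
        self.last_counter = -1  # highest step already used for a successful login

    def verify(self, submitted, now):
        pin, code = submitted[:-DIGITS], submitted[-DIGITS:]
        if not hmac.compare_digest(pin_digest(pin), self.pin_hash):
            return False  # something-you-know failed; the fob alone is not enough
        counter = int(now) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # burn this step so a captured code cannot be replayed
                return True
        return False


def demo():
    verifier = SecondFactorVerifier(SECRET, pin_digest("2468"))
    t = 59                                # RFC 6238 vector: counter 1 -> code 287082
    captured = "2468" + totp(SECRET, t)   # exactly what a key logger would record
    return {
        "code_at_t": totp(SECRET, t),
        "login": verifier.verify(captured, t),                      # legitimate user
        "replay_same_window": verifier.verify(captured, t + 10),    # attacker, seconds later
        "replay_later": verifier.verify(captured, t + 300),         # attacker, minutes later
        "wrong_pin": verifier.verify("1357" + totp(SECRET, t + 300), t + 300),
        "fresh_code": verifier.verify("2468" + totp(SECRET, t + 300), t + 300),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The replay checks are the part worth studying. Rejecting the captured code seconds later works only because the verifier remembers the last step it accepted; without `last_counter` the code would be valid for the whole drift window. Even with it, an attacker who relays the keystrokes and submits them before the legitimate login completes still wins that one session, which is the residual risk the key fob cannot remove.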
As always when talking about security, layers are necessary. There is no such thing as being totally “secure”. Multifactor authentication is a great piece of the puzzle, but we still need other measures against malicious code (e.g. viruses, key loggers, rootkits, etc.), because a key logger or rootkit on the endpoint still sees the PIN and can ride the session the token just unlocked. All systems need to be hardened against the various ways they can be broken into. That’s why we still need firewalls, intrusion prevention systems and the like.
[Photo credit to Mike Gdovin via Flickr]