WatchGuard Wire
Improve Your Security IQ
What to do when 1 in 3 users jot down passwords
USA Today reports on
a study that found 1 in 3 employees writes down their computer passwords, undermining
network security. This triggered several responses in my mind.
First, the study itself seems untrustworthy: only 325 employees were surveyed,
and information on exactly how Nucleus Research and KnowledgeStorm conducted
the study is not offered. No big deal, though. Despite the small sample size and
unknown methodology, I think most of us believe that some users on
our networks write their passwords down. Perhaps not a full third of our user
population, but probably enough users to worry about.
But I disagree with the interpretation of the study's results. The write-up
claims that the study demonstrates "companies should
look to more advanced methods, including biometrics, to ensure their systems
are safe." I call "BS!" My sensors
detect a biometric company's press release being reproduced verbatim by
the media.
I've got nothing against biometrics (although they can cause problems of their
own), but not every business has the budget and the staff to implement and
support additional complex technology. Besides, the cure for weak
passwords is much simpler:
- Make it your company's explicit policy that no one is allowed to write
their network passwords down.
- Change your password policy so that users can make up any password they
want, as long as it's at least 15 characters long.
Researcher Mark Burnett did the math. He explains in his book Perfect
Passwords that from a
code-breaking standpoint, forcing users to create passwords with numbers,
special characters, capitalization, and so on, does not make a password
stronger than using all lower-case letters and adding two characters
to the length. A password
traditionally considered strong, such as "@#$%yl3ooP", is actually
no stronger than a password such as "You
had me @ hello" or "The
force is strong with this one." The number of possible
character combinations grows exponentially when you add a couple of characters
to the password's length. And obviously, plain English passphrases are
much easier to remember.
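To make the length-versus-complexity trade-off concrete, here is a small Python calculator added to this article (it is not from the original post or from Burnett's book). It estimates the alphabet an attacker would have to search from the character classes present in a password and multiplies that out over the length; the split of printable ASCII into 26 + 26 + 10 + 33 symbols, and the class sizes themselves, are assumptions of the example.

```python
import math
import string

# Character classes of printable ASCII (95 symbols in total). Treating
# punctuation plus the space character as one 33-symbol class is an
# assumption of this example, not something the article specifies.
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "other": (frozenset(string.punctuation + " "), 33),
}
ALL_CHARS = frozenset().union(*(chars for chars, _ in CLASSES.values()))


def alphabet_size(password: str) -> int:
    """Alphabet an attacker who knows which classes are in use must search:
    the union of every class that appears at least once in the password."""
    if not password or not set(password) <= ALL_CHARS:
        raise ValueError("only non-empty printable-ASCII passwords are modelled")
    return sum(n for chars, n in CLASSES.values() if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the candidate count (alphabet ** length) a brute-force
    attacker who knows the alphabet and the length has to cover."""
    return len(password) * math.log2(alphabet_size(password))


def policy_bits(alphabet: int, length: int) -> float:
    """Same measure for a policy rather than a concrete password, e.g.
    policy_bits(26, 15) for 'at least 15 lower-case letters'."""
    return length * math.log2(alphabet)


def compare(passwords):
    """Rows of (password, alphabet, length, bits), weakest first."""
    rows = [(p, alphabet_size(p), len(p), search_space_bits(p)) for p in passwords]
    return sorted(rows, key=lambda row: row[3])


if __name__ == "__main__":
    # The three example passwords quoted in the article above.
    examples = ["@#$%yl3ooP", "You had me @ hello",
                "The force is strong with this one."]
    for pw, alpha, n, bits in compare(examples):
        print(f"{pw!r:38} alphabet={alpha:3d} length={n:3d} {bits:6.1f} bits")
    print(f"policy: 15 lower-case letters      -> {policy_bits(26, 15):.1f} bits")
    print(f"policy: 8 chars from all 95 symbols -> {policy_bits(95, 8):.1f} bits")
```

The measure is the size of a naive brute-force space; a dictionary or Markov attack on a famous movie quote covers far fewer candidates, so a passphrase built from an obscure or altered line is a better choice than one every fan knows.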
So, before anyone runs out to spend big money on putting the Sweat Analyzer
3000 at each doorway or the RetinalScanitron XL at each workstation, why not
try the cash-free method of improving user password habits? Employees will
be less likely to write down passwords if they know a) they could get fired
for doing so, and b) they can make an easily-remembered password from any movie,
song, scripture, or poem they like. -- D. Scott Pinzon, CISSP
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.