Enterprise IT Watch Blog » Newsweek http://itknowledgeexchange.techtarget.com/IT-watch-blog What's new and what matters in IT news, opinion and analysis. Wed, 22 May 2013 13:27:45 +0000 en-US hourly 1 Everyone hates your insecure password rules http://itknowledgeexchange.techtarget.com/IT-watch-blog/everyone-hates-your-insecure-password-rules/ http://itknowledgeexchange.techtarget.com/IT-watch-blog/everyone-hates-your-insecure-password-rules/#comments Wed, 21 Oct 2009 04:20:52 +0000 Michael Morisy http://itknowledgeexchange.techtarget.com/IT-watch-blog/?p=177 Nick Summer spent an entertaining afternoon with William Cheswick, author of Firewalls and Internet Security: Repelling the Wily Hacker and a godfather, at least, of modern password policy. It’s a follow up to an earlier piece about how broken password systems are, while offering a peak at what Carnegie Mellon University’s cyber-security-research department and others are doing to fix it.

Cheswick himself offered up some alternatives:

  • Passmaps. Users pick a geographic location special to them─like a small lake in the Adirondacks. Zooming way in on Google Maps, the user copies the latitude and longitude. This creates a long password, difficult to guess, that the user doesn’t have to memorize. Mine might be 40.730487,-73.984431.
  • Passgraphs. This one’s not exactly user friendly for anyone who hated math class. It requires you to zoom in on a particular point in a Mandelbrot set and use those coordinates as your password─basically, the same idea as passmaps above, but it doesn’t require any interaction with a map service owned by Google or Microsoft.
  • Passwords transmitted in plain sight. Baseball players, Cheswick notes, use passwords all the time: they take elaborate signs from base coaches in full view of their opponents, fans, and TV viewers. They look complicated, but hey, if dimwitted jocks can use them, there must be an underlying simplicity that anyone can master, and that would obviate the danger of bad stuff like malware and keyloggers.

Even in a best case scenario these solutions are all impractical today, and quite possibly for the foreseeable future but Cheswick says it’s still a problem worth thinking hard about, and I’m sure your users would agree. As the recent Hotmail phishing attacks reminded us, for far to many users “123456″ is still the last line of defense.[kml_flashembed movie="http://www.youtube.com/v/K95SXe3pZoY" width="425" height="350" wmode="transparent" /]

Fortunately, for those that still must deal with passwords, both as administrators and users, the ITKnowledgeExchange forums have plenty of advice:

So, how would you do away with passwords if you could? And what are you doing in the meantime (read: the real world) to make them an effective security measure and not a PITA? Let me know in the comments or e-mail me at Michael@ITKnowledgeExchange.com.
]]> http://itknowledgeexchange.techtarget.com/IT-watch-blog/everyone-hates-your-insecure-password-rules/feed/ 0