Enterprise IT Watch Blog

Oct 20 2009   11:20PM GMT

Everyone hates your insecure password rules

Michael Morisy

Nick Summer spent an entertaining afternoon with William Cheswick, author of Firewalls and Internet Security: Repelling the Wily Hacker and a godfather, at least, of modern password policy. It’s a follow-up to an earlier piece about how broken password systems are, while offering a peek at what Carnegie Mellon University’s cyber-security research department and others are doing to fix it.

Cheswick himself offered up some alternatives:

  • Passmaps. Users pick a geographic location special to them, like a small lake in the Adirondacks. Zooming way in on Google Maps, the user copies the latitude and longitude. This creates a long password, difficult to guess, that the user doesn’t have to memorize. Mine might be 40.730487,-73.984431.
  • Passgraphs. This one’s not exactly user friendly for anyone who hated math class. It requires you to zoom in on a particular point in a Mandelbrot set and use those coordinates as your password: basically, the same idea as passmaps above, but it doesn’t require any interaction with a map service owned by Google or Microsoft.
  • Passwords transmitted in plain sight. Baseball players, Cheswick notes, use passwords all the time: they take elaborate signs from base coaches in full view of their opponents, fans, and TV viewers. They look complicated, but hey, if dimwitted jocks can use them, there must be an underlying simplicity that anyone can master, and that would obviate the danger of bad stuff like malware and keyloggers.
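An added example (not from the post or from Cheswick's work) showing why the complexity rules in the title and the passmap idea above collide: a typical "upper, lower, digit, symbol" rule rejects a coordinate password that is far harder to guess than a short PIN, while happily accepting a weak dictionary-plus-suffix password. The rule, the entropy estimate and the sample passwords are all constructed here for illustration.

```python
import math
import string


def passes_complexity_rule(pw: str) -> bool:
    """A common legacy rule: at least 8 chars and all four character classes."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return len(pw) >= 8 and has_upper and has_lower and has_digit and has_symbol


def passmap_password(lat: float, lon: float, decimals: int = 6) -> str:
    """Render a passmap the way the post writes it: 'lat,lon' at fixed precision."""
    return f"{lat:.{decimals}f},{lon:.{decimals}f}"


def passmap_guess_bits(decimals: int = 6) -> float:
    """Upper bound on guessing work if every point on Earth were equally likely.

    Caveat for defenders: a user picks a place that matters to them, so the
    realistic search space (named lakes, home addresses, ...) is far smaller
    than this bound. Treat it as a ceiling, not a guarantee.
    """
    lat_points = 180 * 10**decimals + 1   # -90.000000 .. 90.000000
    lon_points = 360 * 10**decimals + 1   # -180.000000 .. 180.000000
    return math.log2(lat_points * lon_points)


def numeric_pin_bits(length: int) -> float:
    """Guessing work for an all-digit password such as '123456'."""
    return length * math.log2(10)


def rule_verdicts() -> dict:
    """Rule outcome for the post's passmap, a weak PIN and a rule-pleasing password."""
    samples = {
        "passmap": passmap_password(40.730487, -73.984431),
        "pin": "123456",
        "rule_pleaser": "Password1!",   # constructed; common dictionary word + suffix
    }
    return {name: passes_complexity_rule(pw) for name, pw in samples.items()}


if __name__ == "__main__":
    print(rule_verdicts())
    print(f"passmap bound: {passmap_guess_bits():.1f} bits")
    print(f"6-digit PIN:   {numeric_pin_bits(6):.1f} bits")
```

The rule accepts the dictionary word with a suffix and rejects the coordinate string, even though the coordinate string has roughly 56 bits of guessing work against about 20 for a six-digit PIN.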

Even in a best-case scenario these solutions are all impractical today, and quite possibly for the foreseeable future, but Cheswick says it’s still a problem worth thinking hard about, and I’m sure your users would agree. As the recent Hotmail phishing attacks reminded us, for far too many users “123456” is still the last line of defense.

Fortunately, for those who still must deal with passwords, both as administrators and users, the ITKnowledgeExchange forums have plenty of advice:

So, how would you do away with passwords if you could? And what are you doing in the meantime (read: the real world) to make them an effective security measure and not a PITA? Let me know in the comments or e-mail me at Michael@ITKnowledgeExchange.com.
