Password Issues
Protecting resources with a username and password combination is a very
common approach, but the risks associated with it can be very great. They are
described below.
For passwords protecting
network and internet services:
- Any password shorter than 8 characters presents a serious risk of being
recovered within hours by an attacker who obtains the stored password hash and
cracks it offline.
- Non-random passwords longer than this (dictionary words, names, dates and
predictable substitutions) also present a serious risk, because cracking tools
try such patterns before resorting to brute force.
- Strong passwords are currently considered to be those of 8 or more random
alphanumeric characters of mixed case, which gives 62^8 possibilities, or
roughly 48 bits of entropy.
- The password length required for a good level of protection increases as
attackers' processing power increases, so any fixed minimum is a moving
target.
- Strong passwords are very difficult to remember, and this only gets harder
as the required length grows.
- Re-using a password for different purposes is dangerous, since a breach of
one service exposes every other service using the same password, so multiple
passwords are needed.
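To put numbers on the claims above, here is an added example (not part of the
original page) that estimates how long exhausting a password keyspace takes and
how the required length grows with the attacker's guess rate. The scenario
(offline cracking of an obtained hash) and the rate of 10^10 guesses per second
are assumptions chosen for illustration, not figures from this page.

```python
import math

# Constructed assumptions for the estimate: the attacker has obtained the
# stored hash and guesses offline against a fast hash on one GPU. The rate is
# illustrative, not a measurement from this page.
ALNUM_MIXED_SIZE = 62            # a-z, A-Z, 0-9
GUESSES_PER_SECOND = 10**10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every string of this length: the attacker's worst case.
    Only random passwords get this bound; guessable ones fall much sooner."""
    return alphabet_size ** length / rate / 3600


def minimum_length(alphabet_size: int, rate: int, target_years: float) -> int:
    """Smallest length whose full keyspace takes at least target_years to
    exhaust at the given rate. Raising the rate shows the required length
    growing with attacker processing power."""
    target_hours = target_years * 365 * 24
    n = 1
    while hours_to_exhaust(alphabet_size, n, rate) < target_hours:
        n += 1
    return n


if __name__ == "__main__":
    for n in (6, 8, 10, 12):
        print(f"{n:2d} random chars: {entropy_bits(ALNUM_MIXED_SIZE, n):5.1f} bits, "
              f"{hours_to_exhaust(ALNUM_MIXED_SIZE, n):>14.2f} hours to exhaust")
    for rate in (10**10, 10**12):
        print(f"100-year margin at {rate:.0e} guesses/s needs "
              f"{minimum_length(ALNUM_MIXED_SIZE, rate, 100)} random chars")
```

Under these assumptions 8 random mixed-case alphanumerics are exhausted in
about six hours, which is the "matter of hours" figure above; a hundredfold
faster attacker pushes the length needed for a century of margin from 11 to 12
characters, and the same arithmetic applies to whatever rate you assume.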
The conclusion that many people are coming to is:
- To get sufficient protection, passwords must be so complex, and so many are
needed, that most people cannot remember them all.
- If that is the case they must be recorded somewhere. For sensitive
information this is preferable to using weak passwords.
- Writing a password down in a disguised form is preferable to choosing a weak
password.
- Using a software 'password safe' is a good alternative, provided the
password safe software comes from a trustworthy source.
Password Safes
Password safes, or vaults, are based around files containing the usernames and
passwords, encrypted with strong encryption and protected by a master password.
- They allow each stored password to be significantly longer than the minimum
safe length and made up of random characters, since it no longer has to be
remembered.
- Some of them support unlocking with a combination of a password and a
digital key (a key file).
- A password combined with a key file held on a USB memory stick is a good
choice, provided the memory stick is kept separate from the PC when not in
use: an attacker who copies the vault file then has neither the password nor
the key.
- Open Source password safes have the benefit that their code can be peer
reviewed, although that is only a benefit if someone has actually reviewed it.
- Password safes must themselves be protected by a strong master password, so
the problem has been reduced to remembering just one.
- The encrypted password file should be backed up regularly, and the key file
with it (stored separately from the vault backup), since the vault cannot be
opened without both.
- Since the impact of forgetting the master password is great, it should be
written down in a disguised form and stored in a safe place.
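The following is an added illustration, not the code of any password safe
product, of the structure the list above describes: a file of username and
password entries, a slow key derivation from the master password mixed with an
optional key file, and authenticated encryption so that a wrong password, a
wrong key file or a corrupted backup is detected rather than decrypted into
garbage. It uses only the Python standard library, so the cipher is HMAC-SHA256
in counter mode rather than AES (an assumption made to keep it self-contained;
a real safe would use AES-GCM or similar). The iteration count, field sizes,
class and function names and the sample entry are likewise assumptions.

```python
import hashlib
import hmac
import json
import secrets
import string
import struct
from typing import Optional

# Assumed parameters for this illustration: PBKDF2-HMAC-SHA256 for the master
# key, HMAC-SHA256 for keystream and tag (no AES in the standard library).
KDF_ITERATIONS = 600_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def composite_secret(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Mix the master password with the key file kept on the USB stick;
    both are needed to open the vault, either alone is useless."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_keys(secret: bytes, salt: bytes):
    """Slow, salted KDF so guessing the master password is expensive, then
    separate keys for encryption and authentication."""
    km = hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS)
    return (hmac.new(km, b"enc", "sha256").digest(),
            hmac.new(km, b"mac", "sha256").digest())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. File layout: salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(secret, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def unseal(secret: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong password or key file, or a
    corrupted backup, is rejected instead of yielding garbage."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or key file, or vault corrupted")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def random_password(length: int = 24, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Stored passwords never have to be remembered, so make them long and
    random, from a CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class PasswordSafe:
    def __init__(self, entries: Optional[dict] = None):
        self.entries = dict(entries or {})

    def add(self, site: str, username: str, length: int = 24) -> str:
        password = random_password(length)
        self.entries[site] = {"username": username, "password": password}
        return password

    def save(self, master_password: str, key_file: Optional[bytes] = None) -> bytes:
        """Encrypted vault bytes: write them to disk and back them up."""
        data = json.dumps(self.entries, sort_keys=True).encode("utf-8")
        return seal(composite_secret(master_password, key_file), data)

    @classmethod
    def load(cls, blob: bytes, master_password: str,
             key_file: Optional[bytes] = None) -> "PasswordSafe":
        data = unseal(composite_secret(master_password, key_file), blob)
        return cls(json.loads(data.decode("utf-8")))


if __name__ == "__main__":
    key_file = secrets.token_bytes(64)        # made once, kept on the USB stick
    safe = PasswordSafe()
    safe.add("mail.example.test", "alice")    # constructed sample entry
    blob = safe.save("the one passphrase still to remember", key_file)
    print(PasswordSafe.load(blob, "the one passphrase still to remember",
                            key_file).entries)
```

Two design points worth noting: the salt is stored in the file and a fresh one
is used on every save, so two copies of the same vault (the live file and its
backup) never share key material; and the tag is checked with a constant-time
comparison before any decryption, so the only thing a wrong password, a missing
key file or a damaged backup yields is an error.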