I recently read with admiration a tech article written by a
security expert being open and honest about computer, network and online
account security access passwords. Even though she understands the importance
of strong security, she wrote of the woes of trying to remember different
passwords to her many accounts. Finally exasperated, she gave up change and now
maintains a policy of a single password for all accounts.
This works for her and can work you as well, unless you access
defense contractor, Department of Defense networks or DoD or other government
maintained websites and systems such as Defense Security Services’ JPAS,
training, SPeD certification, databases, or the applications offered by many
other agencies. Where most could get away with using a single password on
multiple systems, each of these DoD systems require unique password
structures. One single password will not
work.
For example, in most of my online business profiles for
email, social media, banking and etc, I can use a common password consisting of
letters and maybe a number for good measure. In many cases, the sites help you
determine the strength of your password so that you can adjust to however you
feel comfortable. You might get a red, amber or green indication with green representing
the most protection, but in most cases any password is acceptable if you are
comfortable with the results.
In these cases, you can use words or numbers that you are
familiar with such as: carman311, cookiemom214, or securitydave2. You may never
forget your password as they are not too difficult. However, such familiarity
and comfort also create greater vulnerabilities with the level ease required
for breaking your code.
Now bring on websites like the ones mentioned above. The
company I work for requires uppercase, lowercase, numbers and symbols. DoD
sites require the same, as do some classified and unclassified networks. So,
simple, adopt a more complicated version of an already used password such as
Jollyrancher now might be jollyrancher55672%%^&@ if you add in your address
and associated symbols. Then use them for all the multiple applications and you
are home free, right?
Not so fast. Where upper and lowercase, numbers and symbols
are required; each application may require different combinations. For example
one website requires that the passwords DO NOT have repeating characters.
Yikes, this eliminates many words such as: jollyrancher, mollymoocow, muddywaters,
suggestive, message, eliminate, tellingword, and many more words. Now we now
have to have at least two passwords to access all of our accounts. Ok, I can do
that.
Not really. So, maybe you have the words with non repeating
letters, but now you have to make sure your number combinations and
symbols don’t repeat as well. So, there
goes Jollyrancher55672%%^&@. Now you have to vary your password with simple
nuances that might be hard to remember. So, maybe I spell it
JOlyrancher54672%$^&@ and hope you remember those simple nuances. This
might at least require at least three passwords (don’t forget the ones you
already have for banking and social networks; add those to the count as well).
I can go on about some password requirements that do not
allow the use of certain special characters, but I think you get the point now.
The password protection requirements are designed specifically for you not to
use familiar terms and NOT to use the same password for multiple applications.
We can all agree that that makes for great security, but is it even practical
or fair? Heck, try accessing a secure website using those complicated policies
from a smartphone where the special characters are no longer above the
corresponding numbers…sheesh!
So, the passwords are more secure now as probability of
guessing the passwords has just plummeted. But now there is a new risk
introduced. I CAN’T REMEMBER MY PASSWORD SO NOW I HAVE TO WRITE IT DOWN.
Ok, I know security and IT folks hate to admit this, but it
actually happens. In spite of the hours, days and years of security training,
people are still writing down passwords.
Sure, you get the up and down nod from
employees understanding the importance of protecting passwords, but that’s just
acknowledgement. The reality is, many of us can’t remember multiple complicated
assemblies of letters, numbers and symbols. The industry has given us no
choice.
There is hope. In the past few years the Common Access Card
and similar “who am I” technology has made passwords almost obsolete. All you
need is to register the credentials and you can gain access. There are still
some restrictions such as those websites, internal networks, and other places
or situations where such credentials aren’t accepted or implemented. Until
then, we just have to make do.
Can we eliminate the password requirement? There are other
alternatives such as password generator, answering security questions, or even
a card with pre-loaded credentials that can be used in combination with a pin
number to provide similar great security. These only require a single pin code
to access a world of information. No need to remember complicated and multiple formulas.
The lesson here is, if it’s in your control, don’t make
security too hard to work with. Protecting sensitive and personal data is very
important and in most cases contractual requirement. However, the methods are
not always proscribed. This leaves room for alternative ways to protect
information that is both easy for the user and safe for the information being
protected. The relationship between user and information
provides better protection.
For more security tips, keep following this blog or sign up for our newsletter. We also have great security training and books at www.redbikepublishing.com
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".