Something You Know


This refers to anything that needs to be remembered to prove your identity. The information remembered could be of the following types:

  • Passwords

  • Pass phrases

  • PINs

  • Secret handshakes

Passwords are the most frequently used form of authentication. A password authenticates you with information that only you are supposed to know: if you supply a computer with the proper password, it authenticates you as that user. Passwords, however, have well-known problems: they can be stolen, written down in easily accessible locations, shared, or guessed. To strengthen passwords, they are normally implemented with a supporting policy. Sharing passwords, writing them down, or not changing them frequently violates most password policies. Automated methods can be used to enforce such a policy: the number of days between password changes and the strength of a password can be enforced through an operating system or an application that supports a strong password policy. A strong password policy would include rules like the following:

  • A password must be a minimum number of characters in length (e.g., 8).

  • A password must include characters of both upper and lower cases.

  • A password must contain numeric and non-numeric characters.

  • A password cannot repeat any character more than a certain number of times.

  • A password can be used only a certain number of days.

  • A password cannot contain a substring of the username, company name, or any other easy-to-guess words.

  • Insert your favorite esoteric password rule here.

As you can see, a good password is not easy to remember and is difficult to devise. Most people have a hard enough time remembering where their car keys are, let alone remembering a password that looks like something that was dropped on a keyboard. So, what do we do if we can't remember something? We write it down, we tell our friends in case we forget, and we don't change it! The password that started out as a strong form of authentication is now an open secret stuck on a Post-it note on our monitor!

Users do many wrong things with passwords because their passwords are not convenient to remember. Users will write their passwords down on sticky notes on the sides of their monitors. They will even write their passwords and user IDs on their keyboards!

So forcing strong passwords on users can backfire and actually decrease security. Giving users a simpler password policy would weaken the passwords themselves, but it should at least give them passwords they can remember.

A weak password policy has the following characteristics:

  • The password is short in length.

  • Characters of different cases need not be used in the password.

  • No numeric or non-alphanumeric characters need to be used in the password.

  • Characters may be repeated many times.

  • The user never has to change the password.

  • The password may be composed of character strings from the username, company name, or something easily guessed.
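
The two rule sets above (the strong policy listed earlier and the weak policy just listed) can be made concrete as a checker. The following is an added example, not code from the book: it encodes the strong policy's rules beside a weak policy in which every rule is switched off, and reports which rules a candidate password violates. The 90-day lifetime, the company name "ExampleCorp", the three-character minimum for the "substring of the username" rule, the username "alice" and the candidate passwords are all assumptions constructed for illustration; the text specifies none of them.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """One rule set; 0 / False means the rule is not enforced."""
    min_length: int = 0
    require_mixed_case: bool = False
    require_digit_and_nondigit: bool = False
    max_repeat: int = 0                 # max times any one character may appear
    max_age_days: int = 0               # 0 = the password never expires
    check_username: bool = False        # reject pieces of the username
    forbidden_words: List[str] = field(default_factory=list)  # company name etc.


# The strong policy from the first bullet list. The 90-day lifetime and the
# company name "ExampleCorp" are assumed values; the text gives neither.
STRONG = PasswordPolicy(min_length=8, require_mixed_case=True,
                        require_digit_and_nondigit=True, max_repeat=2,
                        max_age_days=90, check_username=True,
                        forbidden_words=["ExampleCorp"])

# The weak policy from the second bullet list: every rule switched off.
WEAK = PasswordPolicy()


def _shares_slice(pw_lower: str, word: str, n: int = 3) -> bool:
    """True if any n-character slice of `word` occurs in the password.
    Without a minimum slice length (3 is an assumption) any single letter
    shared with the username would trip the 'substring of the username' rule."""
    w = word.lower()
    return any(w[i:i + n] in pw_lower for i in range(len(w) - n + 1))


def check_password(pw: str, policy: PasswordPolicy, username: str = "",
                   age_days: Optional[int] = None) -> List[str]:
    """Return the rules `pw` violates under `policy` (empty list = accepted).
    `age_days` is the number of days since the password was last changed."""
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (
            any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit_and_nondigit and not (
            any(c.isdigit() for c in pw) and any(not c.isdigit() for c in pw)):
        problems.append("needs numeric and non-numeric characters")
    if policy.max_repeat:
        most = max((pw.count(c) for c in set(pw)), default=0)
        if most > policy.max_repeat:
            problems.append(f"a character repeats more than {policy.max_repeat} times")
    lowered = pw.lower()
    words = ([username] if policy.check_username else []) + policy.forbidden_words
    for word in words:
        if word and _shares_slice(lowered, word):
            problems.append(f"contains part of {word!r}")
    if policy.max_age_days and age_days is not None and age_days > policy.max_age_days:
        problems.append(f"{age_days} days old, limit is {policy.max_age_days}")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates for a user named "alice".
    for candidate in ["password", "Alice2003!", "aaaBBB11", "Xk7#pQv2mL"]:
        strong = check_password(candidate, STRONG, username="alice", age_days=59)
        weak = check_password(candidate, WEAK, username="alice", age_days=59)
        print(f"{candidate:12} strong -> {strong or 'OK'}   weak -> {weak or 'OK'}")
```

Run stand-alone, the block prints each candidate's verdict under both policies: the weak policy accepts everything, including the bare username, while the strong policy rejects "password" on two counts, "Alice2003!" for containing part of the username, and "aaaBBB11" for the triple "a". Age is passed in as a day count rather than a date so the same function can be driven from whatever record the operating system keeps of the last change.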

As you can see, a user should really have an easy time thinking of a password that can be remembered, especially if the user has used a simple password policy. What we forget is that users are human. So, in typical human fashion, they still write passwords down, they share passwords because they are simplified, and they do not change passwords because they can finally remember them!

The much-maligned password does have its place, however. Whether a password is adequate depends mostly on what is being protected. If I want to restrict access to my address book, a password may be sufficient: if it is compromised, the entries could be changed or exposed with little harm. On the other hand, protecting a critical system with only a password makes about as much sense as picking the word "password" as the password.

Passwords present a paradox: no matter which password policy we choose, the "Barbarians at the gate" could still get in. Maybe passwords point us in the direction of better factors of authentication. The biggest obstacle to users choosing strong passwords is the inconvenience of the password itself. Therefore, the more convenient the authentication method, the stronger we can afford to make it. This in itself seems impossible: normally, as user convenience increases, the strength of authentication decreases, and the password is the perfect example. If other technologies could give us increased user convenience and increased security at the same time, we would have the best of both worlds.



Biometrics for Network Security (Prentice Hall Series in Computer Networking and Distributed)
ISBN: 0131015494
Year: 2003
Pages: 123
Authors: Paul Reid
