This refers to anything that needs to be remembered to prove your identity. The information remembered could be of the following types:
Passwords are the most frequently used form of authentication. A password authenticates you with information that only you know: if you supply a computer with the proper password, it authenticates you as that user. Passwords, however, have the following problems: they can be stolen, written down in easily accessible locations, shared, or guessed. To strengthen passwords, they are normally implemented with a supporting policy. Sharing passwords, writing them down, or not changing them frequently violates most password policies. Automated methods can be used to enforce a password policy: the number of days between password changes and the strength of a password can be enforced through an operating system or an application that supports a strong password policy. A strong password policy would include rules like the following:
As you can see, a good password is not easy to remember and is difficult to devise. Most people have a hard enough time trying to remember where their car keys are, let alone remembering a password that looks like something that was dropped on a keyboard. So, what do we do if we can't remember something? We write it down, we tell our friends in case we forget, and we don't change it! This password that started out as a strong form of authentication is now an open secret stuck with a Post-it note on our monitor! Users do many wrong things with passwords because their passwords are not convenient to remember. Users will write their passwords down on sticky notes on the sides of their monitors. They will even write their passwords and user IDs on their keyboards! So, it seems that forcing strong passwords on users actually backfires and, in fact, ends up decreasing security. If a user were instead given a simpler password policy, the password itself would be weaker, but it would be easier for the user to remember. A weak password policy has the following characteristics:
As you can see, a user should really have an easy time thinking of a password that can be remembered, especially if the user has used a simple password policy. What we forget is that users are human. So, in typical human fashion, they still write passwords down, they share passwords because they are simplified, and they do not change passwords because they can finally remember them! The much-maligned password does have its place, however. The applicability of a password is more a factor of what is being protected. If I want to restrict access to my address book, a password may be sufficient. If it is compromised, the entries could be changed or exposed with little harm. On the other hand, protecting a critical system with only a password makes as much sense as picking the word "password" for access. Passwords seem to present a paradox: no matter what password policy we choose, the "Barbarians at the gate" could still get in. Maybe passwords do point us in the direction of better factors of authentication. It seems that the biggest obstacle to users using strong passwords is the inconvenience of the password itself. Therefore, the more convenient the authentication method used, the stronger we can make it. This in itself seems impossible. Normally, as user convenience increases, the strength of authentication decreases. The perfect example is the password. If other technologies could be found to give us increased user convenience and increased security at the same time, then we would have the best of both worlds.
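As an added illustration (not code from the book) of the automated enforcement described above, the following Python compares a strong and a weak policy on the same candidate passwords and checks the days-since-last-change rule; the length, character-class and maximum-age thresholds are assumed values chosen for the example, not the book's rules.

```python
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules an operating system or application can enforce automatically."""
    min_length: int
    required_classes: int   # how many of: lowercase, uppercase, digit, punctuation
    max_age_days: int       # longest permitted interval between password changes


# Two illustrative policies; the thresholds are assumptions for this example.
STRONG_POLICY = PasswordPolicy(min_length=12, required_classes=3, max_age_days=90)
WEAK_POLICY = PasswordPolicy(min_length=6, required_classes=1, max_age_days=365)


def character_classes(password: str) -> int:
    """Count how many distinct character classes the password draws from."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def strength_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy rules a candidate password breaks (empty when it complies)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.required_classes:
        problems.append(f"uses fewer than {policy.required_classes} character classes")
    return problems


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True when the password has gone longer than the policy allows without a change."""
    return (today - last_changed).days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample passwords: a simple word and a long mixed-class string.
    for candidate in ("sunshine", "Tr0ub4dor&3-keyboard"):
        for name, policy in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY)):
            print(name, candidate, strength_violations(candidate, policy) or "ok")
```

The same word passes the weak policy and fails the strong one, which is exactly the trade-off the text describes: the policy, not the user, decides what counts as acceptable.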