
September 2014


Leading advocate for the banking industry in Kansas

PASSWORD FATIGUE

By Mark Faske, CoNetrix

Fifteen years ago, some of the hot topics in the information security community were the implementation of smart cards and biometrics for authentication. The purpose of these security tools (at least partially) was to replace passwords with something we don’t have to remember. Over time, neither of these solutions has panned out for the majority of us as a method to replace passwords. Granted, both methods saw limited implementations, but the masses likely have never used these technologies, or use them only in a limited fashion.

Today, we’re absolutely inundated with passwords, in both our business and personal lives. The advancement of the Internet and social media has vastly compounded this problem. The number of passwords we must remember has exploded, leaving all of us to deal with the resulting complexity. As an information security professional, I frequently get asked, “How are we supposed to remember all of these passwords when we’re not supposed to use the same password for all our requirements and we’re required to use a complex password?” Before answering, I typically commiserate with the anguish that dealing with passwords adds to our daily lives. I’m in the same boat, after all.

Unless you have an astounding memory or you use a ridiculously simple password for all your logins, you’ll likely need some help managing your myriad user IDs and passwords. Over the last several years, a number of software applications have come about to help us with password management. Some are free and others require a paid license. The ever helpful Wiki website provides a short list of commonly used applications at: http://goo.gl/XK7Pyh.

I have personal experience with several of the products on this list, and I can vouch that these tools can help reduce your password anguish. In addition to helping organize your passwords, some of the applications also offer password generation capability and can integrate with the cloud. The really cool thing about password management tools is that you only have to remember one password: the password to open the application itself. Many of the applications are capable of automatically entering credentials for you, so you don’t have to remember them. I use this capability every day and know very few of my passwords. Some of the solutions also offer mobile applications, which can be really useful. I know that many people now use their mobile phones to store their passwords in various places, but that alone is really not a secure or practical solution. Using an application that safely encrypts and/or enters your passwords is a better solution. Mobile devices are lost or stolen all the time, which puts your password information at risk.

To close, let’s finish with a short discussion on password complexity. I am continually asked, “How do I develop a strong password?” Since the majority of us work predominantly in the Windows world, that’s what I’ll cover. A strong password combines password length with a mix of the character types used in the password. To create a very strong password in Windows, a password length of 15 characters is recommended. This far surpasses many strong password recommendations, but advancements in password cracking technology and computing power necessitate this length. Obviously a password of 15 characters is going to be difficult to remember, so the use of passphrases is recommended over a jumbled mass of characters that none of us can remember…unless we write it down (which is where the password management tools come in). Many of you may have been trained not to use words in your password, but words can be used as long as they are separated by spaces and some level of number/letter substitution is used. For example, the passphrase “P@ssphrases are memorabl3.” would be an excellent passphrase to use. It’s easy to remember, lengthy, and contains numbers, lower case letters, upper case letters, special characters and punctuation.
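To make the criteria above concrete, here is an added example (not code from the article or from CoNetrix) that encodes them as a policy check and a small passphrase generator in the same style as the “P@ssphrases are memorabl3.” example. The 15-character minimum, the required character classes, the three-word threshold for calling something a passphrase, the substitution table and the wordlist are all assumptions chosen for the demonstration.

```python
"""Password policy check and passphrase generator (added example).

Encodes the article's guidance as an assumed concrete policy: at least
15 characters, a mix of upper/lower/digit/special characters, and, for
memorability, dictionary words separated by spaces with some
number/letter substitution.
"""
import secrets

MIN_LENGTH = 15   # assumed threshold, taken from the article's Windows guidance
MIN_WORDS = 3     # assumed: how many space-separated words make a "passphrase"

# Constructed wordlist for the demo. A real deployment would use a large
# published list so that the random word choice itself carries the entropy.
WORDS = [
    "harvest", "granite", "window", "meadow", "silver", "orbit", "lantern",
    "quarter", "velvet", "thunder", "cobalt", "marble", "pioneer", "summit",
]

# Assumed substitution table: letters the generator may swap for a digit/symbol.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("special")  # punctuation and symbols
    return classes


def check_policy(password: str) -> dict:
    """Evaluate a password against the assumed policy and report why it passes or fails."""
    classes = character_classes(password)
    return {
        "length": len(password),
        "long_enough": len(password) >= MIN_LENGTH,
        "classes": sorted(classes),
        "mixed": {"lower", "upper", "digit", "special"} <= classes,
        "is_passphrase": len(password.split()) >= MIN_WORDS,
    }


def is_strong(password: str) -> bool:
    """The article's two requirements: long enough AND a mix of character types."""
    report = check_policy(password)
    return report["long_enough"] and report["mixed"]


def substitute_one(word: str, rng=secrets) -> str:
    """Replace one substitutable letter in the word, chosen at random."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in SUBSTITUTIONS]
    if not positions:
        return word
    i = rng.choice(positions)
    return word[:i] + SUBSTITUTIONS[word[i].lower()] + word[i + 1:]


def generate_passphrase(count: int = 4, rng=secrets, attempts: int = 100) -> str:
    """Build a space-separated passphrase in the style of the article's example.

    rng only needs a .choice() method; the secrets module supplies a CSPRNG one.
    One draw is not guaranteed to pass (substitutions may yield only symbols and
    no digit, or the first word may start with a substituted character), so the
    generator retries until is_strong() accepts the candidate.
    """
    for _ in range(attempts):
        chosen = [substitute_one(rng.choice(WORDS), rng) for _ in range(count)]
        chosen[0] = chosen[0][0].upper() + chosen[0][1:]  # capitalise the first word
        candidate = " ".join(chosen) + "."                 # trailing punctuation
        if is_strong(candidate):
            return candidate
    raise RuntimeError("could not produce a passphrase meeting the policy")


if __name__ == "__main__":
    for pw in ("P@ssphrases are memorabl3.", "Summer2014", "correct horse battery staple"):
        print(f"{pw!r}: {check_policy(pw)}")
    print("generated:", generate_passphrase())
```

Running it shows the two failure modes the article distinguishes: a short mixed-character password fails on length alone, while a long all-lowercase phrase fails on character mix even though it clears the 15-character bar. One caveat on the generator: with a wordlist this small the strength comes mostly from the substitutions and length, which is why a real tool draws from a list of thousands of words, where the random choice of words is what an attacker cannot predict.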

Looking over the horizon, I would expect password replacement solutions to make slow but steady progress. For now, we’re all stuck with passwords for the foreseeable future, so do your memory a favor and use a password management application, along with memorable passphrases, to reduce password weariness.

Mark Faske is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.