Better Passwords Don't Make Us Secure: Best Practices Advice

Thursday, June 14, 2012

Marc Quibell


I've been reading other posts about LinkedIn, the password database dump, and the pundits here and there saying things like "use longer, complex passwords" or "passwords are dead, use passphrases".

Can I ask you folks... how effective is it to do something different to avoid something... after the fact?

For example, let's say I'm crossing the street. I step over the curb without watching to my left for traffic, and I get run over. I think it's a little late to be offering me advice on how to cross the street!

But let's say I survive, and I cross the street again (this time maybe I'm wheeling across). I look to the left first (people tend to learn from their mistakes... sometimes) and start crossing when it's safe - but then *BAM*, I get hit by traffic from the other side when I get over there.

So now I'm thinking "well, why didn't they tell me about that other side?" The moral of the story is that telling me how to do things after the damage is already done is useless information, and trying to mitigate risks one step at a time is also useless information. And finally, tunnel-vision security advice is also useless information.

You don't tell people to only use ridiculously complex or long passwords to mitigate ONE risk, or one risk at a time. No matter how long or complex a password is, it's still vulnerable to keystroke loggers, for example. People are still at risk and we will always be at risk when it comes to using passwords.

If you want to be more secure, then consider multi-factor authentication. End of discussion. Look, people, security is not supposed to be a PITA!

What's going to happen when you make passwords so complex that even you can't remember them? Next thing you know, people are writing them down or using guessable password combinations.

People will refuse to use services that become too difficult to use. You see, passwords are only one form of authentication, and passwords are generally used to access general public sites that users visit casually, as opposed to, say, banking sites.

Infosec people have forgotten a golden rule when it comes to users: KISS (Keep It Simple, Stupid). Ask yourselves why LinkedIn didn't have a complex or lengthy password policy. Maybe it's because they wanted to make it easy for people to use? What successful website has a complex password policy? How many sites have a policy of changing your password every x number of days?! People will not come!

In a capitalist society, businesses have to attract people and keep them coming back, and you can't do that by making it more difficult to access those services. This is how the business model works.

And businesses would certainly NOT put the onus on users in this case, where it was the BUSINESS'S passwords that were stolen. Why should users change their password habits because of an event that wasn't their fault? The security onus in this case is on the entity responsible for securing your information.

BUT there is an onus on the user as well to secure their identity, so be sure you do your part, because it is very easy for someone to steal your credentials from your computer. Think of it, generally speaking, as a partnership of security awareness.

Users need to be sure their identity is secure, and businesses need to be sure they secure that identity, as well as the information they have stored for you.

Here's some general advice I can give to users that is not dependent upon any recent event, but IS relevant to our current state of general Internet use:

  • Try to have a password that is at least 8 characters and maybe contains a number or a capital letter
  • Try to use different passwords for different sites, and if you don't, change your password periodically
  • If you use a site that has anything to do with financial information, be sure there is a 3rd-factor authentication option available, and use it! (Some sites have a 3rd factor built in that you may not see or realize.) Do a little research. For example, PayPal allows you to have a PIN sent to your cell phone that you have to use to log in. I would recommend using that option. It has worked great for me for many years.
  • PROTECT your computer with good anti-virus and anti-malware programs. You as a user have a responsibility to secure your computer, so don't take this task lightly. Spend money!
  • Scan your machine for malicious software at least twice weekly
  • Please stay away from bad sites. If you go to a site where you can download illegal software, use torrents, visit dirty sites, etc., you're just asking to be pwned
  • And finally, don't be fooled by emails asking you for information. Don't even open emails where you don't know the sender

In today's Internet, it's not about better passwords, because passwords are just another weak, vulnerable form of authentication. You can make them longer, more complex... whatever, but it doesn't change the fact that they're still weak and vulnerable.

It's about keeping your identity safe and secure, and about companies doing their part to secure your information. Practice safe computing and you'll be fine, or at least you'll lower your risks.
