One of the members of the Master Mind Security Panel during the ITEC show in Charlotte, Dan Colby, made a great point. Basically, he said “quit using passwords.”
Colby is president and CEO of Pinstripe, an application development and consulting company in Charlotte. They provide all the IT services for many area SMBs, including security.
What will replace passwords? Passphrases. Let me quote Colby from an e-mail he sent me about this security idea.
“Passphrases have become the preferred method for password-protecting end user devices. The concept is simple. It is much easier to remember, ‘Let the force be with you’ than it is to remember “!PS12Na#” and the passphrase is often more secure. The longer the passphrase, the more secure it is.”
For tips on creating better passwords, click here.
For strategies on how to manage multiple Web IDs, click here.
While Colby said “end user devices,” I think passphrases work best on devices with real keyboards, like desktop and laptop computers. Smartphones may have keyboards, but few companies can really enforce the use of a decent password on handheld devices, much less a passphrase.
Security experts agree with Colby about the value of passphrases. The longer the password, or passphrase, the more time and computing power needed to crack it by guessing, provided the phrase isn’t a famous line that already sits in an attacker’s wordlist. Companies demand bizarre passwords like “!PS12Na#” to increase the difficulty of guessing the password. Real people, however, resort to what Colby calls the “Post-It note effect” of passwords stuck to monitors. Advanced users have learned to take those passwords off their monitors and hide them under their keyboards. Oops, I just ruined the security plans for one of every three users in many companies.
Administrators must configure security applications to accept longer passwords so passphrases work. Many applications also demand upper and lower case letters, at least one number, and at least one symbol. Hence the impossible-to-remember password “!PS12Na#” provided by Colby.
Check all your password-hungry applications and operating systems, including local computers, servers, and online systems. Supporting passphrases in three of four locations doesn’t help. This technique must truly be all or none to work properly.
Independent security experts say to configure password fields to accept between 15 and 128 characters. A 15-character minimum pushes the password into passphrase territory automatically. Microsoft, however, limits password fields to 127 characters in Active Directory, and therefore Exchange. But 127 should work for almost every passphrase.
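To make the policy change above concrete, here is an added example (mine, not code from the article or from Pinstripe) of a hypothetical policy checker: a classic 8-character complexity rule beside the length-based 15-to-128-character rule the experts recommend, plus a rough worst-case brute-force estimate for each password. The 15 and 128 limits come from the article; the attacker guess rate of 10 billion guesses per second is an assumed figure for illustration, and the estimate treats the password as random characters, which a famous quote is not.

```python
"""Passphrase-friendly password policy with a brute-force cost estimate.

Added example, not the article's or Pinstripe's code.  Thresholds (15..128)
follow the article; GUESSES_PER_SECOND is an assumed, illustrative rate.
"""
import string
from typing import List

MIN_LEN, MAX_LEN = 15, 128          # limits recommended in the article
GUESSES_PER_SECOND = 10 ** 10       # assumed attacker throughput (illustrative)
SECONDS_PER_YEAR = 365 * 24 * 3600


def legacy_policy(pw: str) -> List[str]:
    """Classic 8-character complexity rule.  Returns the failures (empty = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def passphrase_policy(pw: str) -> List[str]:
    """Length-based rule: 15..128 printable characters, spaces welcome."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if any(not c.isprintable() for c in pw):
        problems.append("contains non-printable characters")
    return problems


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += 33                  # 32 ASCII punctuation marks plus space
    return size


def brute_force_years(pw: str) -> float:
    """Worst-case exhaustive search time in years at the assumed guess rate.

    Assumes the attacker must try every string of this length over the
    alphabet actually used.  A passphrase taken from a film or song is a
    single wordlist entry and falls far below this figure.
    """
    space = charset_size(pw) ** len(pw)
    return space / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ("!PS12Na#", "Let the force be with you"):
        print(repr(candidate))
        print("  legacy rule:    ", legacy_policy(candidate) or "OK")
        print("  passphrase rule:", passphrase_policy(candidate) or "OK")
        print(f"  brute force:     {brute_force_years(candidate):.3g} years")
```

Run it as is and the two rules disagree on both inputs: the complexity rule accepts “!PS12Na#” and rejects the passphrase for lacking a digit and a symbol, while the length rule does the opposite. The brute-force column is only an upper bound; treat any phrase an attacker could find in a book of quotations as much weaker than the number suggests.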
The need to constantly change passwords creates problems, but with passphrases it’s easier. Here’s Colby again.
“Keep in mind, when you go to a passphrase approach, you can also more easily govern the regular changing of passwords. If I have to remember “!PS12Na#” and then next month remember “90dc$U@” I am going to go nuts, whereas changing my password from “My favorite baseball team is the Yankees” to “My favorite football team is the Panthers” is no big deal.”
For those users stuck with outmoded systems, or outmoded security administrators, you can still use a passphrase to help you cope with short and confusing passwords, at least if they let you devise your own. The line about the Yankees becomes MfbtitY, which already includes upper and lower case letters. If you must add numbers, throw a number inside the passphrase or at the end. It may not work with “My favorite baseball team is the Yankees,” but it works with “Call b4 you come over tonight” and “My favorite rock group is U2.”
If your company supports remote users logging in to a Web application like a browser-based e-mail client, test this carefully with every browser supported. Some browsers, and some Web proxies and relay devices, block or modify characters like symbols and spaces in transit. If that happens to your users, they won’t be able to log in over the Web. Then they will be in a bad mood when they call you for help.
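One way to test the login path before users hit it is a round-trip check: encode the passphrase the way a browser submits a form field and decode it the way the server-side handler must, then compare. The example below is mine, not from the article; the sample passphrases are constructed, the field name “password” is assumed, and the buggy handler is a hypothetical one that illustrates one real way spaces get mangled, namely decoding form data with unquote() (which leaves “+” alone) instead of unquote_plus().

```python
"""Round-trip check: does a passphrase survive form encoding and decoding?

Added example, not from the article.  Models a browser POSTing a form
field as application/x-www-form-urlencoded and two server-side decoders.
"""
from urllib.parse import parse_qs, unquote, urlencode

# Constructed passphrases covering spaces and the symbols that URL
# encoding treats specially ('+', '=', '&', '%', quotes).
SAMPLES = [
    "Let the force be with you",
    "Help! I need somebody, Help! Not just anybody.",
    "2+2=4 & that's 100% true",
]

FIELD = "password"   # assumed form field name


def browser_encode(passphrase: str) -> str:
    """What a browser puts in the POST body for a single form field."""
    return urlencode({FIELD: passphrase})


def server_decode_correct(body: str) -> str:
    """Standard-library form parsing: turns '+' back into a space and
    decodes every %XX escape."""
    return parse_qs(body)[FIELD][0]


def server_decode_buggy(body: str) -> str:
    """Hypothetical hand-rolled handler that splits the body itself and
    calls unquote(), so every space arrives as a literal '+'."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return unquote(fields[FIELD])


def round_trip_ok(passphrase: str, decoder) -> bool:
    return decoder(browser_encode(passphrase)) == passphrase


def failures(decoder) -> list:
    """Passphrases that do not come back unchanged through this decoder."""
    return [p for p in SAMPLES if not round_trip_ok(p, decoder)]


if __name__ == "__main__":
    for name, decoder in (("correct", server_decode_correct),
                          ("buggy", server_decode_buggy)):
        bad = failures(decoder)
        print(f"{name} decoder: {len(bad)} of {len(SAMPLES)} passphrases mangled")
        for p in bad:
            print("  sent:    ", repr(p))
            print("  received:", repr(decoder(browser_encode(p))))
```

The same idea applies end to end: script a login with each supported browser and proxy in the path, using passphrases that contain spaces, “+”, “&”, “%” and quotes, and confirm the server sees exactly what was typed. A handler that passes the first two samples but not the third usually has an encoding bug, not a character-set limit.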
Don’t force non-company users to adopt a passphrase by requiring longer passwords. Many users have a single non-critical password they use for various Web sign-in forms. No one can remember 100 different passwords for different sites, but you can certainly use “2-Stupid” for a password in 100 different places.
Nothing is foolproof, of course, when dealing with users. If you set a limit of three password attempts before locking the account, fumble-fingered typists will have problems. Weirdly, the worst typists pick the longest phrases, perhaps to give themselves more chances to hit double keys or forget where they are in the passphrase and start hitting the backspace key. You will not completely eliminate your support calls by moving from passwords to passphrases.
That said, supporting passphrases, even those like “Passwords are stupid,” will cut down on user mistakes and increase your password defense against hacking.
You’ll be amazed at how many people can’t remember eight characters but can remember 45 characters if they choose them, like “Help! I need somebody, Help! Not just anybody.” Just ask them not to sing their passphrase.