The Fine Art of Password Protection

Passwords are both the universal language for network navigation and the weakest link in network security, as fraught with peril as they are essential.

Experts say that because they are so closely linked to the ever-fallible human element, passwords cause the most headaches of any security mechanism. However, any enterprise, large or small, can take steps to minimize risk without resorting to cutting-edge and costly technologies like biometrics.

“The fact is that most people don’t take the basic steps to protect their passwords, like changing them, so if passwords are a last line of defense, a network administrator has to take it upon himself to make sure it happens,” Gartner vice president John Pescatore told the E-Commerce Times.

Security experts have long advocated forcing employees to reset passwords every quarter or even more often, especially if they are accessing sensitive data. However, passwords are already notorious at IT help desks, where lost passwords or locked-out employees absorb a considerable amount of valuable support staff time. More frequent password changes likely would increase the proportion of such calls.

Policy Is Paramount

The first step should always be to establish a password policy, with clear guidelines detailing how they should be chosen, how often they should be changed and how to keep them secret.

“A lot of enterprises leave it up to the employee,” Pescatore said. However, doing so is often a risk, since most knowledge workers have a half-dozen or more passwords to remember. Faced with this potentially complicated situation, many users choose to make all of their passwords the same.

“If you don’t require someone to diversify their passwords, why should they?” Pescatore noted.

Human Weakness

Another aspect of password security is social engineering. Few things make hackers happier than convincing users to reveal their passwords simply by asking.

For instance, a hacker who pled guilty to charges he diverted traffic intended for Al-Jazeera’s English-language website during the Iraq war says he was able to do so by simply calling Al-Jazeera’s U.S. network provider and posing as an employee. Before long, he had the passwords he needed.

“People are always a weak link, and study after study shows they will give up passwords if asked in the right way,” said M.E. Kabay, program director in information assurance at Norwich University in Northfield, Vermont. “By having clear policies and taking steps to enforce them, you at least give yourself a chance.”

Making matters worse, so-called social engineering tricks used to glean passwords are not necessarily complicated. During a recent European trade show, organizers convinced 90 percent of office workers traveling through a London tube station to reveal their computer passwords. Their social engineering consisted of including the question at the end of a long list of seemingly harmless queries.

Crack This

Even if passwords are not revealed willingly, hackers still can crack them. AT&T recently warned its business customers about a scam in which hackers were guessing passwords that protected voice-mail systems, then using them to run up costly long-distance bills. The hackers could do this because many customers still were using the default password they had received with their accounts.

Pescatore said many users are guilty of using too-common passwords, justifying the practice by saying they are easy to use and remember.

However, passwords are here to stay, at least for the foreseeable future, even though Gartner believes use of smart cards or other methods that require two proofs of identity will increase. Indeed, the rise of password-saving programs like Microsoft’s Passport has raised new security concerns.

“The shortcuts around remembering and entering passwords are problematic themselves,” Pescatore noted.

Incentive Offered

If an enterprise needs more incentive to tighten its use of passwords, both courts and lawmakers are glad to oblige. A California law now in effect mandates that companies disclose all database breaches that result in exposure of private information, whether or not that data is stolen or misused. Moreover, lawyers are closely monitoring the landscape to see how much responsibility enterprises will bear if they are hacked.

“End users who argue that a vendor supplied a weakly secured product are going to have to answer a lot of questions about how often they changed passwords or took other precautions,” attorney Michael Overly of Los Angeles-based law firm Foley & Lardner told the E-Commerce Times. “The courts are going to work through that question of who ultimately has responsibility.”