Should you be writing down your passwords? Conventional IT training says - "No, forget about the yellow sticky next to your monitor!" However, new research shows that if people are not writing down their passwords, they are more likely to use the same password over and over for different accounts, and also are more likely to use a simple, easy to remember password.
The solution - come up with different and complex passwords, and write them down. And of course, not on the yellow sticky note next to your computer monitor.
“How many have (a) password policy that says under penalty of death you
shall not write down your password?” asked Johansson, to which the
majority of attendees raised their hands in agreement. “I claim that is
absolutely wrong. I claim that password policy should say you should
write down your password. I have 68 different passwords. If I am not
allowed to write any of them down, guess what I am going to do? I am
going to use the same password on every one of them.”
[Via InTech, NC -]
Interesting editorial by Jon Oltsik about the renewed interest in enterprise access control systems. Jon’s point is well taken - if you do business with suppliers, contractors, offshore workers, and customers, you should have in place a system that grants access to electronic resources based on each user’s needs. A single username and password that opens up the whole resource is no longer acceptable.
If you want to let outsiders–that is, customers, offshore developers,
suppliers and so on–use applications to boost productivity, you had
better know who they are, define what they can do and watch every move
they make.
[Via CNET News.com -]
Can Microsoft pull it off this time? Not long after pulling the plug on its Passport digital ID system, which promised a single ID for all users, Microsoft is embarking on another digital ID project. Although there is not much detail at this point, the new digital ID plan is not about creating an infrastructure to hold separate IDs, as Passport did; instead it will try to create a single meta directory that allows interfacing and compatibility between various other systems.
The resulting improvements in cyberspace would benefit everyone,
making the Internet a safer place with the potential to boost
e-commerce, combat phishing, and solve other digital identity
challenges.
Essentially, Microsoft will try to standardize the interfaces to many
other digital ID systems, thus allowing communication with an
authentication system over a standardized protocol. Nice idea, but for a
proper implementation Microsoft will need to secure the cooperation of
the major ID providers.
[Via eWeek, MA -]
A great editorial by Larry Seltzer listing 10 laws for computer security. Among my favorites,
Law No. 1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
..
Law No. 5: Weak passwords trump strong security.
..
Law No. 7: Encrypted data is only as secure as the decryption key.
Very interesting read!
[Via eWeek -]
T-Mobile’s voicemail is apparently vulnerable to a very simple hack that would expose all of your stored messages to an attacker.
Since the announcement of commercial caller ID spoofing systems such as
CovertCall and another called TeleSpoof. For those not in-the-know,
caller ID spoofing allows you to change your caller ID number to
anything you like. This is extremely vulnerable, so make sure you turn
off auto login. This is probably how they hacked into Paris
Hilton’s voicemail.
Moral - disable your auto login if you use T-Mobile and you value your voicemail messages. [Via Daves iPaq, NJ -]
Washington Post (free registration required) has an interesting article about a new approach towards password security. The article focuses on the efforts of a local DC company to create authentication procedures based on users clicking on a series of photos of human faces in order to gain access to a protected online resource.
The Problem
One of the weakest links in an online security system is the user, and his or her ability to remember the assigned password without writing it on a sticky note and putting it next to the monitor, or without picking the same password for their bank as they use for their email, or even for registering at various legitimate and not-so-legitimate web sites. By using the same password in different contexts, all accounts become vulnerable to a breach of the password in any one of them. For example, if you use the same password for your online banking, email, and the various sites requiring registration, then a breach at any one of these sites (let’s say an insecure bulletin board website) gives the attackers access to your email, your online banking, and every other website that can send a ‘forgotten password’ to your email address. Enough said - passwords are a problem.
Faces as Passwords
The idea of having users click through a series of photos by recognizing a particular photo is interesting. The idea is that instead of having to remember a text password, users would have to remember a number and sequence of faces, depending on the level of security desired. The authentication system then presents a number of faces and lets the user click on one of them. The next level presents another set of photos, and so on until the user has clicked on the correct photo at every level.
The idea behind this new method of authentication is that users have problems remembering long passwords, while the human brain is much more likely to successfully remember a face or a series of faces. Because the brain has a natural ability to recognize a face, the system only requires the user to recognize a face, not to identify it, thus relying on the natural ability of the brain.
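To make the multi-level scheme concrete, here is an added simulation (my own illustrative code, not the DC company’s product or the article’s description): enrollment fixes one secret face plus a fixed set of decoys per level, each login only shuffles their positions, and verification checks every level. The face labels are constructed placeholders, and the grid size and number of levels are assumptions.

```python
import secrets
from math import log2

# Constructed pool of face identifiers standing in for photos (made-up labels,
# not images or data from any real product).
FACE_POOL = [f"face_{i:02d}" for i in range(60)]

def enroll(rounds=5, grid_size=9, pool=FACE_POOL):
    """Enrollment: for each level pick one secret face plus a fixed set of decoys.
    Decoys are chosen once and kept for the account, so an observer who compares
    grids from several logins cannot intersect them to isolate the real face."""
    available = list(pool)
    record = []
    for _ in range(rounds):
        faces = []
        while len(faces) < grid_size:
            f = secrets.choice(available)
            available.remove(f)          # every face is used in at most one level
            faces.append(f)
        record.append({"target": faces[0], "decoys": faces[1:]})
    return record

def make_challenge(record):
    """Per login: same faces at each level, but positions are shuffled with a
    CSPRNG, so replaying click positions from an earlier session fails."""
    grids = []
    for level in record:
        grid = [level["target"]] + list(level["decoys"])
        for i in range(len(grid) - 1, 0, -1):   # Fisher-Yates using secrets
            j = secrets.randbelow(i + 1)
            grid[i], grid[j] = grid[j], grid[i]
        grids.append(grid)
    return grids

def verify(record, grids, clicks):
    """clicks[i] is the index the user picked in grids[i]. Every level is
    evaluated (no early exit), so response time does not reveal which one failed."""
    if len(clicks) != len(record) or len(grids) != len(record):
        return False
    ok = True
    for level, grid, idx in zip(record, grids, clicks):
        ok &= 0 <= idx < len(grid) and grid[idx] == level["target"]
    return ok

def guess_space_bits(grid_size, rounds):
    """Entropy of a blind guess: grid_size ** rounds sequences (9 ** 5 = 59049,
    about a 5-digit PIN), so online rate limiting is essential."""
    return rounds * log2(grid_size)
```

The guess-space figure is the caveat the article does not spell out: recognition is easier than recall, but a 5-level, 9-face scheme offers far fewer possibilities than a decent text password unless attempts are throttled.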
The system solves many of the problems of the current password-based authentication - passwords are forgettable, users are likely to share them, write them down, reuse them. Many users are even tricked by phishing sites to enter their password. All of this is eliminated by the new face recognition authentication system. However, it comes with its problems too.
First, one of the major problems with the new system is that it would require organizations to spend substantial amounts of money to retrofit their authentication systems and to educate their users. In a large organization or a website with thousands of customers, this would be a problem.
Second, although the brain is much more likely to remember a face, there will still be people who "forgot" their "face-password" and this is likely to increase the maintenance costs - to reset the photo sequence, etc. The familiar feature "email forgotten password" is not likely to work well.
Third, privacy and secrecy may be compromised by "shoulder surfers" who will now be able to follow the screen prompts to "remember" somebody else’s face recognition. Although there could be technological solutions to this problem, such as enabling users to key-in their selection, instead of clicking on the screen, this is still likely to be a problem and needs to be addressed.
Bottom Line
Excellent idea. "PassFace" or its functional equivalent will inevitably reduce the number of post-it notes hanging on monitors listing important passwords. This system will make computer security in general more reliable, but there are still issues that need to be addressed before this can go mainstream. Also, user education and system transformation costs are likely to be prohibitively high for some organizations.
Microsoft and its chairman are apparently trying to steer the security focus in a different direction - the passwords. Bill Gates has recently argued that weak passwords are one of the main security threats and that biometric or smart-card authentication should be adopted more and more widely.
“Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this,” Gates told attendees at the IT Forum in Denmark last month. “In time, we will completely replace passwords.”
While Gates is probably on the right track [again] as far as vision goes, I am not sure that in this day of extreme server and client application insecurity we need to shift our focus elsewhere. I believe that while we should seek and adopt alternative ways to authenticate users, especially the ones who use ‘password’ as their password, the focus should still be on creating harder-to-penetrate operating systems, routers, and server applications. Although passwords are a very weak link in the chain of security, they are arguably not the weakest.