{"id":419,"date":"2010-08-27T00:16:54","date_gmt":"2010-08-27T04:16:54","guid":{"rendered":"http:\/\/clay.blogdns.net\/?p=419"},"modified":"2010-10-09T10:24:45","modified_gmt":"2010-10-09T14:24:45","slug":"computer-security-and-the-human-factor","status":"publish","type":"post","link":"https:\/\/claymccauley.info\/index.php\/2010\/08\/27\/computer-security-and-the-human-factor\/","title":{"rendered":"Computer security and the human factor"},"content":{"rendered":"<p>One of the most important things to remember about security is that it is a process, not a product. All too often, people think of security as a specific problem with a specific solution. Unfortunately for us, security (in almost any context) is a moving target. What was a strong password yesterday is weak today. There are good reasons to require users to change their passwords, but it&#8217;s only part of the solution. Forcing users to change their passwords too often invariably results in weaker passwords that are easier to remember.<\/p>\n<p>To understand why this is a problem we first need to define what makes a password strong or weak. Numeric passwords are the worst: there are only 10^N possibilities, where N is the number of characters. Using letters is a little better, at 26^N for English. Mixing upper and lower case gives 52^N, and the full alphanumeric set gives 62^N. A random password of 8 or more characters drawn from the full alphanumeric set was considered strong enough until recently. After all, 62^8 is about 218 trillion possibilities, which seems pretty large, doesn&#8217;t it? The catch is that what matters is how fast an attacker can test guesses, not how large the number looks. Some of today&#8217;s high-end graphics cards can perform over 2 trillion floating point operations per second, and against a fast hash such as MD5 or NTLM they test billions of candidate passwords per second, so exhausting even a completely random 8-character alphanumeric password offline takes days, not years. (A deliberately slow password hash such as bcrypt or PBKDF2 cuts that guess rate by orders of magnitude, which is exactly its purpose.) Adding the special characters found on most English keyboards yields roughly 30 more characters, for 92^N, or about 5 quadrillion possibilities for an 8-character password.<\/p>\n<p>You&#8217;re probably noticing a problem: we&#8217;re out of usable characters. From this point on, the only way to increase password strength is to make passwords longer and longer. Length does pay off quickly, since every extra character multiplies the search space: a 12-character password of nothing but lowercase letters (26^12, about 95 quadrillion) already has a larger search space than an 8-character password drawn from all 92 characters. Obviously we can only keep this up for so long before technology overtakes our ability to remember a secure password. Clearly simple password-based security is insufficient for protecting anything of real value. What&#8217;s needed is a multifactor system that uses two or more separate components to authenticate a user.<\/p>\n<p>A multifactor authentication system could be as simple as the combination of a password (something the user knows) and a physical token such as a smartcard (something the user has). To authenticate, the user must insert the smartcard and type his or her password. Either factor by itself is rejected, and a good implementation rejects a bad attempt without revealing which factor failed. The beauty of this system is that data protected in this way is inaccessible to anyone holding only one piece of the authentication puzzle: a stolen password is useless without the card, and a lost card is useless without the password.<\/p>\n<p>A system is only as secure as its weakest link, and in many cases we humans are unfortunately that link. We have limited memory and are vulnerable to social engineering attacks that get us to reveal sensitive information to complete strangers. A strong password is useless if the user gives it away or writes it down where someone else can find it. Adding a unique physical component to the equation raises the level of difficulty for an attacker significantly, because the attacker now has to compromise a person and also obtain a physical object.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the most important things to remember about security is that it is a process, not a product. All too often, people think of security as a specific problem with a specific solution. Unfortunately for us, security (in almost &hellip; <a href=\"https:\/\/claymccauley.info\/index.php\/2010\/08\/27\/computer-security-and-the-human-factor\/\">Continue reading <span
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[137,138,84],"class_list":["post-419","post","type-post","status-publish","format-standard","hentry","category-tech","tag-authentication","tag-password","tag-security"],"_links":{"self":[{"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/comments?post=419"}],"version-history":[{"count":5,"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/posts\/419\/revisions"}],"predecessor-version":[{"id":433,"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/posts\/419\/revisions\/433"}],"wp:attachment":[{"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/media?parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/categories?post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/claymccauley.info\/index.php\/wp-json\/wp\/v2\/tags?post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}