Sunday, September 05, 2010

Password security is getting a new look: sometimes less is more

Randall Stross has an interesting piece on page 3 of the Business Day section of the Sunday New York Times, “A strong password isn’t the strongest security”, link here.

Indeed, requiring so much randomness in passwords (as at companies that run password crackers against their own users, as mine did back in 2001) does lead people to write them down and keep them where they can be found, undermining security.

In fact, password security becomes irrelevant once a machine is infected with “real” spyware or keyloggers.

At the other end of the security spectrum, Stross points out that even weak passwords can’t easily be guessed in just a few tries. However, most companies (and indeed, particularly, most school campuses) do not lock people out for a long time after a few unsuccessful logon attempts, because enemies (or students with bad grades) could use the lockout to disrupt legitimate use of other people’s accounts.

A good compromise on password strength policy is to allow shorter, weaker passwords, but only those that occur among the user base at a lower than statistically significant rate: a password is acceptable as long as few other users have chosen it.
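The compromise described above, accepting a weak password only while it remains rare, can be enforced with a popularity filter at registration or password-change time. The following is an added example written for this post, not code from the post or from the article it cites; the count-min sketch, the HMAC-keyed cell addressing, and the two thresholds (`max_share`, `min_count`) are my own assumptions about how such a filter might be built.

```python
import hashlib
import hmac
import math


class PopularityFilter:
    """Accept any password that is not already in common use.

    Counts live in a count-min sketch rather than a plaintext frequency table,
    and sketch cells are addressed by HMAC under a server-side secret, so the
    sketch on its own is not a readable list of what users chose.  This is an
    illustrative design (assumed), not the scheme from the cited article.
    """

    def __init__(self, key: bytes, width: int = 1 << 16, depth: int = 4,
                 max_share: float = 0.001, min_count: int = 3) -> None:
        self.key = key                # server-side secret, assumed stored apart from the sketch
        self.width = width            # cells per sketch row
        self.depth = depth            # independent rows; the estimate is the row minimum
        self.max_share = max_share    # largest fraction of users allowed to share one password
        self.min_count = min_count    # absolute floor so a tiny user base still admits anyone
        self.rows = [[0] * width for _ in range(depth)]
        self.total_users = 0

    def _cells(self, password: str):
        """Yield one (row, column) per sketch row, derived by keyed hashing."""
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hmac.new(self.key, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password: str) -> int:
        """Upper bound on how many current users chose this password."""
        return min(self.rows[r][c] for r, c in self._cells(password))

    def allowed_count(self) -> int:
        """How many users may share a password before it counts as popular."""
        return max(self.min_count, math.floor(self.max_share * self.total_users))

    def is_acceptable(self, password: str) -> bool:
        """True while the password is still rare among the user base."""
        return self.estimate(password) < self.allowed_count()

    def register(self, password: str) -> bool:
        """Admit the password if it is rare and record the choice; False if rejected."""
        if not self.is_acceptable(password):
            return False
        for r, c in self._cells(password):
            self.rows[r][c] += 1
        self.total_users += 1
        return True


def demo() -> dict:
    """Constructed user base: five users try '123456', ninety-five pick distinct strings."""
    pf = PopularityFilter(key=b"constructed-demo-key-not-for-production", min_count=3)
    common_results = [pf.register("123456") for _ in range(5)]
    distinct_results = [pf.register(f"user-{i}-pw") for i in range(95)]
    return {
        "common_admitted": sum(common_results),      # first three pass, then it is "popular"
        "common_rejected": len(common_results) - sum(common_results),
        "distinct_admitted": sum(distinct_results),
        "total_users": pf.total_users,
        "short_rare_ok": pf.is_acceptable("ab12"),    # short and weak, but nobody else has it
        "common_ok": pf.is_acceptable("123456"),      # rejected for any further new user
    }


if __name__ == "__main__":
    print(demo())
```

With fewer than 3000 users, `max_share` times the user count is below the floor, so `min_count` governs; as the base grows the fractional limit takes over. The filter only turns away new choices, so existing accounts that already hold a password that has since become popular need a separate prompt to change it, and the sketch is a complement to, not a substitute for, salted password hashing in the credential store.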
