Password Fatigue

By: Mark Faske (CISSP, CISA)

Publication: The Kansas Banker , September 2014

Fifteen years ago, some of the hot topics in the information security community were the implementation of smart cards and biometrics for authentication. The purpose of these security tools (at least partially) was to replace passwords with something we don't have to remember. Over time, neither of these solutions has panned out for the majority of us as a method to replace passwords. Granted, both methods saw limited implementations, but the masses likely have never used these technologies, or use them only in limited fashion.

Today, we’re absolutely inundated with passwords, in our business and personal lives. The advancement of the Internet and social media has vastly compounded this problem. The number of passwords we must remember has exploded, leaving all of us to deal with the complexity of it all. As an information security professional, I frequently get asked, “How are we supposed to remember all of these passwords when we’re not supposed to use the same password for all our requirements and we’re required to use a complex password?” Before answering, I typically commiserate with the anguish that dealing with passwords adds to our daily lives. I’m in the same boat, after all.

Unless you have an astounding memory or you use a ridiculously simple password for all your logins, you'll likely need some help in managing your myriad user IDs and passwords. Over the last several years, a number of software applications have come about to help us with password management. Some are free and others require a paid license. Wikipedia provides a short list of commonly used applications at: http://en.wikipedia.org/wiki/List_of_password_managers.

I have personal experience with several of the products on this list, and I can vouch that these tools can help reduce your password anguish. In addition to helping organize your passwords, some of the applications also offer password generation capability and can integrate with the cloud. The really cool thing about password management tools is that you only have to remember one password: the password to open the application itself. Many of the applications are capable of automatically entering credentials for you, so you don't have to remember them. I use this capability every day and know very few of my passwords. Some of the solutions also offer mobile applications, which can be really useful. I know that many people now use their mobile phones to store their passwords in various places, but that alone is really not a secure or practical solution, because mobile devices are lost or stolen all the time, putting your password information at risk. Using an application that safely encrypts and/or enters your passwords is a better solution.

To close, let's finish with a short discussion on password complexity. I am continually asked, "How do I develop a strong password?" Since the majority of us work predominantly in the Windows world, that's what I'll cover. A password's strength comes from a combination of its length and the mix of characters used in it. To create a very strong password in Windows, a password length of 15 characters is recommended. This far surpasses many strong password recommendations, but advancements in password cracking technology and computing power necessitate this length. Obviously a password of 15 characters is going to be difficult to remember, so the use of passphrases is recommended over a jumbled mass of characters that none of us can remember... unless we write it down (which is where the password management tools come in). Many of you may have been trained not to use words in your password, but words can be used as long as they are separated by spaces and some level of number/letter substitution is used. For example, the passphrase "P@ssphrases are memorabl3." would be an excellent passphrase to use. It's easy to remember, lengthy, and contains numbers, lower case letters, upper case letters, special characters and punctuation.
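The guidance above (15 or more characters, words separated by spaces, and a mix of digits, upper and lower case, and special characters) can be turned into a simple self-check. The code below is an added example, not part of the original column; the minimum length, the class names and the sample passphrases other than the article's own are assumptions, and the keyspace estimate is the conventional rough figure that treats each position as independent, so it overstates the strength of passphrases built from dictionary words.

```python
import math
import string

# Minimum length taken from the article's Windows guidance (assumed as the policy value).
MIN_LENGTH = 15

# Rough size of each character class, used only for the keyspace estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32, "space": 1}


def character_classes(candidate: str) -> set:
    """Return the set of character classes present in the candidate."""
    classes = set()
    for ch in candidate:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def search_space_bits(candidate: str) -> float:
    """Naive keyspace estimate: length * log2(alphabet size of the classes used)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(candidate))
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


def assess_passphrase(candidate: str) -> dict:
    """Check a candidate against the article's guidance and return a report."""
    classes = character_classes(candidate)
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if "digit" not in classes:
        findings.append("no digits")
    if not {"lower", "upper"} <= classes:
        findings.append("not mixed case")
    if "special" not in classes:
        findings.append("no special characters or punctuation")
    return {
        "length": len(candidate),
        "words": len([w for w in candidate.split(" ") if w]),
        "classes": sorted(classes),
        "bits": round(search_space_bits(candidate), 1),
        "meets_guidance": not findings,
        "findings": findings,
    }
```

Running `assess_passphrase("P@ssphrases are memorabl3.")` reports 26 characters, three words, all five classes and no findings, while a short jumble such as "Summer2014!" fails only on length.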

Looking over the horizon, I would expect password replacement solutions to make slow but steady progress. For now, we're all stuck with passwords for the foreseeable future, so do your memory a favor and use a password management application, along with memorable passphrases, to reduce password weariness.

Byline

Mark Faske is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.