We all know the threat: cybercrooks want to invade your organization’s servers to steal company data, employee data, and who knows what else. That’s old news. What’s new is that the conventional thinking about the user IDs and passwords we use to protect ourselves may be making the criminals’ job easier. Tech Republic’s Michael Kassner reviews the findings of “Do Strong Web Passwords Accomplish Anything?” by security experts Cormac Herley, Dinei Florencio, and Baris Coskun.
The basic premise is that the typical methods of phishing, keylogging, and brute-force attacks are more powerful than our usual attempts to prevent them. Based on mathematical reasoning that’s fairly easy to follow, their bottom line is that we need to think differently about user IDs and passwords. Simply changing them often isn’t enough. A better solution:
Increasing the number of password bits is not recommended. Besides, users have enough trouble remembering simple passwords. So why not increase the size of the user ID instead? Doing so will obtain the same results. Messing with the number of bits in the user ID instead of the password has another huge advantage. Ready for this: user IDs do not need to be kept secret. The user ID can be displayed for everyone to see. A cybercriminal would be hard pressed to gather everyone’s user ID from sticky notes stuck to monitors. Use short, simple passwords with longer user IDs. Doing so reduces the chance of a successful login-credential attack, and makes it easier for the user.
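The “same results” claim rests on a simple counting argument: an online guesser who does not know the user ID must guess a (user ID, password) pair, so the bits of the two fields add, and a bit moved from the password to the ID leaves the search space unchanged. The script below is an added illustration of that arithmetic; it is not code from the paper, from Kassner’s review, or from this post. The alphabet sizes, string lengths and the guessing rate are constructed model parameters, not measured figures, and the attacker model (an unthrottled login endpoint, with the attacker either knowing or not knowing the ID) is an assumption made here to make the comparison concrete.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def credential_space_bits(userid_bits: float, password_bits: float,
                          userid_known: bool) -> float:
    """Effective search space, in bits, that an online guessing attacker faces.

    If the attacker already holds the user ID (a targeted attack, or an ID
    captured together with the password by phishing or keylogging), only the
    password remains to be guessed.  Otherwise every attempt must pick a
    (user ID, password) pair, so the bits of the two fields add up; this is
    the sense in which ID bits and password bits are interchangeable.
    """
    return password_bits if userid_known else userid_bits + password_bits


def expected_guesses(space_bits: float) -> float:
    """A brute-force search over 2**space_bits candidates succeeds, on
    average, after trying half of them."""
    return 2.0 ** (space_bits - 1)


def years_to_exhaust(space_bits: float, guesses_per_second: float) -> float:
    """Expected time for a guesser at the given rate to hit one valid pair."""
    return expected_guesses(space_bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1000.0) -> dict:
    """Constructed scenarios (assumed figures, not measurements) contrasting
    a stronger password with a longer user ID.  `guesses_per_second` models an
    attacker against a login endpoint with no lockout or rate limit."""
    weak_pw = entropy_bits(26, 6)      # six lowercase letters, ~28.2 bits
    strong_pw = entropy_bits(62, 10)   # ten mixed-case alphanumerics, ~59.5 bits
    short_id = entropy_bits(26, 6)     # a 'jsmith'-style handle, ~28.2 bits
    long_id = entropy_bits(10, 16)     # sixteen random digits, ~53.2 bits

    cases = {
        # (user ID bits, password bits, attacker already knows the ID?)
        "weak_pw_short_id": (short_id, weak_pw, False),
        "strong_pw_short_id": (short_id, strong_pw, False),
        "weak_pw_long_id": (long_id, weak_pw, False),
        # The same long ID once it is known to the attacker: only the
        # password protects that account.
        "weak_pw_long_id_known": (long_id, weak_pw, True),
    }
    results = {}
    for name, (id_bits, pw_bits, known) in cases.items():
        bits = credential_space_bits(id_bits, pw_bits, known)
        results[name] = {
            "bits": round(bits, 1),
            "years": years_to_exhaust(bits, guesses_per_second),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:24s} {r['bits']:6.1f} bits  ~{r['years']:.3g} years")
```

Running it shows the weak-password/long-ID case out-scoring the weak-password/short-ID case by the difference in ID bits, exactly as the argument predicts. The `userid_known` branch is the caveat to keep in view: the extra ID bits only count against an attacker who has to guess the ID, so for any account whose ID has been phished, keylogged or simply read off a monitor, the search space collapses back to the password alone, and the paper’s point that strong passwords buy little against those attacks applies in full.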
Do you agree? It’s a touchy topic, and opinions are sure to be strong and varied.
— Don Willmott