We all know the threat: cybercrooks want to invade your organization's servers to steal company data, employees, and who knows what else. That's old news. What's new is that the conventional thinking about the user IDs and passwords we use to protect ourselves may be making the criminals' job easier. TechRepublic's Michael Kassner reviews the findings of "Do Strong Web Passwords Accomplish Anything?" by security experts Cormac Herley, Dinei Florencio, and Baris Coskun.

Protecting Password Protection

The basic premise is that the typical methods of phishing, keylogging, and brute-force attacks are more powerful than our usual attempts to prevent them. Based on mathematical reasoning that's fairly easy to follow, their bottom line is that we need to think differently about user IDs and passwords. Simply changing them often isn't enough. A better solution: longer IDs.

Increasing the number of password bits is not recommended. Besides, users have enough trouble remembering simple passwords. So why not increase the size of the user ID instead? Doing so obtains the same results. Messing with the number of bits in the user ID instead of the password has another huge advantage. Ready for this? User IDs do not need to be kept secret. The user ID can be displayed for everyone to see. A cybercriminal would be hard pressed to gather everyone's user ID from sticky notes stuck to monitors. Use short, simple passwords with longer user IDs. Doing so reduces the chance of a successful login-credential attack, and makes it easier for the user.
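To make the "same results" claim concrete, here is an added example (not code from the TechRepublic article or from the Herley/Florencio/Coskun paper): a small model of online credential guessing against a login endpoint that enforces a per-account lockout. It compares two constructed policies with the same total credential length, one spending its bits on the password and one on the user ID, and shows that a blind guesser, who holds no list of valid IDs, faces the same search space either way. The `LoginService` class, the numeric ID and password alphabets, and the population sizes are all assumptions made for the model.

```python
"""Added example: model of online (ID, password) guessing against a login endpoint.
Not the paper's code; every parameter and the user population is constructed."""
import math
import random


def credential_bits(id_digits: int, pw_digits: int, alphabet_size: int = 10) -> float:
    """Search space faced by a blind guesser, in bits: the ID space and the
    password space multiply, so their bit lengths simply add."""
    return (id_digits + pw_digits) * math.log2(alphabet_size)


def expected_hits_blind(id_digits, pw_digits, n_users, n_guesses, alphabet_size=10):
    """Expected number of valid (ID, password) pairs found in n_guesses random
    submissions, assuming uniform IDs and passwords and a login form that answers
    identically whichever half was wrong (so a guess gives no partial feedback)."""
    space = alphabet_size ** (id_digits + pw_digits)
    return n_guesses * n_users / space


def expected_compromised_known_ids(n_users, pw_digits, lockout_after, alphabet_size=10):
    """Caveat case: if the attacker already holds every valid ID (e.g. IDs are
    e-mail addresses), the lockout caps guesses per account and the password
    space alone decides how many accounts fall."""
    pw_space = alphabet_size ** pw_digits
    return n_users * min(lockout_after, pw_space) / pw_space


class LoginService:
    """Constructed login endpoint: numeric IDs and passwords, three-strikes lockout."""

    def __init__(self, accounts: dict, lockout_after: int = 3):
        self.accounts = accounts
        self.lockout_after = lockout_after
        self.failures: dict = {}

    def login(self, uid: int, pw: int) -> str:
        if self.failures.get(uid, 0) >= self.lockout_after:
            return "locked"          # even a correct password is refused now
        if self.accounts.get(uid) == pw:
            return "ok"
        self.failures[uid] = self.failures.get(uid, 0) + 1
        return "invalid"             # same answer for unknown ID or wrong password


def build_population(id_digits, pw_digits, n_users, rng):
    """Constructed user base: distinct random IDs, each with a random password."""
    accounts = {}
    while len(accounts) < n_users:
        uid = rng.randrange(10 ** id_digits)
        accounts[uid] = rng.randrange(10 ** pw_digits)
    return accounts


def simulate_blind_guessing(id_digits, pw_digits, n_users, n_guesses, seed=7):
    """Seeded Monte Carlo: count successful logins from random (ID, password) pairs."""
    rng = random.Random(seed)
    service = LoginService(build_population(id_digits, pw_digits, n_users, rng))
    hits = 0
    for _ in range(n_guesses):
        uid = rng.randrange(10 ** id_digits)
        pw = rng.randrange(10 ** pw_digits)
        if service.login(uid, pw) == "ok":
            hits += 1
    return hits


if __name__ == "__main__":
    # Policy A: 6-digit ID + 2-digit password.  Policy B: 7-digit ID + 1-digit password.
    # Same total length, so the same search space for a blind guesser.
    for label, id_d, pw_d in (("A", 6, 2), ("B", 7, 1)):
        print(label, "bits=%.2f" % credential_bits(id_d, pw_d),
              "expected=%.1f" % expected_hits_blind(id_d, pw_d, 40_000, 250_000),
              "simulated=%d" % simulate_blind_guessing(id_d, pw_d, 40_000, 250_000))
    # Known-ID caveat: with the ID list in hand, lockout x password space is what matters.
    print("known IDs, 1-digit pw:", expected_compromised_known_ids(40_000, 1, 3))
    print("known IDs, 2-digit pw:", expected_compromised_known_ids(40_000, 2, 3))
```

Both policies report about 26.6 bits and roughly 100 expected hits per 250,000 blind guesses, and the seeded simulation lands near that figure for each. The `expected_compromised_known_ids` function is the practitioner's check on the argument: the equivalence holds only while the attacker cannot enumerate valid IDs in bulk, which is the sticky-note condition the text relies on. Where IDs are e-mail addresses or otherwise harvestable, the lockout count times the password space governs the outcome, and the short-password half of the policy is the weak one.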

Do you agree? It's a touchy topic, and opinions are sure to be strong and varied.

-- Don Willmott