Password creation policies are the enemy of secure passphrases

Commenting on reports that a security developer has concluded that password-creation policies are the enemy of secure passwords, SecurEnvoy co-founder Steve Watts says that the fundamental issue is that conventional ID/password security is now coming to the end of the line as far as security is concerned. The reasons for this are actually more complex than Cameron Morris, the security developer, notes. “This isn’t to say that Cameron is wrong – far from it – it’s just that the reasons why passwords are coming to the end of the line in today’s online environment are multi-faceted, with company password policies being only one issue of concern,” he said.

“One of the other major issues we have observed is that people have great difficulty remembering more complex passwords than the six- or eight-character alphabetic strings that most Internet users rely on. Because of this, they fall back on an eight-digit passphrase that is usually a family member’s name or place of birth, and which – unfortunately – is all too easy to hack using brute force password attacks,” he added.

The problem with corporate password policies is that they often force users to create complex passwords with a mixture of letters and numbers, with at least one of the letters being upper case.

The net result of this is that users end up with a relatively complex passphrase that is difficult to remember, and the employee often ends up storing the passphrase on their mobile phone as an aide-mémoire or – perhaps worse – writing it on a yellow sticky note which is then stuck to their desktop monitor.

This is the real issue that Cameron has picked up on: making passwords too complex means that the average user takes the easy option to help them remember it when they want to log on.
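The gap between what a complexity rule checks and what an attacker actually has to guess is the point of the argument above. The following Python is an added illustration, not code from the article or from SecurEnvoy: it applies a typical corporate rule (length at least 8, one upper-case letter, one lower-case letter, one digit), then compares a naive character-set entropy estimate against a lower estimate that recognises the "capitalised name plus digits" habit and word-based passphrases. The name list and the 7776-entry wordlist size are constructed assumptions for the estimate, not real dictionaries.

```python
import math
import re

# Constructed assumptions: a tiny sample of common names and the size of a
# Diceware-style wordlist. A real assessment would use full dictionaries.
COMMON_NAMES = {"michael", "sarah", "london", "paris", "james", "emma"}
WORDLIST_SIZE = 7776

NAME_DIGITS = re.compile(r"^([A-Z][a-z]+)(\d{1,4})$")


def meets_complexity_policy(pw, min_len=8):
    """Typical corporate rule: length >= min_len, plus upper, lower and digit."""
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
    )


def naive_entropy_bits(pw):
    """Entropy if every character were chosen uniformly from the classes present."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"[0-9]", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(charset) if charset else 0.0


def pattern_aware_entropy_bits(pw):
    """Lower estimate that models how such passwords are really chosen.

    'Michael1' is searched as (name list) x (digit suffixes), not as a
    uniform 8-character string; a space-separated passphrase is searched as
    (wordlist size) ^ (number of words).
    """
    m = NAME_DIGITS.match(pw)
    if m and m.group(1).lower() in COMMON_NAMES:
        return math.log2(len(COMMON_NAMES) * 10 ** len(m.group(2)))
    words = pw.lower().split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    return naive_entropy_bits(pw)


def assess(pw):
    """Summarise policy compliance alongside both entropy estimates."""
    return {
        "policy_ok": meets_complexity_policy(pw),
        "naive_bits": round(naive_entropy_bits(pw), 1),
        "realistic_bits": round(pattern_aware_entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a policy-compliant name+digit password and a
    # four-word passphrase that the same policy rejects.
    for candidate in ("Michael1", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

Run stand-alone, the script shows the policy accepting the short name-based password while the pattern-aware estimate drops to a few bits, and rejecting the longer passphrase even though its realistic estimate is far higher. The usual defensive response is to rate passwords by estimated guessability and to check them against breached-password lists rather than by counting character classes.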

Watts explained that it is this experience that has pushed many organizations down the hardware authentication token path, forcing employees to carry the hardware token with them – perhaps on their key ring or in their purse.

A far easier option is to go down the tokenless 2FA security route, using an employee’s mobile phone as the medium for authentication. Tokenless 2FA can also be completely reconfigured by the IT helpdesk in real time, rather than the organization having to wait for a member of staff to be sent a new hardware token.

More: http://www.net-security.org/secworld.php?id=12956