by Rob Knake

How to Keep Passwords Secure

Jul 07, 2006

Data and Information Security | Identity Management Solutions | Passwords

In some cases, less is safer than more, explains Good Harbor Consulting's Rob Knake.

Every 90 days, the CSO at my company forces everyone to change their passwords for e-mail access. If we don’t make the change, we don’t get e-mail. Like any good CSO, he requires strong passwords, so users must come up with an eight-character minimum phrase with at least one number. I pop that new password into my e-mail program and BlackBerry and then forget it for another 90 days. The problem is that in 90 days, I need to remember what it was before I can change it again. Like many employees, I take the easy way out and write it down.

The requirement of strong passwords and the requirement to change those strong passwords are now common features of IT security. They address two potential vulnerabilities in an IT security system. Strong passwords make it harder to hack into the system by guessing, either manually or using an automated program. Changing the password prevents an unauthorized user who has obtained the current password from continuing to use it. Unfortunately, these security measures create an even more glaring vulnerability: the password written on the back of the mouse pad, scrawled in a desk drawer or in the back of a Filofax. When this happens, your company’s security is only as strong as the hiring process for your office cleaners. Chances are they did not go through a full background check.

Because I work at a company that does a measure of IT security consulting, I take a reasonable number of steps to prevent my password from being discovered. It is not actually written down but stored in my computer’s address book. My computer is password protected with a very strong password (all the bells and whistles: more than 10 digits, odd capitalization, numbers and symbols), and the home folder on my computer is encrypted. Since I have control of my computer’s admin functions, I never change the password and have it memorized. Chances are my e-mail password is safe. One of my colleagues goes a step further and writes down his passwords only on his encrypted and password-protected computer in a code he has developed. Few people care this much about security, and most probably do scrawl their passwords on the back of the mouse pad.

Fixing this problem requires a new paradigm for security, one that takes a holistic or (to use a less “soft” term) a synoptic view of security. Realizing that hackers manipulating 1s and 0s is not the only way critical data can be compromised is the first step. Physical security still matters, and there are trade-offs to be made between the two realms. If the last thing you want is a custodian to be able to find a password and gain access to critical data by flipping over the mouse pad, don’t set the bar so high for memorizing it. “Cathy123” is exponentially stronger than “zyG0te17!#flame?” if the latter can be found by rummaging around a cubicle. If someone has compromised a password, changing it within the next 90 days is a fairly crude form of security.

A better option is to move to two-factor authentication where logging on requires knowing something (your password) and having something (a biometric identifier or a physical key). RSA is marketing its digital tokens for just such purposes. If logging on requires having the token in addition to knowing a password, possessing the password alone is worthless. There are other technologies on the market that also deal with this threat much more intelligently. For many small businesses, however, the cost or difficulty of employing them is too high. Balance suggests that keeping passwords securely stored in human memory will reduce the risk of unauthorized access more than frequently changing them.
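The two-factor check described above, as an added example that is not part of the original column and not RSA's own code: the "something you know" is a salted password hash, the "something you have" is an HMAC-based one-time code of the kind a hardware token displays (the HOTP algorithm of RFC 4226, checked here against that RFC's published test vectors). The account layout, the enrolment helper, the work factor and the look-ahead window are assumptions; a biometric factor is not modelled. The point of the code is the one the column makes: a correct password on its own is worthless, and a code that has already been used is rejected.

```python
"""Two-factor login check (added example): a salted password hash, the
"something you know", plus an RFC 4226 HOTP code from a counter-based
token, the "something you have". Account layout and parameters are assumed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    token_secret: bytes      # shared with the user's token at enrolment
    token_counter: int = 0   # lowest counter value the server will still accept


def enrol(password: str, token_secret: bytes) -> Account:
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Account(salt, pw_hash, token_secret)


def login(acct: Account, password: str, code: str, window: int = 5) -> tuple[bool, str]:
    """Both factors must pass. A code is accepted once, within a small look-ahead
    window (the token may have been pressed without a login), after which the
    server counter moves past it so the same code cannot be replayed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, acct.password_hash)

    # Evaluate the token whether or not the password matched, so the response
    # time does not tell an attacker which factor was wrong.
    matched = None
    for c in range(acct.token_counter, acct.token_counter + window):
        if hmac.compare_digest(hotp(acct.token_secret, c), code):
            matched = c
            break

    if not password_ok:
        return False, "password rejected"
    if matched is None:
        return False, "token code rejected (wrong, outside window or already used)"
    acct.token_counter = matched + 1   # resynchronise and burn the used code
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret; a real deployment
    # would generate a random per-token secret at enrolment.
    acct = enrol("Cathy123", b"12345678901234567890")
    print(login(acct, "Cathy123", "000000"))   # password right, no valid code
    print(login(acct, "Cathy123", "755224"))   # both factors: ok
    print(login(acct, "Cathy123", "755224"))   # same code again: rejected
```

A failed password attempt does not advance the counter, so a stolen password cannot be used to burn through a victim's codes; only a fully successful login consumes the code it was made with. The look-ahead window is the usual compromise between a user who pressed the token a few times and an attacker who would otherwise get extra guesses per attempt, which is why it is kept small.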

Rob Knake is a senior associate at Good Harbor Consulting LLC, a homeland and cybersecurity consulting firm in Arlington, Va. He can be reached at