Password policy
19th Apr 2011
The biggest issue for computer security in the 21st century is identity as this will determine your access and that of your employees to your company information.
As a result maintaining an effective password and identity policy is the biggest challenge to a modern technology-based company.
With the continuing development of a mobile workforce and the predicted expansion in the use of the internet technology known as ‘the cloud’, using an effective means to give permission to the people that you want to access your information - while keeping out the people you do not want to have access - will become ever more crucial.
Password policy presents several challenges to an organisation.
The current advice suggests the frequent changing of passwords, the use of complex passwords or the creation of passwords using devices known as password generators.
But individuals choosing their own passwords will often use either personal information, or a combination of personal information to create a code that is memorable for them.
The disadvantage of this method is that basic research into an individual can normally uncover their password. Another disadvantage is that people who use memorable passwords will often reuse them for every service that needs a password. So once a criminal discovers the password in one insecure domestic or e-tail system, it can give them the password to a work-based system as well.
People also opt for ludicrously simple passwords that password cracking software is programmed to look for first.
However, if staff are forced to depart from this method and use complex passwords, or ones generated for them, they will often seek to store their passwords physically close to them.
According to police officers who investigate unauthorised access to computers, most passwords are stored within one metre of the PC.
Favourite places are on post-it notes stuck on the PC screen or put under the keyboard, or in notebooks or manuals.
This practice has continued with mobile devices; passwords are often carried in wallets, bags or handbags alongside the device they are meant to protect.
As a result, within the next five years mobile phone producers and companies will start to move from the password-based systems that have existed to date to systems that establish that you are who you say you are.
These will require you to produce a range of information, including biometrics, before allowing you to access records and services related to personal accounts and work.
This enhanced security will protect mobile phones that will increasingly be loaded with digital cash and credit card sims so the phones can be used to physically pay for goods.
In 2011 several announcements by mobile phone companies reflected this trend, with new mobile phones beginning to incorporate ‘cash purses’ and credit cards and a technology known as ‘near field communications’. This allows them to make payments by passing them over a sensor.
According to Professor Josef Kittler, Director of the Centre for Speech, Vision and Facial Recognition at Surrey University, the aim of current research is to eradicate the need for passwords completely by establishing a person’s identity beyond doubt using biometric information.
‘We can use a synthesis of face and voice recognition and lip dynamics to establish someone’s identity. In a mobile phone environment this is proving very successful because the subject will actually hold the phone up to their face in a full frontal pose and the system knows that it is only looking for recognition on that one image,’ says Kittler, adding that the technology was already being rolled out by some mobile phone makers.
To secure the mobile phones, which in the case of cash purses have a digital cache of £100 of credit on them and in the case of credit cards will have a value up to the allowed limit, it is expected they will soon start to incorporate a biometric that could involve voice, face and fingerprint recognition as well as a password.
This move to unique identity will also accelerate due to the predicted move to so-called cloud computing, as companies seek to achieve economies and efficiencies by cutting IT costs, concentrating on core business and becoming ever more mobile.
The deployment of this biometric technology is expected to be exploited by companies who believe that consumers will be happy to prove their own identities to mobile devices, in return for the kind of services that will be on offer. The technology will also be used to give access to people’s work systems.
This is a part of the ongoing move by companies to blend together personal and work systems, known as ‘consumerisation’.
In response, criminals will use technology to try to trap complete authenticated identities at the key moment - when they are being broadcast to the service to which they provide access.
However, according to Kittler trying to trap a digital biometric identity will prove difficult – as the biometric can be encrypted on mobile devices before it is sent.
Currently, as well as password generators, there are a number of other technological innovations that can help with some of the concerns raised by passwords.
One technique generates a grid on the device screen, and the person remembers a pattern of positions on that grid. Each time the grid appears it is filled with random numbers; the person types the numbers that fall in the positions of their pattern. A different series of numbers therefore appears each time, even though the remembered pattern stays the same.
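The grid scheme above, as an added example (not from the article or any named product): a server-side implementation in Python that issues a fresh random grid per login, checks the digits at the user's remembered cells, makes every grid single-use so a captured response cannot be replayed, and locks the account after a few failures. The 5x5 size, the lockout threshold and all class and function names are assumptions.

```python
"""One-time pattern grid: the user memorises cell positions, not digits."""
import secrets
import string

GRID_SIZE = 5  # assumed: a 5x5 grid of single digits (the article gives no size)


def make_grid():
    """Fresh challenge: GRID_SIZE rows of GRID_SIZE random digits from a CSPRNG."""
    return ["".join(secrets.choice(string.digits) for _ in range(GRID_SIZE))
            for _ in range(GRID_SIZE)]


def response_for(grid, pattern):
    """Digits a user who remembers `pattern` (a list of (row, col)) reads off this grid."""
    return "".join(grid[r][c] for r, c in pattern)


class GridAuthenticator:
    """Server side: holds the user's secret pattern and issues one grid per attempt."""

    def __init__(self, pattern, max_attempts=3):
        if not pattern or len(set(pattern)) != len(pattern):
            raise ValueError("pattern must be a non-empty list of distinct cells")
        self._pattern = list(pattern)   # the long-term secret, like a stored password
        self._issued = {}               # challenge id -> grid still awaiting a reply
        self.max_attempts = max_attempts
        self.failures = 0

    def challenge(self):
        """Issue a new grid; the id ties the reply to this grid and no other."""
        cid = secrets.token_hex(8)
        self._issued[cid] = make_grid()
        return cid, self._issued[cid]

    def verify(self, cid, typed):
        """Accept `typed` only for the grid issued under `cid`; each grid is single-use."""
        if self.failures >= self.max_attempts:
            return False                          # locked out: limits online guessing
        grid = self._issued.pop(cid, None)        # pop: the same grid can never be replayed
        if grid is None:
            return False
        ok = secrets.compare_digest(typed, response_for(grid, self._pattern))
        self.failures = 0 if ok else self.failures + 1
        return ok
```

A shoulder-surfer who sees the typed digits still only learns, for each digit, the handful of cells on that one grid that showed it; the next login uses a different grid.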
Piers Wilson, a security manager of Risk Assurance for the accountancy company PwC, says that though technology is important, people are still key to the effective protection of data.
‘To get security right you have to use a combination of people, a process i.e. a policy, technology and physical access to a building – you have to achieve a balance of all of those things,’ he says.
Creating a password policy
1. Establish the value of your data to your company by carrying out an information audit. What is the value of your company’s data and reputation?
2. Your audit should also establish the value of your data outside of the company.
3. Implement a security strategy that involves a policy on the use of passwords.
4. Research available affordable technology and systems that can help your staff use passwords to access your data effectively and securely.
5. If you want to use a password strategy then use a combination of letters, numbers and punctuation, and require that passwords be changed frequently.
6. Do not use your date of birth, wife or partner’s name, maiden names, children’s names or common names.
7. Use different passwords for all of the accounts that you possess.
8. If you must use the same password then use a ‘stub’ – part of the password that is altered for each account – but do not use consecutive numbers or any logical sequence.
9. If you have trouble remembering passwords then use the internet to find password storage devices that can help you, but remember that this is only as strong as the password that allows you access to the software, and that it is a good idea to change this password regularly.
10. Some mobile phones such as Blackberry also offer encrypted password storage systems. But again remember that any device you use will have to be password protected so again it will be necessary to password protect the device itself and vary the password to be truly secure.
11. One method for remembering passwords is to take a line from a poem or a book and then use the first letters of each word, or any other sequence depending on preference, and add a sequence of numbers and punctuation you can remember. This method allows you to retrieve the password if you forget it.
12. In the event of an employee leaving your employment immediately remove all password access to any work systems. Passwords that allow remote access must be deleted instantly.
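Items 5 and 6 of the checklist as an added, runnable policy check in Python (example code, not from the article): it requires letters, numbers and punctuation, and rejects passwords that contain the user's date of birth, the names listed against the account, or common names, even when letters have been swapped for look-alike digits. The 12-character minimum, the look-alike substitution table and the date formats tried are assumptions.

```python
"""Policy check for items 5 and 6: character mix plus a block-list of personal details."""
import string
from datetime import date

MIN_LENGTH = 12  # assumed: the article sets no minimum length

# assumed: common letter-for-symbol swaps, so "J3ssica" is still recognised as "jessica"
LEET = str.maketrans("013457@$!", "oieastasi")


def normalise(text):
    """Lower-case and undo look-alike substitutions before searching for names."""
    return text.lower().translate(LEET)


def date_forms(dob):
    """Spellings of a date of birth that tend to turn up inside passwords (assumed set)."""
    return {dob.strftime(f) for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%Y")}


def check_password(password, personal_info=(), dob=None, common_names=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # item 5: a combination of letters, numbers and punctuation
    classes = {
        "letters": any(c.isalpha() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {name}" for name, present in classes.items() if not present)
    # item 6: partner's, maiden and children's names, plus common names
    haystack = normalise(password)
    for word in (*personal_info, *common_names):
        if len(word) >= 3 and normalise(word) in haystack:   # skip 2-letter names: too noisy
            problems.append(f"contains '{word}'")
    # item 6: date of birth in any of the usual numeric layouts
    if dob is not None:
        for form in date_forms(dob):
            if form in password:
                problems.append(f"contains date of birth as {form}")
                break
    return problems
```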