Monday 26 April 2010

Passwords A Thing Of The Past!

"When will we as Homo sapiens learn from our ever-changing and evolving world?"


Recently there seems to be a significant amount of coverage regarding password security: how best to secure your password, and what makes a good one. This is confusing, as Robert Hensing's blog post back in 2004 seems to have missed its audience if we are still writing about passwords.


Most of the blogs and articles tend to focus on the same issues: how attackers are finding easier ways to get hold of our passwords, or how best to select a good and robust password. My take on this is all about the use of common sense. After reading several publications, it got me thinking (which seems to hurt substantially): where did we go wrong?


Just like the 8-track we had in the cars of the past, the time of the "password" is at an end; as a result we should adapt, and quickly. Research shows that passwords are a weak form of securing anything: weak for authentication, and not very robust at keeping the 'baddies' out. This brings us to the next phase of passwords, pass-phrases, and how they have evolved. Now, we all know from Security 101 that there is no silver bullet (or was it "there is no spoon"?), so I am not insinuating that moving from passwords to pass-phrases will resolve all your problems or stop attempts to crack them.


The idea is to make it difficult for the 'baddies' and to slow them down. With PCs becoming increasingly powerful and quick at processing, I believe there will be another evolution where pass-phrases in turn will need to be adapted, just as passwords do at present.


Returning to the analogy of the 8-track evolving into cassettes, then CDs and MP3s, pass-phrases seem the natural progression from passwords. As some of the more technical publications point out, freely available tools that incorporate rainbow tables make password cracking simpler and quicker than it used to be. More specifically, newly cracked passwords are then added to the table, making this a very worthy adversary in the fight to secure systems.


So what are the merits of a pass-phrase compared to a password? HINT: look at the difference in the names and your answer would not be far off. One clearly states it is a word, whilst the other is a phrase. Psychologically, the method of "chunking" information works in favour of recollection (see the 1956 study by George A. Miller), so a pass-phrase should be as simple to recall and reproduce as a password is.


So, knowing about pass-phrases, why not implement them and protect yourself for the future? Should you wish to make it a little more complicated, as most security professionals do (Security 102 - "Be very paranoid"), how about picking a memorable pass-phrase and applying some simple transformations such as character replacement?
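To put numbers on the comparison made above (the merits of a pass-phrase over a password, and the suggestion of character replacement), here is an added Python example that is not part of the original post: it estimates the exhaustive search space an attacker faces for a character password versus a randomly chosen pass-phrase, and generates a pass-phrase with the operating system's CSPRNG. The sample wordlist and the password values are constructed for illustration; the 7,776-word figure is the size of a Diceware-style list.

```python
import math
import secrets

# Constructed sample wordlist (hypothetical, 16 entries) so the example runs offline;
# a real generator would use a large list such as the 7,776-word Diceware list.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pepper",
]

def search_space_bits(alphabet_size: int, length: int) -> float:
    """Work for an attacker who must try every combination: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def password_bits(password: str) -> float:
    """Upper bound for a character password, assuming it is random over the
    character classes it uses (lower 26, upper 26, digits 10, symbols 33).
    Real passwords are far weaker than this bound: word lists and precomputed
    (rainbow) tables shrink the space to the candidates people actually pick."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return search_space_bits(alphabet, len(password))

def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Search space for a pass-phrase of words chosen uniformly at random.
    Character replacement applied to an otherwise known phrase is a fixed
    transformation of that phrase, so it is not credited as extra work here."""
    return search_space_bits(wordlist_size, word_count)

def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), not random.choice, so that the
    passphrase_bits estimate actually holds for the generated phrase."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))

if __name__ == "__main__":
    print(f"8-char lowercase password  : {password_bits('password'):.1f} bits")
    print(f"9-char mixed password      : {password_bits('C0rr3ct!9'):.1f} bits")
    print(f"5 words from a 7,776 list  : {passphrase_bits(5, 7776):.1f} bits")
    print(f"Sample phrase (16-word list): {generate_passphrase(4)}")
```

The point the numbers make is that a few random words from a large list outgrows a "complex" nine-character password, while remaining something a person can chunk and remember.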


I know we are a long way from getting everyone to consider using a pass-phrase instead of a password at the moment; however, educating users to migrate to them seems the more plausible avenue. If only all data owners and executives would agree to changes in policy to effect and enforce this within their organisations, it might have prevented some of the simpler incidents we have read about.


Passwords, you served us well, and "thank you for all the fish". Now, pass-phrase anyone?