Page 54 - Cyber Defense eMagazine - October 2017

Common Sense Passwords

Disclaimer: As with all security operations, always act in accordance with the highest standard of legality and ethics, making sure you have the proper authorization for any security exercises in which you engage.

What problem are passwords meant to solve?

Having parented three sons during the youth sports era of the “participation trophy”, I have often thought about how this philosophy pervades technology. For those who have somehow missed this phenomenon, many youth sports leagues have erased the notion of winning, losing, and even keeping score, awarding every player on every team a trophy at the end of the season. It is easy to dismiss it as a Saturday morning amusement, but is it any different back in the technological world on Monday?

Tech initiatives are very often driven by the perception that doing something, anything, and merely participating is equivalent to forward progress. It isn’t, and maybe there’s no better example of this in the security field than password management. The mantra “use strong passwords” is as burned into everyone’s brains as is the Nationwide Insurance commercial jingle that one of my sons occasionally breaks into for no reason while playing a game on his iPhone. But does anyone know what having a “strong password” actually means?

Nearly every web site password creation page defines a strong password differently. Many sites show a password-strength progress bar that turns from red to green as you type theoretically more complex characters. But try the same password on multiple web sites, and what is considered a strong password on one site may be considered weak on another. Requirements also vary tremendously: length limits differ, and sites variously require lowercase letters, uppercase letters, numbers, symbols, all of them, only some of them, or some of them while prohibiting others. In fact, I encountered just this week a major credit-card processor which required that passwords be an exact length – and shockingly worse, that length was 12 characters.

Does anyone even remember what problem we are trying to solve with passwords? The way passwords are commonly managed demonstrates a lack of understanding about how passwords can be cracked, and more importantly, it demonstrates a loss of focus on the actual problem at hand. The purpose of a password is to accurately verify the identity of a user. Restated: a password must act as a unique symbol which only the proper user can produce. Therefore, a truly strong password is one which provides maximum resistance to anyone attempting to crack it.
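The point above, that strength is resistance to cracking rather than which boxes a password ticks, can be made concrete by counting how many passwords a given policy actually admits. The following is an added example, not code from the article; the character-class sizes, and the two sample policies it compares (an exact 12-character rule like the one described above versus 12 to 64 characters), are my assumptions.

```python
# Added example (not from the article): express a password policy as the
# number of passwords it admits, in log2 bits, so that policies can be
# compared by the resistance they offer rather than by their rules.
from itertools import combinations
from math import log2

# Assumed class sizes for a typical US keyboard layout.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_for_length(n, allowed, required=()):
    """Number of length-n strings over the allowed classes that contain at
    least one character from every required class (inclusion-exclusion:
    alternately subtract and add the strings that omit required classes)."""
    req = list(required)
    total = 0
    for k in range(len(req) + 1):
        for omitted in combinations(req, k):
            size = sum(CLASSES[c] for c in allowed if c not in omitted)
            total += (-1) ** k * size ** n
    return total


def policy_bits(min_len, max_len, allowed, required=()):
    """log2 of the number of passwords the policy accepts; -inf if none."""
    count = sum(count_for_length(n, allowed, required)
                for n in range(min_len, max_len + 1))
    return log2(count) if count > 0 else float("-inf")


def compare_policies():
    """Constructed comparison: exact-length-12 rule versus a 12..64 range,
    both allowing all four classes and requiring all four."""
    allowed = tuple(CLASSES)
    return {
        "exact_12": policy_bits(12, 12, allowed, required=allowed),
        "range_12_to_64": policy_bits(12, 64, allowed, required=allowed),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:15s} {bits:8.1f} bits of search space")
```

Requiring every class at a fixed length removes a small fraction of the keyspace; capping the length at exactly 12 removes orders of magnitude more than any composition rule adds.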


Copyright © Cyber Defense Magazine, All rights reserved worldwide.