Password creation policies are the enemy of secure passphrases say IT experts

May 2012

Commenting on reports that a security developer has concluded that password-creation policies are the enemy of secure passwords, SecurEnvoy says that the fundamental issue is that conventional ID/password security is now coming to the end of the line as far as security is concerned.

The reasons for this, says Steve Watts, co-founder of the tokenless two-factor authentication (2FA) specialist, are actually more complex than Cameron Morris, the security developer, notes.

"This isn’t to say that Cameron is wrong - far from it - it’s just that the reasons why passwords are coming to the end of the line in today’s online environment are multi-faceted, with company password policies being only one issue of concern," he said.

"One of the other major issues we have observed is that people have great difficulty remembering more complex passwords than the six or eight alphabetic strings that most Internet users rely on. Because of this, they fall back on an eight-digit passphrase that is usually a family member’s name or place of birth, and which - unfortunately - are all too easy to hack using brute force password attacks," he added.

The problem with corporate password policies, the SecurEnvoy co-founder went on to say, is that they often force users to create complex passwords with a mixture of letters and numbers, with at least one of the letters being upper case.

The net result of this, he says, is that users end up with a relatively complex passphrase that is difficult to remember, and the employee often ends up storing the passphrase on their mobile phone as an "aide-mémoire" or - perhaps worse - writing it on a yellow sticky note which is then stuck to their desktop monitor.

This, he adds, is the real issue that Cameron has picked up on: making passwords too complex means that the average user takes an easy option to help them remember it when they want to log on.

Watts explained that it is this experience that has pushed many organisations to go down the hardware authentication token path, forcing employees to tote the hardware token with them - perhaps on their key ring or in their purse.

A far easier option, he notes, is to go down the tokenless 2FA security route, using an employee’s mobile phone as the medium for authentication. As well as being more convenient for staff than toting around a hardware token, tokenless 2FA can also be completely reconfigured by the IT helpdesk in real time, rather than having to wait for a member of staff to be sent a new hardware token.

"We welcome news that Cameron Morris has identified a shortcoming of password policies that focus only on passphrase composition, rather than actual strength. The Passfault software - which he has developed - highlights how easy it is to crack a typical password. Tokenless 2FA is, in our opinion, a far better option in terms of security and flexibility," he added.
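The gap between composition rules and actual strength can be shown side by side. The following is an added illustration, not code from SecurEnvoy or from Passfault: it checks a typical "8+ characters, upper, lower, digit" policy and, separately, makes a rough pattern-aware guess estimate. The word list, the assumed WORDLIST_SIZE and the cost model are constructed for this example.

```python
import string

# Constructed for this example: a tiny word list standing in for the names,
# places and dictionary words a cracker tries first. WORDLIST_SIZE is the
# assumed size of the real list it stands in for, used for the cost estimate.
COMMON_WORDS = {"password", "michael", "london", "summer", "welcome",
                "correct", "horse", "battery", "staple"}
WORDLIST_SIZE = 100_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def meets_composition_policy(pw: str) -> bool:
    """The kind of rule the article describes: 8+ chars, upper, lower, digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def estimate_guesses(pw: str) -> int:
    """Pattern-aware guess estimate: split the password into dictionary words,
    digit runs and leftover characters, and multiply each part's search space.
    A word costs one wordlist pass (times 2 if it has capitals), not 26**len."""
    guesses, i = 1, 0
    while i < len(pw):
        word = next((pw[i:j] for j in range(len(pw), i, -1)
                     if pw[i:j].lower() in COMMON_WORDS), None)
        if word:
            guesses *= WORDLIST_SIZE * (2 if word != word.lower() else 1)
            i += len(word)
        elif pw[i].isdigit():
            j = i
            while j < len(pw) and pw[j].isdigit():
                j += 1
            guesses *= 10 ** (j - i)
            i = j
        else:
            guesses *= len(ALPHABET)  # no structure found: full keyboard alphabet
            i += 1
    return guesses


def assess(pw: str) -> dict:
    """Both views at once: policy verdict and rough guesses needed to crack."""
    return {"policy_ok": meets_composition_policy(pw), "guesses": estimate_guesses(pw)}


if __name__ == "__main__":
    for pw in ("Michael01", "correcthorsebatterystaple"):
        print(pw, assess(pw))
```

"Michael01" passes the policy yet falls to a name plus two digits, while the lower-case four-word passphrase fails the policy and survives vastly more guesses.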
