Electronic Password Policies 1

Chip, PINs, Passwords & Security Codes


Page 1


4-sight Consulting specialises in safety-related systems for the energy, process, transport and utility industries. Modern safety systems often involve computers. Sometimes problems arise not because a system is unsafe as designed, but because the system is insecure. The system was originally safe, but it is no longer safe because it is insecure. The insecurity may arise because people find they cannot understand or work with the contradictory security policies of the many organisations with which they have to deal. This article discusses one aspect of security (passwords) that many people find difficult and suggests an alternative approach.

Information Security Policies

The Information Security (IS) policies of different companies require individual users of internet systems and telephone call centres to:

At the same time “Chip and PIN” is being introduced to the UK and there is further confusion about the difference between PINs and Passwords.

Other companies require individual users of their computer systems to:

This article discusses why these conflicting policies are unworkable and confusing and what might be done instead.

Fundamental flaw in IS policies

Some of the causes of confusion are that:

In addition, the fundamental flaw is that most policies fail to distinguish between

  1. is the password to allow access? or
  2. is the password to confirm the identity of a specific individual?

1. Traditional use of passwords

Consider a human sentry on a gate. He may be told to allow entry to other humans when either

  1. a stranger has the correct password; or
  2. the person is not initially recognised but says the correct password and on closer inspection is then also recognised as a friend or colleague.
  3. the person is immediately recognised as a friend or colleague and may or may not need to say a password.

There are two separate activities in this example: identifying an individual and accepting that the particular individual is authorised to have access. Robust security needs to distinguish clearly between these two activities. The sentry example above fails to answer the question “Is that friend and colleague currently on the list for approved access?” and also fails to advise what to do if none of the three options above occur.

The use of code words and passwords is recorded in the Bible. The military have used passwords for centuries. Passwords have always meant what the word says – a “pass word” allows one person to pass another unobstructed provided they use the correct code word. In other words, traditionally passwords have always been shared between at least two people and quoted on request, so many people still think of a password as something shared between friends or colleagues. The simplest analogy is that a password is a key that will unlock access. There should be a known number of copies of the key. Only those on the list of key holders hold the keys. Who makes copies of keys, issues and retrieves keys, updates the list of key holders, and so on all need to be considered, but will not be discussed here.

Using “password” to mean both personal identification as well as a key to shared information adds to the general misunderstanding and confusion about IS.

2. Group Tasks

Servicing enquiries@company.com will inevitably require more than one person to ensure continuity during holidays and sickness. Many other tasks also require information sharing within a known group of people. Two simple security mechanisms are:

  1. access is granted to a defined group of people, so identification of an individual is required for every access
  2. access is granted to key holders, so identification of an individual is required only for issuing the key

These mechanisms need to be understood and distinguished. Again, using the same word, password, to mean both personal identification as well as a key to shared information adds to the general misunderstanding and confusion about IS.

Index - Page 2

Hosted by Webfaction

Return to Top

Page rendered with rest2web the Site Builder

Last edited Sun Oct 01 20:13:34 2006.