Electronic Password Policies 1

Chip, PINs, Passwords & Security Codes

Passwords

Introduction

4-sight Consulting specialises in safety-related systems for the energy, process, transport and utility industries. Modern safety systems often involve computers. Sometimes problems arise not because a system is unsafe as designed, but because the system is insecure: a system that was safe when built stops being safe once its security is compromised. The insecurity may arise because people find they cannot understand or work with the contradictory security policies of the many organisations with which they have to deal. This article discusses one aspect of security (passwords) that many people find difficult and suggests an alternative approach.

Information Security Policies

The Information Security (IS) policies of different companies require individual users of internet systems and telephone call centres to:

  • never reveal their account password to anyone over the phone, even when requested (for example, many of the high street banks)
  • always reveal their account password over the phone in order to identify themselves to a telephone call centre when requested (for example, One.tel)
  • not reveal the whole password, but identify themselves when requested by quoting one of the first four letters or the last letter of an account password (for example, the telephone bank first direct)

At the same time “Chip and PIN” is being introduced to the UK and there is further confusion about the difference between PINs and Passwords.

Other companies require individual users of their computer systems to:

  • identify themselves by using a combination of username and password
  • use a long and uncommon word as a password
  • not tell anyone else their password(s)
  • change their password(s) at regular intervals
  • not use the same password on different systems
  • remember their password(s) without writing them down.

This article discusses why these conflicting policies are unworkable and confusing and what might be done instead.

Fundamental flaw in IS policies

Some of the causes of confusion are that:

  • there is no apparent distinction between individual tasks and group tasks
  • companies ignore the traditional and historical use of passwords
  • companies do not realise the confusion caused by contradictory and unworkable policies

In addition, the fundamental flaw is that most policies fail to distinguish between two different questions:

  1. Is the password there to allow access?
  2. Is the password there to confirm the identity of a specific individual?

1. Traditional use of passwords

Consider a human sentry on a gate. He may be told to allow entry to other humans when any one of the following applies:

  1. a stranger has the correct password; or
  2. the person is not initially recognised but says the correct password and on closer inspection is then also recognised as a friend or colleague; or
  3. the person is immediately recognised as a friend or colleague and may or may not need to say a password.

There are two separate activities in this example: identifying an individual and accepting that the particular individual is authorised to have access. Robust security needs to distinguish clearly between these two activities. The sentry example above fails to answer the question “Is that friend and colleague currently on the list for approved access?” and also fails to advise what to do if none of the three options above occur.

The use of code words and passwords is recorded in the Bible. The military have used passwords for centuries. Passwords have always meant what the word says – a “pass word” allows one person to pass another unobstructed provided they use the correct code word. In other words, traditionally passwords have always been shared between at least two people and quoted on request, so many people still think of a password as something shared between friends or colleagues. The simplest analogy is that a password is a key that will unlock access. There should be a known number of copies of the key. Only those on the list of key holders hold the keys. Who makes copies of keys, issues and retrieves keys, updates the list of key holders, and so on all need to be considered, but will not be discussed here.

Using “password” to mean both personal identification as well as a key to shared information adds to the general misunderstanding and confusion about IS.

2. Group Tasks

Servicing enquiries@company.com will inevitably require more than one person to ensure continuity during holidays and sickness. Many other tasks also require information sharing within a known group of people. Two simple security mechanisms are:

  1. access is granted to a defined group of people, so identification of an individual is required for every access
  2. access is granted to key holders, so identification of an individual is required only for issuing the key

These mechanisms need to be understood and distinguished. Again, using the same word, password, to mean both personal identification as well as a key to shared information adds to the general misunderstanding and confusion about IS.
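The two mechanisms above, and the separation between identifying an individual and deciding whether that individual is currently on the approved list (the sentry example), can be made concrete in code. The following is an added example written for this page, not code from 4-sight Consulting or from any product it describes. The resource name, the user names and secrets, and the in-memory registers are constructed assumptions; a real deployment would keep the identity register and the key register in durable, audited storage.

```python
"""Two ways of protecting a shared resource such as enquiries@company.com:
  mechanism 1: every access identifies the individual AND checks group membership
  mechanism 2: the individual is identified once, when a key is issued; the key
               is then presented on its own, and the number of copies is known.
Constructed example: names, secrets and registers are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor for the stored secrets


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


@dataclass
class IdentityRegister:
    """Answers only 'is this person who they claim to be?' (identification)."""
    _records: dict = field(default_factory=dict, init=False)

    def enrol(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _hash_secret(secret, salt))

    def identify(self, user: str, secret: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            _hash_secret(secret, b"\0" * 16)  # same cost for unknown users
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_secret(secret, salt))


@dataclass
class SharedResource:
    """Answers 'is this identified person allowed in?' (access), kept separate."""
    name: str
    identities: IdentityRegister
    authorised_group: set = field(default_factory=set)  # mechanism 1 list
    key_holders: set = field(default_factory=set)       # mechanism 2 list
    _issued_keys: dict = field(default_factory=dict, init=False)  # key -> holder

    # Mechanism 1: identify the individual, then consult the approved list,
    # on every single access.
    def access_as_member(self, user: str, secret: str) -> bool:
        if not self.identities.identify(user, secret):
            return False                     # not who they claim to be
        return user in self.authorised_group  # identified, but on the list today?

    # Mechanism 2: identify the individual only when a key is issued, and record
    # the copy so the number of keys in circulation is always known.
    def issue_key(self, user: str, secret: str) -> Optional[str]:
        if not self.identities.identify(user, secret) or user not in self.key_holders:
            return None
        key = secrets.token_urlsafe(32)
        self._issued_keys[key] = user
        return key

    def _holder_of(self, key: str) -> Optional[str]:
        # Constant-time comparison against every issued key.
        for issued, holder in self._issued_keys.items():
            if hmac.compare_digest(issued.encode(), key.encode()):
                return holder
        return None

    def access_with_key(self, key: str) -> bool:
        return self._holder_of(key) is not None  # no identification at this point

    def retrieve_key(self, key: str) -> None:
        holder = self._holder_of(key)
        if holder is not None:
            self._issued_keys = {k: h for k, h in self._issued_keys.items() if h != holder or k != key}

    def copies_outstanding(self) -> int:
        return len(self._issued_keys)


if __name__ == "__main__":
    ids = IdentityRegister()
    ids.enrol("alice", "correct-horse-battery")  # constructed credentials
    ids.enrol("bob", "bob-secret")
    mailbox = SharedResource("enquiries@company.com", ids,
                             authorised_group={"alice"}, key_holders={"alice"})
    print("alice as member:", mailbox.access_as_member("alice", "correct-horse-battery"))
    print("bob as member (identified but not listed):", mailbox.access_as_member("bob", "bob-secret"))
    key = mailbox.issue_key("alice", "correct-horse-battery")
    print("key opens mailbox:", mailbox.access_with_key(key), "copies:", mailbox.copies_outstanding())
```

Note that `IdentityRegister.identify` never says anything about access, and `SharedResource` never inspects a secret directly: a correct password proves identity, and only the group or key-holder list grants entry. This is the distinction the sentry example leaves unanswered, and it also covers the "none of the options apply" case, which simply returns `False`.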

Last edited Sun Oct 01 20:13:34 2006.