Electronic Password Policies 2

Chip, PINs, Passwords & Security Codes


Page 2

Fundamental flaw in IS policies (continued)

3. Threat Analysis

A blanket policy on passwords does not take account of the many different threats and does not appear to recognise that some information is more valuable than other information. This reduces the credibility of the IS policy with the users.

For example, if a security breach were to disable or degrade a safety-related system then there could be risk of injury or even death. A different security breach might mean the need to repeat an hour’s work. People understand that these risks are very different and recognise additional levels or layers of security are appropriate.

Another issue is the method of access. A confidential remote mail server may be accessed thousands of times a day by different computers and needs a password that is hard to crack. A password of only four digits will not meet this need. Users of ATMs who input a PIN manually at a keyboard would find it difficult to achieve a similarly large number of trial entries before the loss of the bank or credit card is discovered. Thus a four-digit PIN is widely used. Similarly, quoting all or individual letters of a password to a telephone call centre does not permit thousands of attempts without creating suspicion. Thus a simple password is acceptable and is usually only one layer of the multi-layer security.

4. Human memories

A nervous house owner has an impressive door lock. There are only two keys and the copies can be made in only one place and with his approval. Unfortunately he does not have a good memory, so he keeps one of the keys under the front door mat in case he loses his other key!

A familiar IS statement is “A random password function that forms a nonsense string of letters, numbers and symbols generates the perfect password.” This is indeed nonsense unless you write down the string and the system to which it refers, but this would be in violation of the stated IS policy and is similar to keeping the key under the front door mat. Even if you think you can manage to remember the string without writing it down, what happens when you return from two weeks holiday?

Individuals will usually belong to more than one group for information sharing and require access to many different systems. Unless “single sign-on” permits access to all the required systems then individuals will be expected to remember many different passwords. Published research demonstrates that the stated policy does not work (Anne Adams et al., “Making Passwords Secure and Usable”, Proc. HCI 1997) because it does not consider human factors. For example, users have stated:

“Constantly changing passwords results in very simple choices which are easy to guess or break within seconds of using ‘Cracker’ (a password dictionary checker). Hence there is no security.”

“Basically because I was forced into changing it every month I had to write it down.”

We need to change the IS policy and to educate users about the content of passwords. For example, password generators are available that produce pass-phrases such as “verb?noun?” or “adjective?noun?” where the ? is a non-alpha character, for example a number or a punctuation mark. Such pass-phrases are easier to remember and will not be found by ‘Cracker’ or most hackers. Recommendation 2 below also addresses this issue.
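The threat analysis in section 3 and the “verb?noun?” pass-phrase pattern above can be put into numbers. The following is an added example, not code from the original article: it builds a pass-phrase of that pattern, works out the size of the space an attacker must search, and shows how the attempt rate the method of access permits (a few manual tries before a card is retained, thousands of tries a day against a remote server) decides whether a given secret is adequate. The word lists, separator set and attack rates are constructed for illustration.

```python
import math
import secrets

# Constructed, deliberately tiny word lists standing in for a real generator's
# dictionaries; pass the real list sizes to the strength functions below.
VERBS = ["run", "jump", "sing", "read", "climb", "paint", "swim", "drive"]
NOUNS = ["river", "lamp", "garden", "bridge", "kettle", "violin", "anchor", "meadow"]
SEPARATORS = "0123456789!?#%&*+-=@"  # the '?' in verb?noun?: a digit or punctuation


def pass_phrase(verbs=VERBS, nouns=NOUNS, seps=SEPARATORS):
    """Build a 'verb?noun?' pass-phrase using a CSPRNG (random.choice is predictable)."""
    rng = secrets.SystemRandom()
    return f"{rng.choice(verbs)}{rng.choice(seps)}{rng.choice(nouns)}{rng.choice(seps)}"


def keyspace_size(n_verbs, n_nouns, n_seps):
    """Number of distinct verb?noun? phrases, assuming uniform choice from each list."""
    return n_verbs * n_nouns * n_seps ** 2


def pattern_entropy_bits(n_verbs, n_nouns, n_seps):
    """Strength of the pattern in bits: log2 of the keyspace."""
    return math.log2(keyspace_size(n_verbs, n_nouns, n_seps))


def guess_success_probability(space, attempts):
    """Chance a guesser finds a uniformly chosen secret within a budget of attempts
    (e.g. the tries allowed before a card is retained or the loss is noticed)."""
    return min(1.0, attempts / space)


def time_to_exhaust(space, attempts_per_unit):
    """Time units needed to try every candidate at the given attempt rate."""
    return space / attempts_per_unit


if __name__ == "__main__":
    pin_space = 10 ** 4  # four-digit PIN
    print("4-digit PIN, 3 manual tries before lockout:",
          guess_success_probability(pin_space, 3))
    print("4-digit PIN against a remote server at 1000 tries/day:",
          time_to_exhaust(pin_space, 1000), "days to try every PIN")
    # Assumed realistic generator: 2000 verbs, 5000 nouns, 20 separators.
    space = keyspace_size(2000, 5000, len(SEPARATORS))
    print("verb?noun? pass-phrase:", round(pattern_entropy_bits(2000, 5000, len(SEPARATORS)), 1), "bits")
    print("  remote server at 1000 tries/day:", round(time_to_exhaust(space, 1000) / 365), "years")
    print("  offline cracker at 1e9 tries/s:", time_to_exhaust(space, 1e9), "seconds")
    print("sample phrase:", pass_phrase())
```

The same pattern that is comfortably beyond a rate-limited online attacker falls in seconds to an offline cracker against a stolen password file, which is the article's point that required strength follows from the method of access and the threat, not from a blanket rule.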

An alternative approach

1. Shared Passwords

The alternative approach suggested here is to confine the use of passwords to part of the layered security procedures used to unlock access to significant information and to use a different mechanism to confirm the identity of an individual. This would keep passwords for both the traditional and the obvious meaning of the word. Each shared password would usually be a shared pass-phrase, confined to a specific group and changed by mutual agreement.

2. Security Codes or Questions

If companies need to use another separate layer of security to permit access then the letters and/or numbers should not be called a password but something else, for example, a “security code” or a “security question”. Users could then be asked to keep the security code/question confidential between themselves and the service provider and reveal only selected letters or answers when requested. This would avoid confusion with Passwords and PINs.

3. Personal Identification

There is no difficulty in finding a separate mechanism for personal identification and two possible approaches are suggested here.

3.1 Personal Passwords

Some organisations have tackled this by distinguishing “shared passwords” and “personal passwords”. Personal passwords are used in combination with a “username” for personal identification. The personal password would usually be a pass-phrase, confidential to the individual and changed when compromised and also changed at some reasonable interval of time.

3.2 PINs

Another option is Personal Identification Numbers or PINs. Before dismissing this approach as simplistic, consider the many advantages of PINs.

  1. Not only are PINs in general use, but also unlike the word “password” PINs say what they mean – they are for “Personal Identification”.
  2. The most common current use of PINs is with bank / credit cards and ATMs or to open electronic door locks within secure buildings. People already understand that the identification process requires a combination of a card and a PIN.
  3. People know they can change a PIN to something easy to remember.
  4. After a PIN is compromised (for example, someone is watching the keyboard) then it can easily be changed.
  5. When a card is lost or a PIN forgotten there are widely used procedures already in place to provide replacements.
  6. The same bank account may have more than one user but should have a separate card and PIN for each user. People know that the account is shared but the people are different.
  7. There is no objection to an individual using the same PIN on many different systems. It always identifies the same individual and is confidential to that individual.

For users the mechanism proposed here is a combination of either “username” and PIN for personal identification, or else a combination of identity card and PIN. Whether additional security is required using a “shared password” as a key to permit access to certain information would then depend upon the threats and the circumstances. For example, for use of a system available only within a secure building, identification of the individual might be sufficient. The access would be equivalent to what is left in an unlocked desk. More significant information (for example personnel salaries) might require a shared password to obtain access.

As with the personal password, the PIN would usually be a pass-phrase, confidential to the individual and changed when compromised and also changed at some reasonable interval of time.


Last edited Sun Oct 01 20:13:30 2006.