Electronic Password Policies 3

Chip, PINs, Passwords & Security Codes


An alternative approach (continued)

4. Objections

The first objection is that PINs are often only numeric and limited to 4 digits. This is a reasonable objection. However, there is no reason to restrict PINs in this way: PINs could be pass-phrases and as varied as current passwords. The essential point is to ensure that they are used for personal identification. The required format would depend upon the needs of the organisation. PINs could even stand for Personal Identification Nomenclature, but this elaboration is hardly necessary.

Use of the same PIN on different systems would concern some people. Once the PIN is compromised it needs to be changed on each system. In practice users recognise this choice and understand the implications. A lost or stolen wallet usually contains more than one plastic card and all of them need to be cancelled. Many people use card protection companies that will cancel all the cards at once and order replacements. With computer systems, and particularly web sites, there may be a large number of systems to which any one user needs to identify himself, and remembering them all would be a daunting prospect. Recommendation 2 below addresses this issue.

When the same bank account has more than one user they may share the card and the PIN in violation of the bank’s policy. This practice is already discouraged and most people are aware that it is in violation of the banks’ policies. This misuse of PINs is not sufficient reason for rejecting them.

Recommendations

1. Education and training

The first priority is to educate users in security issues and to train them in the specific threats to the services they use and the organisation in which they work. An understanding of security risks is essential if users are to take IS policies seriously, particularly if the system is safety-related because human life is at risk.

The education should cover integrity risks and availability risks as well as confidentiality risks, so that users appreciate the full scope of the IS needs. A key part of this training will be to explain PINs, passwords and security codes/questions to users, and how to distinguish between

  • unlocking access to information; and
  • confirming the identity of a specific individual.

Explaining this distinction will be easier if different mechanisms are used. For example,

  • shared passwords/pass-phrases to unlock access and
  • a combination of cards or usernames and personal passwords/pass-phrases or PINs/pass-phrases to identify individuals.

This would also encourage a clear distinction between

  • PINs that should never be revealed; and
  • passwords that could be revealed to a call centre.

Using PINs and passwords in this way would be consistent with the current publicity about Chip and PIN and avoid contradictory policies about passwords.

2. Multiple Passwords

If different keys are needed for different systems then the reasons must be explained to the users and support provided. For example, with physical keys companies often provide a key box with coded keys. A software equivalent is a tool such as CSPassword that allows users to store multiple passwords, pass-phrases and PINs and maintain reasonable security. CSPassword is available from

www.chrisseaton.com/software

3. Changing PINs or Passwords

Few, if any, of us change our domestic house locks every month. We change the locks when a house key has been compromised. The same logic should be applied to all pass-phrases including shared passwords, PINs and personal passwords. The upper limit on the time between changes should be explained to users and based on the perceived threats, not on an arbitrary rule.

Conclusion

Improvements in security are more likely when companies involve the users and have understandable and consistent IS policies, rather than focusing on slicker or stronger security technology. Explaining a workable IS policy including the value of pass-phrases and the distinction between

would be a contribution in the right direction and consistent with the current “Chip and PIN” promotion.

Tony Foord

27th August 2004


Last edited Sun Oct 01 20:13:40 2006.