Sunday, June 30, 2013

Why A More Complex Password Policy Is Not Always Better

Just about anybody who uses the internet knows that passwords are a necessary evil, and the advent of ever more complex password policies has made them even more so. The problem is that you want an adequate level of security while still being able to remember your passwords so that you can access your accounts and information. If a password is too simple, an attacker can crack or brute-force it; if it is too complex, the user will not be able to remember it. Many organizations have tried to offer solutions to the problem, but none have succeeded thus far. Why not? Will anybody ever come up with a better solution? As of now, the answers to these questions are unknown.

The reason is that different sites have different requirements for their passwords. Nowadays it is not uncommon for password policies to require upper-case as well as lower-case letters, along with numbers and symbols, with a minimum of 8 characters. Some sites won't let you use a dictionary word; others make you change your password every few months and won't let you reuse passwords you have used before. You can see why organizations require complex passwords, but it makes things less convenient for end users, and that eventually leads to less security: people are more likely to write down their passwords and store them in clear text, or even in physical form, where they can easily be copied or stolen. Another common effect is that people forget their password and have to have it sent to them via email. This is an absolute no-no, because email is unencrypted and you never know what path your data takes to reach its destination. Some places require what is called a pass phrase, which is basically a very long password in the form of a phrase or sentence. Not only is this harder to remember, it is also much less convenient, because it takes much longer to enter and is more prone to typing errors, since people can't see what they are typing. In recent years biometrics have started to replace or supplement passwords, pass phrases, PIN numbers, and other security measures. But biometrics aren't the answer for most situations, especially web sites, as most computers and portable devices don't have the necessary hardware. Some
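As an added example (not from the original post), the following Python puts numbers on the point above: a password can satisfy the typical upper/lower/digit/symbol/8-character policy and still be weak if it is a dictionary word with predictable mangling, while a multi-word pass phrase fails the policy yet has more real entropy. The attacker-model sizes (10,000 base words, 16 mangling variants, 100 suffixes) and the 7776-entry word list are constructed assumptions, not measured figures.

```python
import math
import re
import string

SYMBOLS = set(string.punctuation)  # the 32 printable ASCII symbols


def meets_complex_policy(pw: str, min_len: int = 8) -> bool:
    """The 'complex' policy described in the post: upper, lower, digit, symbol, >= 8 chars."""
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and any(c in SYMBOLS for c in pw)
    )


def charset_entropy_bits(pw: str) -> float:
    """Upper bound: bits if every character were drawn uniformly from the
    character classes that appear in the password. Real users do not choose this way."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if any(c in SYMBOLS for c in pw):
        pool += len(SYMBOLS)
    if " " in pw:
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


def mangled_word_entropy_bits(words: int = 10_000, manglings: int = 16, suffixes: int = 100) -> float:
    """Bits a guesser actually needs if the password is 'dictionary word + common
    capitalization/leet mangling + short digit/symbol suffix'. The three sizes are
    assumed values for the guessing model, not measurements."""
    return math.log2(words * manglings * suffixes)


def passphrase_entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Bits for n words drawn uniformly at random from a wordlist_size-entry list
    (7776 = 6**5, the size of a diceware-style list)."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correct horse battery staple"):
        print(f"{pw!r}: policy ok={meets_complex_policy(pw)}, "
              f"charset bound={charset_entropy_bits(pw):.1f} bits")
    print(f"mangled word model: {mangled_word_entropy_bits():.1f} bits")
    print(f"4 random words: {passphrase_entropy_bits(4):.1f} bits")
```

The compliant "P@ssw0rd!" scores about 59 bits by the naive character-set bound but only about 24 bits under the word-plus-mangling model, while four random words (about 52 bits) fail the policy entirely.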

While there is no magical silver bullet that will make everything totally secure and still provide the ease of use that end users desire, the best security is achieved through multiple layers. The best way to get the most security is to combine different methods, such as passwords, biometrics, time-based tokens, key cards, etc. These make up the security triad: something you have, something you are, and something you know. Combining them makes it much harder for somebody to gain unauthorized access. As previously mentioned, this is hard to implement on the web, so what can organizations do to increase security there? One way is to store passwords and phrases on your device in an encrypted database that is sandboxed from other programs and processes and can only be accessed once the user has entered the master password or phrase along with a biometric element. Multiple biometric methods can be used at once to increase security. Time-based tokens and key cards are less likely to be used for things like websites. Biometric scans can take the form of iris scanning or fingerprint reading, which require separate dedicated sensors on each device. More and more phones and computers have biometric sensors nowadays, but they are still very far from widespread use. Biometrics can, however, be achieved using standard pieces of equipment such as a camera or microphone. A standard camera can take a picture of your face, eyes, or other body parts, which can then be analyzed and compared mathematically to the data in the database. Microphones can be used to analyze voice patterns and phrases. Most cell phones have at least one camera, and many have a front-facing camera in addition to the rear camera, or a camera that can swivel from front to back. Many tablets have a front-facing camera, and more and more laptops and desktop monitors have built-in cameras as well.

Today pretty much all laptops and tablets have a microphone built in, and every single cell phone has one. If these devices came with, or could download, apps to store and access passwords, PIN codes, pass phrases and more, it would make storing and retrieving passwords much easier and more convenient for users. Password storage apps are nothing new; I've known of them for decades now. But they are getting better and easier to use. Before, they were cumbersome, hard to use properly, and presented a security issue of their own. If biometrics were used more, I think it would make them both more convenient and more secure, essentially killing two birds with one stone. I think that biometric incorporation, browser integration, and manufacturer adoption would increase the use of these password storage and retrieval apps exponentially. The problem is that you would always need to have your device on you to access the sites, even if you wanted to use another device to access the service. Companies like Google, Apple, Samsung, Microsoft, and others have tried to make the user experience the same across all their platforms, so they could use this advantage to make password storage easier and more secure at the same time. Think about it: if you had an Android tablet and cell phone as well as a Chromebook laptop and a Google TV, or an iPhone and iPad in addition to your MacBook and iMac, then you could store all your secure and complex passwords on one device and have the encrypted information available on all of them via the cloud. And since all current iPads, iPhones, iMacs, and MacBooks have cameras and microphones, you could unlock your password list with up to two forms of biometrics plus a complex password, providing much more security than before while only having to remember one password or phrase. Of course, if you wanted, you could make that password simple to remember, which would make it less secure.

But with the addition of biometrics, even a very simple password or PIN code would be much harder to bypass or crack than a complex password alone. Imagine if you could quickly type in one password, look at the phone, say a word or phrase, and unlock all your passwords at once. This way you could have secure access to all your sites, services, data, and files with much more convenience than is currently available. I think more companies should offer this on their new devices. It would also encourage people to buy multiple devices from one manufacturer, increasing brand loyalty and sales in general. However, like I said before, there is no magic silver bullet. Biometrics can fail too. If you got into a fight and your face was bruised and bloody and your nose was stuffed up, making your voice sound different, the software might not recognize you. So while this may not be the perfect solution to the password problem, I think it is a step in the right direction. You could always have backups and alternate methods to gain access, such as personal questions, etc.