Thursday, May 29, 2014

Increased Password Strength Might Actually Weaken Security Countermeasures

I recently read with admiration a tech article written by a security expert being open and honest about computer, network and online account security access passwords. Even though she understands the importance of strong security, she wrote of the woes of trying to remember different passwords to her many accounts. Finally exasperated, she gave up change and now maintains a policy of a single password for all accounts.

This works for her and can work you as well, unless you access defense contractor, Department of Defense networks or DoD or other government maintained websites and systems such as Defense Security Services’ JPAS, training, SPeD certification, databases, or the applications offered by many other agencies. Where most could get away with using a single password on multiple systems, each of these DoD systems require unique password structures.  One single password will not work.

For example, in most of my online business profiles for email, social media, banking and etc, I can use a common password consisting of letters and maybe a number for good measure. In many cases, the sites help you determine the strength of your password so that you can adjust to however you feel comfortable. You might get a red, amber or green indication with green representing the most protection, but in most cases any password is acceptable if you are comfortable with the results.

In these cases, you can use words or numbers that you are familiar with such as: carman311, cookiemom214, or securitydave2. You may never forget your password as they are not too difficult. However, such familiarity and comfort also create greater vulnerabilities with the level ease required for breaking your code.

Now bring on websites like the ones mentioned above. The company I work for requires uppercase, lowercase, numbers and symbols. DoD sites require the same, as do some classified and unclassified networks. So, simple, adopt a more complicated version of an already used password such as Jollyrancher now might be jollyrancher55672%%^&@ if you add in your address and associated symbols. Then use them for all the multiple applications and you are home free, right?

Not so fast. Where upper and lowercase, numbers and symbols are required; each application may require different combinations. For example one website requires that the passwords DO NOT have repeating characters. Yikes, this eliminates many words such as: jollyrancher, mollymoocow, muddywaters, suggestive, message, eliminate, tellingword, and many more words. Now we now have to have at least two passwords to access all of our accounts. Ok, I can do that.

Not really. So, maybe you have the words with non repeating letters, but now you have to make sure your number combinations and symbols  don’t repeat as well. So, there goes Jollyrancher55672%%^&@. Now you have to vary your password with simple nuances that might be hard to remember. So, maybe I spell it JOlyrancher54672%$^&@ and hope you remember those simple nuances. This might at least require at least three passwords (don’t forget the ones you already have for banking and social networks; add those to the count as well).

I can go on about some password requirements that do not allow the use of certain special characters, but I think you get the point now. The password protection requirements are designed specifically for you not to use familiar terms and NOT to use the same password for multiple applications. We can all agree that that makes for great security, but is it even practical or fair? Heck, try accessing a secure website using those complicated policies from a smartphone where the special characters are no longer above the corresponding numbers…sheesh!

So, the passwords are more secure now as probability of guessing the passwords has just plummeted. But now there is a new risk introduced. I CAN’T REMEMBER MY PASSWORD SO NOW I HAVE TO WRITE IT DOWN.
Ok, I know security and IT folks hate to admit this, but it actually happens. In spite of the hours, days and years of security training, people are still writing down passwords. 

Sure, you get the up and down nod from employees understanding the importance of protecting passwords, but that’s just acknowledgement. The reality is, many of us can’t remember multiple complicated assemblies of letters, numbers and symbols. The industry has given us no choice.
There is hope. In the past few years the Common Access Card and similar “who am I” technology has made passwords almost obsolete. All you need is to register the credentials and you can gain access. There are still some restrictions such as those websites, internal networks, and other places or situations where such credentials aren’t accepted or implemented. Until then, we just have to make do.

Can we eliminate the password requirement? There are other alternatives such as password generator, answering security questions, or even a card with pre-loaded credentials that can be used in combination with a pin number to provide similar great security. These only require a single pin code to access a world of information. No need to remember complicated and multiple formulas.

The lesson here is, if it’s in your control, don’t make security too hard to work with. Protecting sensitive and personal data is very important and in most cases contractual requirement. However, the methods are not always proscribed. This leaves room for alternative ways to protect information that is both easy for the user and safe for the information being protected. The relationship between user and information provides better protection. 

For more security tips, keep following this blog or sign up for our newsletter. We also have great security training and books at

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: