Passwords and Post-Its
Bruce Schneier links to a paper from HotSec that argues that strong passwords accomplish little; stronger user IDs and limits on log-in attempts, the paper says, are better solutions. (Implicit in this argument is that dictionary or guessing attacks are a lower-priority threat than phishing or keyloggers.) And John Kelly of the Washington Post bemoans the standard yet brain-dead corporate routine of forced password changes every X days.
When my consulting team did security stuff (note technical terminology) at Lotus, we found that the biggest risk from passwords is the Post-It note: users write down their passwords because security policies mandate ones that aren’t readily remembered. Try wandering around your office and see how many of these you can find 1) attached to monitors, 2) under keyboards, or 3) on desk calendars / blotters. Far too much security protocol relies on conventional wisdom and accepted practice rather than empirical data.