Passwords Are Broken. What Now?
On Saturday, The New York Times was brave enough to say what we all know: Passwords are inherently insecure. And this insecurity can't be blamed on the users who write passwords down and post them on their computer monitors, use one of the common passwords, or don't change their passwords often enough. Even if users followed these basic rules, passwords still wouldn't work because the log-on procedure itself is risky due to phishing, keystroke logging, and other security threats.
While the article suggests using an alternative that depends on cryptography instead of mnemonics, currently it looks like there isn't a good solution for this problem. (For those of you who are suggesting biometrics, fingerprints aren't as secure as you would think: Burn Notice taught me that a copy of the fingerprint is left on the scanner and can be pulled off with Play-Doh to be used again.)
So since it looks like it will be a while until there is an accepted replacement for passwords, I've pulled together some resources to help you educate your users about password security.
- SafePasswd will generate strong, but easy-to-remember passwords.
- Montana Legal Services Association's Password Creation Guidelines provides guidelines for users on how to and how not to create strong passwords.
- Strong Passwords and Password Security from Microsoft provides some information about strong passwords, how to create them, and even some security tips on passwords and Windows XP. - K
