Users hate passwords. They don't like entering them to gain access to a system; they don't like inventing new ones every 30 or 60 or 90 days; and they really don't like having different passwords for different systems.
The more active and mobile the user, the more often they must enter passwords, and so their resentment grows. The more different systems they use, the more different passwords and password policies they must master, and their dislike deepens.
The banking system considers passwords the least important security measure of the debit system. When they use their card in a store or at an ATM, a user need enter only four numerals to make payments or withdraw cash.
At most, credit card transactions require only a signature, although many fraud-wary retailers in the United States also require personal identification with a photograph. (At the same time, retailers everywhere will cheerfully accept just a credit card number for an online transaction.)
On their home computers, users can easily automate every log-on. Anywhere they go, at home or on the road, authenticating themselves is quick and easy. Even their BlackBerries, stuffed with important documents and e-mails, yield to a simple key sequence.
The networked office desktop seems to require the most arbitrary kind of log-on. In a kind of reverse natural selection, passwords must now be as unlike anything in the user's real life as possible. They no longer accept any naturally memorable elements like words, names, addresses and birthdays.
Instead, they demand random collections of characters that are both difficult for hackers and hard on users. There are various schemes to ease the burden on the user, especially mnemonics that prompt a user with the first letters in the words of a phrase or song, but they still require effort from people who just want to use their computers.
Users enter their offices by holding key cards up to scanners or swiping them, so it is understandable they would want to do the same with their computers.
The worst consequence of effective but elaborate password systems is the distance they can impose between users and IT security managers, who must impose all this overhead.
In the end, most government organizations must trust their employees to safeguard the digital information in their care. But many employees are motivated to defeat their IT security if they can get away with it.
IT security wisdom holds that there are three factors of authentication: something you are, like a fingerprint or an image of the retina; something you have, like a credit card or a flash drive; and something you know, like a password or an answer to a challenge question.
Difficult passwords take a security system down to two authentication factors from three, if that is how they are configured, or from two factors down to one, because users write them down. Something they know becomes something they have.
Security sweeps almost always find scraps of paper with passwords near workstations. When they don't find passwords in desk drawers or under mousepads, it may be a sign that users have learned their lesson: not the lesson of memorizing their passwords, of course, but rather the lesson of successfully hiding the slip of paper.
Most security breaches occur because of mistakes or malfeasance by inside employees, not outside hackers. By far, technical employees carry out the greatest number of deliberate attacks against IT systems and most of these are committed after employees are let go.
This means system-level or privileged passwords must be a special concern. Privileged passwords are attached to devices or software rather than to people, and they allow many people in the IT department to become administrators for servers or networks.
Because they allow people into the heart of an organization's IT system, privileged passwords call for special handling. Often, they are less well managed than ordinary users' passwords.
Perhaps the reasoning is that ordinaryB- employees never have anything to do with them, so the perceived risk is less. But any ordinary user can enter the words 'default' or 'administrator' and 'passwords' in a search engine and gather dozens of passwords with a high probability of getting them into hardware, software and processes running on their networks.
Creating and enforcing an appropriate password policy is the single most effective measure an organization can take, but all too often it simply motivates employees to circumvent the system.
Many IT managers are more comfortable managing technology rather than people; so the sooner a technological fix to the password problem comes along, the happier they will be. Users may hate passwords, but IT security managers hate them even more.
Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. He can be contacted at rbray@itworldcanada.com
Related content:
One entity, one identity
Making Secure Channel work
The quest for security: Mary Carman, CIO Industry Canada
Uninformed employees a grave security threat
icon.
