Building blocks to security: Passwords -- the first line of defense

May 9, 2001, 02:22 PM —  Unix Insider — 

Passwords -- the first line of defense and the oldest form of security on Unix systems -- might seem a very tired topic. You might even think there would be nothing left to say about passwords, but, even today, people are making the same basic mistakes -- choosing obvious passwords, writing passwords down, or sharing passwords -- that they were making 10 years or more ago. When even a systems administrator is likely to set a user's password to "password", whether by intention or because the user has requested it, one has to wonder how much our new awareness of the importance of system security has actually changed day-to-day operations.

Even if user password choices are much the same as they were 10 years ago, however, two dramatic changes have taken place. For one, the number of passwords and other secret codes that each of us has to remember has increased dramatically. Given online banking, online bill paying, access codes for voicemail and unlocking cell phones, secret codes for ATMs, passwords for logging in to Websites, and security codes for offices and maybe even homes, the fact is that we are reaching the point at which we simply have too many secret codes to remember without some kind of crutch, whether it be paper or something else altogether. We run the risk of being locked out of our various accounts and maybe even our homes and offices by an excess of secret codes. If we set all of our passwords the same or write them down to compensate, we introduce risks of another kind.

The second change that has occurred -- the increasing use of security tools -- is a boon to security. Usage of tools -- such as personal firewalls, VPNs, and ssh -- that limit password and data exposure has roughly paralleled the growth of telecommuting. Telecommuters can now securely log in to work systems and update program and data files without fear that they are risking their company's code or Internet presence.

Balancing these two changes -- the password explosion and the general availability of security tools -- against each other, where do we stand with respect to the vulnerability of passwords today? Before we answer this question, let's review why passwords are vulnerable in the first place.

Basic authentication

In the simplest and most common form of authentication (the process of verifying the identity of an individual), only the user's login name and password are used. The assumption is, of course, that only the intended user knows the password. Since the username is effectively public (i.e., it is almost always also the user's email address and is printed on business cards), the secrecy of the password is the only thing that stands between an impostor and the user's files.
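As an added illustration of the two points above (the login-name-plus-password check, and the "password" set to "password" problem from the introduction), here is a small Python model of how a Unix-style system verifies a password without ever storing it. This is example code written for this page, not code from Unix Insider or from any real login program; the password store, the policy function and the short list of obvious passwords are constructed for the example, and the PBKDF2 parameters are illustrative rather than a recommendation for any particular system.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed list of obvious choices for the example; a real deployment
# would screen against a far larger dictionary of known-bad passwords.
OBVIOUS_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 200_000   # illustrative work factor
SALT_BYTES = 16
MIN_LENGTH = 12               # illustrative policy minimum


def check_password_policy(username: str, password: str) -> Optional[str]:
    """Return a reason string if the password is unacceptable, else None."""
    if len(password) < MIN_LENGTH:
        return "password is shorter than %d characters" % MIN_LENGTH
    if password.lower() in OBVIOUS_PASSWORDS:
        return "password is on the obvious-choice list"
    if username.lower() in password.lower():
        return "password contains the login name"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; only (salt, digest) is stored, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Minimal stand-in for a shadow-style credential file (hypothetical)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        reason = check_password_policy(username, password)
        if reason is not None:
            raise ValueError("rejected password for %s: %s" % (username, reason))
        self._records[username] = hash_password(password)

    def stored_digest(self, username: str) -> bytes:
        return self._records[username][1]

    def authenticate(self, username: str, password: str) -> bool:
        """The whole check: the login name selects a record, the password must match it."""
        record = self._records.get(username)
        if record is None:
            # Do the same amount of hashing work for an unknown user so that
            # response time does not reveal which login names exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison so a near-miss does not leak through timing.
        return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct horse battery staple")
    print("alice, right password:", store.authenticate("alice", "correct horse battery staple"))
    print("alice, wrong case:    ", store.authenticate("alice", "Correct Horse Battery Staple"))
    print("unknown user:         ", store.authenticate("bob", "correct horse battery staple"))
    print("policy on 'password': ", check_password_policy("carol", "password"))
```

Two things the code shows that the paragraph alone does not: the username only selects which record is checked, so everything rests on the password comparison, and because each record carries its own random salt, two users who chose the same password still get different stored digests, which is why the store can refuse to reveal anything about one user's password from another's.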
