Passwords
Unlike many people I know, and indeed by all accounts "the average computer user", I actually use a lot of different passwords. I know passwords are a pain to remember, especially when not used very often; indeed, until recently I could barely remember my home phone number because I really don't use it that often. In today's web world even average surfers find themselves interacting with dozens of websites and applications that require both a username and a password. Even if you can come up with a secure and memorable password, there is never any guarantee that the username you want to use is available at any given site.
The reason I don't use a single username and password combination is that I really don't trust websites to manage the security of my password. Ask yourself: does every website pay full attention to the security of its network and machines, and vet all of its staff for suitability to handle your password information? If you use the same username and password at every site then it doesn't matter what the site is: your username and password are blown the moment someone at that site, or some external attacker, gets into the system. The attacker extracts the usernames and passwords from the database and tries them at dozens of online banks, brokerages and shopping sites (what is now called credential stuffing). Eventually they will try your username and password at your bank, your brokerage and your favorite shop, and the rest, as they say, is history.
Personally I try to maintain tiers of passwords. I have one reasonably simple password for sites where I don't really care if the account is compromised. For sites that I do trust, but would care about if they were hacked, I have several different very secure passwords. For systems that might give access to my home network or its resources (mail accounts, for instance) I have different high-security passwords, and for internal passwords I maintain medium-security ones, except for administrator accounts.
The big problem is that I end up with reams of passwords, and if it's not a site I use all the time then it becomes very easy to forget them. The solution I use is the freeware application PINS, which securely stores all my passwords. It encrypts the store with Blowfish using a 448-bit key, has password generators and keyboard-snooping countermeasures, and does its best to minimize the time that cleartext passwords are actually in memory or on the screen. Assuming your passwords are cut and pasted directly into a trusted browser and then sent over an SSL connection, that's about the best you can do; the remaining weak points are the clipboard, which any other process on the machine can read, and the master password that unlocks the store.
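To make concrete what a store like this actually has to get right, here is an added example in Go. It is my own illustration, not PINS's code, and it deliberately swaps in constructions I can write from the standard library: PBKDF2-HMAC-SHA256 to stretch the master password (PINS used Blowfish; the iteration count, salt size and the AES-256-GCM cipher are my assumptions, not the product's), a generator that draws characters from the OS random source without modulo bias, and authenticated encryption so that a wrong master password or a tampered record is rejected instead of quietly returning garbage. The master passphrase and site names are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// Assumed parameters for this illustration (not PINS's own).
const (
	kdfIterations = 100_000 // slows offline guessing of the master password
	keyLen        = 32      // AES-256
	saltLen       = 16
	alphabet      = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF:
// T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	mac := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Entry is one vault record as it would sit on disk: salt and nonce in the
// clear, the password itself only as authenticated ciphertext.
type Entry struct {
	Site       string
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(master, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(master, salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one site password under the master password. The site name is
// bound as associated data so a record cannot be silently re-labelled.
func Seal(master []byte, site, password string) (*Entry, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, []byte(password), []byte(site))
	return &Entry{Site: site, Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the password; a wrong master password or any modification of
// the record fails the GCM tag check and returns an error.
func Open(master []byte, e *Entry) (string, error) {
	aead, err := newAEAD(master, e.Salt)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.Site))
	if err != nil {
		return "", errors.New("vault: wrong master password or corrupted entry")
	}
	return string(pt), nil
}

// GeneratePassword draws n characters uniformly from alphabet using the OS
// CSPRNG; rand.Int avoids the modulo bias of `randomByte % len(alphabet)`.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		k, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[k.Int64()]
	}
	return string(out), nil
}

func main() {
	master := []byte("a long master passphrase only I know") // constructed sample
	pw, _ := GeneratePassword(20)
	e, err := Seal(master, "bank.example", pw)
	if err != nil {
		panic(err)
	}
	got, err := Open(master, e)
	fmt.Printf("generated %q, recovered %q, err=%v\n", pw, got, err)
	_, err = Open([]byte("wrong"), e)
	fmt.Println("wrong master:", err)
}
```

The point of the design is that everything sitting on disk (salt, nonce, ciphertext, site name) is safe to lose; the only secret is the master passphrase, which is exactly why the next paragraph's worry about people choosing weak ones matters. A fresh random salt per entry also means two entries with the same password produce unrelated ciphertexts, so a thief with the file learns nothing about which sites share a password.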
Yes, I agree it's better to just remember all your passwords, but the reality is that when forced to do so most people will end up compromising password length and complexity, and hence security. Or they may even do something dumb like writing all their passwords down on a piece of paper in their wallet or in the top drawer at work. Isn't that the way it always is in the movies? Personally I'd rather take a calculated risk with the passwords being stored on my own system, where I know a lot more about its security, than use weak ones or a single password and put all my trust in other people's sites.
Products like the M500 from MetaPass may be a good solution for some people, but if they are carrying around all their passwords on their keychain, let's hope they choose a really good master password to lock all the other passwords, and that they really can memorize it. Another problem with this product is that it assumes you can get to a USB port on every machine you want to use. What if you're in a web cafe and want to do some online banking and there is no accessible USB port? That's quite often the case, because an open USB port is an easy way for an errant user to plug in a rogue device and hack the machine, or damage it electrically.
If you can carry your own device around with you at all times then that offers better security. I have a friend who just got a Fujitsu Lifebook with a built-in thumbprint scanner, and very nice it is too. The scanner seems to work well enough and is integrated with the web browser and OS, so it can fill out passwords for him at the swipe of his right digit. Brilliant. But what if his thumbprint is compromised? If there was something really important on that laptop then any co-worker could use well-published techniques to lift a print from a coffee mug, a car door, even a toilet seat. Let's face it, people leave fingerprints all over the place! Once lifted, the attacker can create a replica of the print on a dummy finger that will fool the scanner, because the scanner can't tell a real finger from a copy: it's the print it's looking at. Even systems that attempt to determine whether a live finger is in use can be fooled. Granted, it takes more effort to do this than to furtively look over someone's shoulder while they type a password, or rifle through their files or drawers looking for password clues or lists. However, it is really not that hard to do, and easily within the reach of an average criminal, spouse or co-worker who goes looking for the information and tries it.
Once your fingerprint is compromised, then what do you do? Get a new hand grafted on? This is why I'm not particularly in favour of such biometric identification becoming commonplace in the everyday world. People will put too much trust in it and it will become too attractive as a single point of attack. Let's face it, if a bunch of hackers on the web can lift and fake fingerprints and fool standard scanners, then should you really trust your bank account, medical records, credit card info and life to such a technology? I didn't think so.
From my own point of view I would be willing to place a high degree of trust in a biometric system if it was tied to something that is guaranteed to be with the real me, and only with me. At the moment I've yet to hear what that is, other than a secret memory that I've never shared with anyone, never written down and never spoken. And if I never share it with anyone then how is it going to be useful as a password? Quite simply, it isn't. Until someone finds the equivalent of public-private key cryptography built into a human, it seems there will always be many, many compromises associated with security. In the meantime people can live with compromises; just think of our dependence on simple pieces of metal that are easily copied by relatively unskilled persons, easily lost, and work with a lock that is in any case relatively easily defeated or "worked around" forcibly if necessary. It's all a matter of the right amount of security applied appropriately to meet the expected level of risk.