Welcome to the SecAware blog


21 Oct 2010

Complex passwords - easy peasy

Thanks to someone on CISSPforum, here's a gift idea for busy, well-connected friends on your holiday list - a password directory:
"There are user IDs and passwords to remember everywhere you turn. There are codes and passwords for a variety of Web sites, bank accounts, frequent traveler programs and voicemail systems. It's tough to keep track of them all! Our Password Directory can help. It's alphabetically organized to log the user name, password or a password hint for any number of applications. It's a thoughtful gift for the busy, well-connected friends on your holiday list."  
Unbelievable! Well, actually it's entirely credible. Worryingly, there probably is a market for products like this, at least among the clueless buying gifts for the security unaware.

I'm puzzled by the evident lack of general interest in, or uptake of, secure 'password vault' programs, which neatly solve the most awkward and annoying aspects of the password problem. Not only do password vaults store passwords securely (the best using strong encryption such as AES, and insisting on a good master password from which the encryption key needed to unlock the vault is derived) and recall them automatically when the user returns to a password-protected web page, they also offer to generate ridiculously long, complex passwords for those enlightened websites that don't hamstring the user with stupid rules such as an 8-character maximum. Speaking personally, there's NO WAY I could remember my current crop of ~150 strong passwords without a vault. To be honest, I'd struggle to recall even a handful, forcing me either to use short/weak passwords or to re-use a few passwords on multiple sites, both of which significantly weaken the value of passwords as authentication mechanisms.
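To make the two vault mechanisms above concrete, here is a small added example (my own illustration, not code from any vault product): it derives a vault key from a master password with PBKDF2-HMAC-SHA256 over a random per-vault salt, refuses a weak master password, generates passwords from the OS random source, and shows how many bits of entropy an 8-character maximum throws away compared with a long generated password. The 94-symbol character set, the 12-character minimum and the iteration count are assumptions for the example.

```python
import hashlib
import math
import secrets
import string

# Assumed character set for generated passwords: letters, digits and symbols (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive the 256-bit key that unlocks the vault from the user's master password.

    PBKDF2-HMAC-SHA256 over a per-vault random salt; the key is never stored, so the
    vault can only be opened by someone who knows the master password. The 12-character
    minimum stands in for the 'insist on a good user password' rule.
    """
    if len(master_password) < 12:
        raise ValueError("master password too short: the vault is only as strong as this secret")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Generate a password with the OS CSPRNG (secrets), drawing one symbol uniformly per position."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # constructed per-vault salt, stored beside the encrypted vault
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    # An 8-character site maximum versus what a vault would happily generate.
    for n in (8, 24):
        pw = generate_password(n)
        print(f"{n:2d} chars: {pw}  (~{entropy_bits(n, len(ALPHABET)):.0f} bits)")
```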

It's not as if there's any shortage of password vault programs Out There ... but before you choose one, just remember that you are entrusting it with the keys to your virtual identity, so be extremely careful to check out the supplier's trustworthiness and the product's security.

And if that's too hard for you, perhaps that Password Directory is just up your street.
