Tuesday, 12 June 2018 09:50

Are you doing passwords properly?


It's time to review your password rules, according to Ping Identity senior technical architect Sarah Squire.

Password best practices have changed, said Squire. The current guidance is that systems should allow users to specify passwords that are as long as they want, with no requirement to use or avoid particular groups of characters (e.g. "between eight and 14 characters, with at least one upper case letter and at least one digit" is out).

The reason is that this maximises the set of possible passwords. A low maximum length and composition mandates both shrink the space an attacker needs to search: a rule such as "at least one upper case letter and one digit" tells the attacker which candidates to skip, and users tend to satisfy such rules in predictable ways. (A minimum length is a different matter: it only excludes passwords that would fall to brute force anyway, and is still recommended.)
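To make the search-space point concrete, here is an added example (not code from the article or from Ping Identity) that puts the retired composition rule beside a length-only policy and counts how much of the space an "upper case plus digit" mandate removes. The 95-character printable-ASCII alphabet, the 26/10 class sizes and the 256-character ceiling are assumptions of the example.

```python
"""Length-only password policy beside the retired composition rule, with the
search-space arithmetic behind the advice. Constructed example; the 95/26/10
alphabet sizes and the 256-character ceiling are assumptions."""

ALPHABET = 95   # printable ASCII, including space
UPPER = 26
DIGITS = 10


def candidates_with_mandates(length, alphabet=ALPHABET, upper=UPPER, digits=DIGITS):
    """Count passwords of exactly `length` characters that contain at least one
    upper-case letter AND at least one digit, by inclusion-exclusion."""
    total = alphabet ** length
    no_upper = (alphabet - upper) ** length
    no_digit = (alphabet - digits) ** length
    neither = (alphabet - upper - digits) ** length
    return total - no_upper - no_digit + neither


def mandate_fraction(length):
    """Share of the full `length`-character space that survives the mandate,
    i.e. the share an attacker who knows the rule still has to search."""
    return candidates_with_mandates(length) / ALPHABET ** length


def legacy_policy_ok(password):
    """The rule the guidance retires: 8 to 14 characters, at least one
    upper-case letter and at least one digit."""
    return (8 <= len(password) <= 14
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def modern_policy_ok(password, min_length=8, max_length=256):
    """Length is the only rule: no required or forbidden character classes,
    spaces and non-ASCII allowed. The ceiling is deliberately generous; it is
    there only so a multi-megabyte submission cannot tie up the password hash."""
    return min_length <= len(password) <= max_length


if __name__ == "__main__":
    for n in (8, 12, 14):
        print(f"{n} chars: the mandate leaves {mandate_fraction(n):.1%} of the space")
    for pw in ("Tr0ub4dor", "correct horse battery staple",
               "mi primer piso tenía goteras en el techo"):
        print(f"{pw!r}: legacy={legacy_policy_ok(pw)} modern={modern_policy_ok(pw)}")
```

For eight-character passwords the mandate discards just under half of the space before the attacker starts, and the legacy rule rejects the long passphrase the modern rule accepts. The arithmetic assumes a uniform attacker; in practice the damage is larger, because people satisfy composition rules in a handful of predictable ways.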

This relatively new guidance is not widely known or used in the private sector, she observed.

Squire also advises against the use of "secret questions" for account recovery. Thanks to social media and other sources of information, the answers can often be determined by attackers. (And there's much the same re-use problem as there is with passwords – if a system has been breached, the name of your first pet or whatever can no longer be considered a secret.)

Furthermore, it can be hard to remember exactly how you entered a particular answer (Fido or fido?), and deliberately false answers are even harder to remember, especially as the first time you're asked the secret question could be five years after you created the account.

She favours email-based account recovery, but thinks email providers should have systems in place to warn organisations when the address they use to contact a customer has been compromised.
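Email-based recovery is only as good as the link in the message. As an added example (not code from the article or from Ping Identity), the following shows the usual shape of a safe reset token: random, single-use, time-limited, stored only as a hash, and compared in constant time. The in-memory store stands in for a database table and the 15-minute lifetime is an assumption.

```python
"""Single-use, time-limited token for an email recovery link. Constructed
example: the in-memory store stands in for a database table, and the 15-minute
lifetime is an assumption."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


class ResetTokens:
    def __init__(self):
        # account -> (sha256 hex of token, expiry). Only the hash is kept, so a
        # copy of the table does not contain working reset links.
        self._pending = {}

    def issue(self, account, now=None):
        """Mint a token to embed in the recovery email sent to the registered
        address. The raw token is returned once and never stored; issuing a
        new one invalidates any earlier link for the same account."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[account] = (self._digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account, token, now=None):
        """Return True exactly once for a valid, unexpired token. The record is
        removed on success and on expiry, so a link cannot be replayed."""
        now = time.time() if now is None else now
        record = self._pending.get(account)
        if record is None:
            return False
        stored, expires_at = record
        if now > expires_at:
            del self._pending[account]
            return False
        # Constant-time comparison of the digests.
        if not hmac.compare_digest(stored, self._digest(token)):
            return False
        del self._pending[account]
        return True

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    store = ResetTokens()
    link_token = store.issue("alice@example.com")
    print("first use:", store.redeem("alice@example.com", link_token))
    print("replay:", store.redeem("alice@example.com", link_token))
```

The `now` parameter exists so expiry can be exercised deterministically; production code would let it default to the clock.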

Squire also noted that a growing number of people are using identity services such as a Google login rather than having a separate account with each site or service. "Some people are afraid of that... I actually think it is a good thing," she said, because those providers do a good job of security, usually better than smaller organisations manage.

But you do need to use a strong password and two-factor authentication, she warned.

Looking ahead, the number of times you need to enter your password is likely to drop significantly, suggested Squire.

She expects "behavioural biometrics" to become the norm within three to five years. The idea is to identify individuals by the way they hold their phone, for example, or the hours they work. Other characteristics that have been proposed include gait (walking pattern) and typing rhythms and speeds.

Passwords could be requested if the user tries to do something unusual. Buying a low-cost item online and having it shipped to your home address wouldn't be unusual, but having an expensive purchase shipped to an address in another country probably is – at least until the system has worked out that each year you send a generous birthday present to a particular relative who lives overseas.

This type of approach probably won't work for shared devices, especially in a business context, she conceded.
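The purchase scenario above is a risk-based step-up decision. As an added example (not code from the article or from Ping Identity), the following rule-based version asks for the password only when an order is both unusually expensive and going to an overseas address the customer has not used before, and stops asking once the same destination has recurred. The "five times the usual order" multiplier, the two-repeat learning threshold and the customer data are constructed assumptions of the example.

```python
"""Rule-based step-up decision for an online purchase: ask for the password
only when the transaction looks unusual for this customer. Constructed example;
the multiplier, the repeat threshold and the sample customer are assumptions."""
from dataclasses import dataclass, field

HIGH_VALUE_MULTIPLIER = 5   # "expensive" = at least 5x the customer's usual order
REPEAT_THRESHOLD = 2        # a destination used this often before counts as learned


@dataclass(frozen=True)
class Order:
    amount: float
    country: str
    address: str


@dataclass
class CustomerProfile:
    home_country: str
    home_address: str
    typical_amount: float                                   # e.g. median of past orders
    past_destinations: list = field(default_factory=list)   # (country, address) pairs


def destination_is_learned(profile, order):
    """True once the same overseas address has been used REPEAT_THRESHOLD times,
    e.g. the yearly birthday present to a relative abroad."""
    seen = sum(1 for dest in profile.past_destinations
               if dest == (order.country, order.address))
    return seen >= REPEAT_THRESHOLD


def risk_signals(profile, order):
    """Independent signals; each is tolerable on its own."""
    signals = []
    if order.amount >= HIGH_VALUE_MULTIPLIER * profile.typical_amount:
        signals.append("high_value")
    if order.country != profile.home_country and not destination_is_learned(profile, order):
        signals.append("unfamiliar_foreign_destination")
    return signals


def requires_password(profile, order):
    """Step up when the order is both expensive and going somewhere new."""
    signals = risk_signals(profile, order)
    return "high_value" in signals and "unfamiliar_foreign_destination" in signals


def record_order(profile, order):
    """After a completed (and, if needed, password-confirmed) order, remember
    the destination so repeat shipments become familiar."""
    profile.past_destinations.append((order.country, order.address))


if __name__ == "__main__":
    me = CustomerProfile("AU", "1 Example St, Sydney", typical_amount=40.0)
    gift = Order(600.0, "NZ", "12 Example Rd, Wellington")
    for year in (1, 2, 3):
        print(f"year {year}: password required = {requires_password(me, gift)}")
        record_order(me, gift)
```

Run stand-alone, the loop prints True for the first two years and False for the third, once the overseas address has been seen twice. A real deployment would replace the fixed multiplier with per-customer statistics and would need a different signal set on shared devices, where one profile no longer describes one person.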


Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
