Home Security Are you doing passwords properly?

It's time to review your password rules, according to Ping Identity senior technical architect Sarah Squire.

Password best practices have changed, said Squire. The current guidance is that systems should allow users to specify passwords that are as long as they want, with no requirement to use or avoid particular groups of characters (eg, "between eight and 14 characters, with at least one upper case letter and at least one digit" is out).

The reason is that this maximises the set of possible passwords – setting a maximum and minimum length along with character mandates reduces the space that an attacker needs to search.

This relatively new guidance is not widely known or used in the private sector, she observed.

Squire also advises against the use of "secret questions" for account recovery. Thanks to social media and other sources of information, the answers can often be determined by attackers. (And there's much the same re-use problem as there is with passwords – if a system has been breached, the name of your first pet or whatever can no longer be considered a secret.)

Furthermore, it can be hard to remember exactly how you entered a particular answer (Fido or fido?), and deliberately false answers are even harder to remember, especially as the first time you're asked the secret question could be five years after you created the account.

She favours email-based account recovery, but thinks email providers should have systems in place to warn organisations when the address they use to contact a customer has been compromised.

Squire also noted that a growing number of people are using identity services such as a Google login rather than having a separate account with each site or service. "Some people are afraid of that... I actually think it is a good thing" because those providers do a good job of security, usually better than smaller organisations manage."

But you do need to use a strong password and two-factor authentication, she warned.

Looking ahead, the number of times you need to enter your password is likely to drop significantly, suggested Squire.

She expects "behavioural biometrics" to become the norm within three to five years. The idea is to identify individuals by the way they hold their phone, for example, or the hours they work. Other characteristics that have been proposed include gait (walking pattern) and typing rhythms and speeds.

Passwords could be requested if the user tries to do something unusual. Buying a low-cost item online and having it shipped to your home address wouldn't be unusual, but having an expensive purchase shipped to an address in another country probably is – at least until the system has worked out that each year you send a generous birthday present to a particular relative who lives overseas.

This type of approach probably won't work for shared devices, especially in a business context, she conceded.


With 50+ Speakers, 300+ senior data and analytics executives, over 3 exciting days you will indulge in all things data and analytics before leaving with strategic takeaways that will catapult you ahead on your journey

· CDAO Sydney is designed to bring together senior executives in data and analytics from progressive organisations
· Improve operations and services
· Future proof your organisation in this rapidly changing technological landscape
· CDAO Sydney 2-4 April 2019
· Don’t miss out! Register Today!
· Want to find out more? Download the Agenda



Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


Popular News




Sponsored News