Not again. Yes, again. Randall Stross is beating the password drum again … and again … and again. I thought that he had put the matter to rest (see my November 24, 2008 column “Passwords – Déjà Vu All Over Again” and my October 4, 2010 column “Passwords … Here We Go Again, Again”). But no! Mr. Stross is back on the password track in his Digital Domain article in the Business Section of the Sunday, June 12, 2011 New York Times, under the title “Guard That Password (and Make Sure It’s Encrypted).”
First off, all this discussion of strong passwords is nonsense. Once you get past the top couple of dozen most popular passwords, you have pretty much addressed the online password-guessing ploy, as I discuss in my article in The ISSA Journal of May 2005 (yes, six years ago), “The Demise of Passwords: Have Rumors Been Exaggerated?” Then, if the hacker gets hold of the password file (which in practice holds hashes of the passwords, not encrypted copies of them), it generally takes only a few hours to crack the least complex ones … they don’t have to crack them all. Yes, it could take a week or so to crack all of them, but a few hundred thousand per million will probably do it for most thieves. How quickly those first few hundred thousand fall depends on how the site stored them: an unsalted, fast hash lets the thief test each guess once against every account at the same time, while a salted, deliberately slow hash forces one costly computation per guess per account. Either way, the popular passwords fall first.
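As an added example (not from the column or from Mr. Stross’s article), here is a toy offline dictionary attack in Python against a constructed “leaked” password file. It goes slightly beyond the paragraph above: it shows that a short list of the most popular passwords recovers most of the file in one pass, and it counts the hash operations the thief needs under two storage schemes, an unsalted SHA-256 and a salted PBKDF2 (the user names, passwords, guess list and 10,000-iteration work factor are all assumptions made up for the demonstration).

```python
"""Offline dictionary attack against a leaked password file (added example).

All users, passwords and guesses below are constructed for illustration;
they are not taken from any real breach or wordlist.
"""
import hashlib
import os

# Constructed sample: ten users, eight of whom picked a popular password.
USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "qwerty",
    "dave": "letmein",
    "erin": "iloveyou",
    "frank": "monkey",
    "grace": "dragon",
    "heidi": "football",
    "ivan": "Tr0ub4dor&3!x",
    "judy": "correct-horse-battery-staple-2011",
}

# Constructed stand-in for the thief's "top passwords" wordlist.
TOP_GUESSES = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "dragon", "111111", "iloveyou",
    "football", "sunshine", "princess", "welcome", "admin",
]

PBKDF2_ITERATIONS = 10_000  # assumed work factor; real deployments use more


def store_unsalted_sha256(password: str) -> dict:
    """Weak scheme: one fast, unsalted hash per password."""
    return {"salt": b"", "digest": hashlib.sha256(password.encode()).hexdigest()}


def store_salted_pbkdf2(password: str) -> dict:
    """Better scheme: a per-user random salt plus an iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest.hex()}


def build_password_file(store) -> dict:
    """Simulate what the thief steals: a map of user -> stored record."""
    return {user: store(pw) for user, pw in USERS.items()}


def crack_unsalted(password_file: dict, guesses: list) -> tuple:
    """Unsalted: hash each guess ONCE and look it up against every account."""
    by_digest = {}
    for user, rec in password_file.items():
        by_digest.setdefault(rec["digest"], []).append(user)
    cracked, hash_ops = {}, 0
    for guess in guesses:
        hash_ops += 1
        d = hashlib.sha256(guess.encode()).hexdigest()
        for user in by_digest.get(d, []):
            cracked[user] = guess
    return cracked, hash_ops


def crack_salted(password_file: dict, guesses: list) -> tuple:
    """Salted: the thief must redo the slow hash for every (account, guess) pair."""
    cracked, hash_ops = {}, 0
    for user, rec in password_file.items():
        for guess in guesses:
            hash_ops += 1
            d = hashlib.pbkdf2_hmac(
                "sha256", guess.encode(), rec["salt"], PBKDF2_ITERATIONS
            ).hex()
            if d == rec["digest"]:
                cracked[user] = guess
                break  # this account is done; move on to the next one
    return cracked, hash_ops


def coverage(cracked: dict) -> float:
    """Fraction of accounts recovered: the thief's real success metric."""
    return len(cracked) / len(USERS)


if __name__ == "__main__":
    for name, store, crack in (
        ("unsalted sha256", store_unsalted_sha256, crack_unsalted),
        ("salted pbkdf2", store_salted_pbkdf2, crack_salted),
    ):
        got, ops = crack(build_password_file(store), TOP_GUESSES)
        print(f"{name:16s}: {len(got)}/{len(USERS)} cracked "
              f"({coverage(got):.0%}) with {ops} hash operations")
```

Both schemes give up the same eight weak accounts; what the salt and iteration count change is the price of each guess, and the two users who chose unusual passwords survive the wordlist under either scheme.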
Secondly, even the most complex passwords are subject to phishing, keylogging and other methods for obtaining passwords from their source … you … whether you encrypt them or not.
So what’s the point? The point is that you can expect that your usernames and passwords will be stolen in some way or another. So you should behave according to that premise. If you transact, particularly (but not only) online, using bank accounts, payment cards, etc., you need to check the items on your statements. In other cases, the best policy is not to place sensitive information into the system. Of course, this is not always possible, but it is a reasonable rule to keep in mind. And how about limiting the amount of sensitive data allowed in any one system? Does each salesperson have to keep the company’s entire customer list on his or her tablet? More than likely the answer is “no.” So don’t allow it. Prevent it from happening. Then a compromise of any single tablet or laptop will result in less exposure. It’s the old convenience vs. security argument, where convenience seems to win far more often than it should.