Wednesday, July 23, 2014

Two Factor Authentication Strength

Recent articles have suggested that password strength in some situations is not important. For instance, a recent Network World article asserted that the weakest and best-known password, “123456”, could have a place in an overall password strategy.

Another area where weak passwords are sometimes advocated is in combination with a two factor authentication (2FA) scheme. Two factor authentication combines two different pieces of information in order to establish access for a user. Typically, the two pieces come from two of three categories: something the user knows, something the user has, and something the user is. In the most common, widely used schemes, the two factors are something the user knows (either a password or a PIN) and something the user has (a magnetic card, a secure token, or a specific device).

Adding a second factor certainly increases the security of a system. One could argue that you could weaken the first factor to offset that gain if the original system was secure enough. Taken to the extreme, if the second factor was stronger than the first, you could make the first trivially easy and still be better off. In that case, you would essentially be using a single factor system, just with the stronger factor.

These are the questions that determine how much you can relax one factor by adding a second: how strong is the second factor, how resilient is the system, and how independent are the two factors? And, finally, how important is increasing the overall security of the system?

The classic two factor authentication system, a bank card and its associated PIN, works well. Both factors are strong. The card requires theft of a physical item to compromise it. The PIN (although only a 4-6 digit code) is usually strong because there is a lack of automated methods for attacking it — it requires manually entering codes over and over at a banking machine. Furthermore, limits on the number of wrong entries in a time period prevent effective brute forcing of the PIN. Such systems are typically resilient, because there are no other attack modes beyond actual use of the card.

However, the card system can be compromised by poor choices. For instance, selecting trivial PINs like 1234, 0000, or other easily determined information means that theft of the card is the only real attack required. Trivial PINs turn the two factor system into a one factor system, where possession of the card is the only barrier. Similarly, writing the PIN on the card so that the two factors are no longer independent (by compromising the card, you gain the PIN) also negates the benefits of the two factor system.
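The two properties the post credits the bank-card PIN with, a cap on wrong entries per time period and refusal of trivial PINs so the card never becomes the only factor, can be modelled in a few lines. The following is an added example written for this page, not Ohanae's code or any bank's; the attempt limit, window length, denylist and sample PINs are all assumed values chosen for illustration. The `guess_success_probability` helper makes the post's argument numeric: with a uniformly chosen 4-digit PIN and three tries per day, a thief holding the card has a 0.03% chance per window.

```python
"""Added example (not Ohanae's code): a second-factor PIN check that
(1) refuses trivial PINs at enrolment and (2) limits wrong entries per
time window, so a 4-6 digit PIN cannot be brute-forced by a card thief.
All policy values, names and sample PINs below are assumptions."""
import hashlib
import hmac
import os
import time

# Assumed policy values, not taken from the post.
MAX_ATTEMPTS = 3            # wrong entries tolerated inside one window
WINDOW_SECONDS = 24 * 3600  # lockout window
PIN_LENGTH = (4, 6)         # the post's "4-6 digit code"

# Constructed denylist: the trivial PINs the post names plus a few relatives.
COMMON_PINS = {"1234", "0000", "1111", "1212", "2580", "123456", "000000"}


def is_weak_pin(pin: str) -> bool:
    """True if the PIN is trivial: wrong length, non-digit, on the denylist,
    a single repeated digit, or a straight ascending/descending run."""
    if not pin.isdigit() or not (PIN_LENGTH[0] <= len(pin) <= PIN_LENGTH[1]):
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})  # e.g. 2345 or 9876


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen PIN database is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinVerifier:
    """Issuer-side record for one card: salted PIN hash plus the timestamps
    of recent wrong entries. The card locks once MAX_ATTEMPTS failures fall
    inside one WINDOW_SECONDS period. `clock` is injectable for testing."""

    def __init__(self, pin: str, clock=time.time):
        if is_weak_pin(pin):
            raise ValueError("trivial PIN refused at enrolment")
        self.salt = os.urandom(16)
        self.digest = hash_pin(pin, self.salt)
        self.clock = clock
        self.failures = []  # timestamps of wrong entries still in the window

    def _recent_failures(self) -> int:
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures = [t for t in self.failures if t > cutoff]
        return len(self.failures)

    def verify(self, pin: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'. The lockout is checked before
        the PIN, so a locked card gives no feedback about further guesses."""
        if self._recent_failures() >= MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, self.salt), self.digest):
            self.failures.clear()
            return "ok"
        self.failures.append(self.clock())
        return "wrong"


def guess_success_probability(pin_length: int, attempts: int) -> float:
    """Chance that someone holding the card guesses a uniformly chosen PIN
    within the allowed attempts: attempts / 10**pin_length."""
    return min(1.0, attempts / 10 ** pin_length)


if __name__ == "__main__":
    fake_now = [1_000_000.0]
    card = PinVerifier("4719", clock=lambda: fake_now[0])  # constructed PIN
    for guess in ("0000", "1111", "2222", "4719"):
        print(guess, card.verify(guess))  # third wrong guess locks the card
    fake_now[0] += WINDOW_SECONDS + 1
    print("after window:", card.verify("4719"))
    print("P(guess 4-digit PIN in 3 tries) =", guess_success_probability(4, 3))
```

The ordering inside `verify` matters: the lockout test runs before the hash comparison, so a locked card leaks nothing about later guesses, and the counter only resets on a correct entry. Remove either the denylist or the attempt limit and the arithmetic in `guess_success_probability` stops protecting you, which is the post's point about trivial PINs.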

The final question is how important is increasing the overall security of the system. At Ohanae, we feel that passwords should always be strong, secure, and unique. If you need a password, then you want the best — whether it’s to secure less important websites, or as one piece of a multi-factor authentication scheme. Password compromise inevitably leads to information that can make secondary identity attacks easier and more successful. Your identity, accounts, and data integrity rest on preventing all attacks, and a weak password can be the proverbial weakest link that unravels the strongest chain of protection.

Ohanae’s cloud privacy protection solution gives users on all their devices the ability to quickly and easily use strong, secure, unique passwords on each website and application they use.
