Wednesday, August 10, 2011

Password Security - Summary

The idea of using a password is thousands of years old, but today it is most commonly associated with computer authentication. Passwords are kept secret and used to prove the identity of a user on a computer system. Today passwords are used more than at any other time in history. Almost every person in the United States has a password of some sort tied to a computer system. This includes new uses such as passwords associated with mobile technology.

Overwhelmed with passwords, many people fall victim to bad habits that weaken the security the passwords were intended to provide. Users often choose weak passwords because they are easier to remember, and they reuse passwords across multiple services. Services often fail to address these problems as well. Poor practices for password storage and site security allow malicious users to access password databases, putting all users of the service at risk.

The people trying to gain access to your passwords are better known as crackers. A cracker might use your password to access the site of origin, but often their motivation for stealing passwords is to gain access to other services. Crackers have a number of tools at their disposal for defeating modern password safety measures: rainbow tables, key loggers, man-in-the-middle attacks, and social engineering attacks such as phishing.

There are ways to protect users against many of these techniques. Services can follow best practices for storing passwords and authenticating users. Alternatives to passwords exist. Users can pick better passwords. Software can help users manage their passwords securely. Some effort is required, but users can combine both convenience and security.

Next time I will introduce passwords with some history and the concept of authentication.

Password Security - Foreword

Computer security is an important topic for me. While I don't consider myself to be an expert, and I know several people who are more committed to secure computing than I am, I am still very interested in the topic. I try to take a pragmatic approach to security where every decision I make considers risk, reward, and cost. In the last few years I have become increasingly concerned over my password security habits, and more so over the habits of others. So much so that when the opportunity arose I chose to study it and write at length about it.

Earlier this year I took a course in technical writing. The design of the course was fairly neat. Students had to pick the topic for their final paper at the beginning of the course. Each week students had to hand in a writing assignment related to this topic. At the end of the course the final paper largely consisted of the previous assignments with some additional content to glue it together. As you can guess, my topic was password security.

I was inspired by recent high profile hacks and password leaks, as well as my recent switch to using a cloud-based password manager. My report was based largely on these events, though the final version included fewer examples than I originally intended. It is, to some extent, an elevator pitch to attempt to convince others that there is a real danger in insecure password practices.

Of course, a pitch that is never presented has no chance of success. To date, probably only four or five people have read my paper, and at least one of those people learned nothing from it. So, in the spirit of both my efforts to contribute to the world via my school work and to help get the word out that these practices must stop, I will be splitting up my paper into several blog posts to share with anyone who will read it. I will attempt to add value to the paper where possible, such as links to reference articles and examples that I could not fit in the original.