February 7, 2007

RSA: What's your secret password?

Posted by Benjamin J. Romano at 11:49 AM

SAN FRANCISCO -- Look around your computer. Chances are good there's a yellow sticky note somewhere with a password on it, especially if it's a long, complex password with numbers and letters and maybe symbols -- the kind that's typically assumed to be harder to crack or guess.

But that sticky note represents a greater risk to your company than the code-cracking attack that the long passwords are designed to defeat in the first place, said Dan Houser, principal architect for security at Huntington National Bank.

"The longer, more complex you make a password, the more likely it is the user will write it down," he said to an audience of information security professionals at the RSA Conference here.

A password breach is more likely to occur through disclosure -- with someone looking at the sticky note or "shoulder surfing" as the user enters the password -- than through code cracking, he said.

Therein lies the rub.

He said 10 percent of users will write down their passwords no matter what.

"That doesn't mean they're sticking them on their forehead. They might be actually putting them in a locked file cabinet, but 10 percent of them are probably violating policy at any given moment and writing down their passwords," he said.

Another 45 percent never write them down. And the remaining 45 percent are more likely to write them down as they grow in complexity.

"Controls to prevent password cracking and guessing have an inverse relationship [to] disclosure, which is why there's a problem here," he said. "It's in the wet ware" -- as in software, hardware and you, the wet ware.

Houser's solution: simple, six-character passwords that the user can remember without writing down. He suggests acronyms instead of common words or sports teams that can be quickly found by dictionary programs.

Still, would-be password thieves lurk in every corner.

In a keynote speech yesterday, RSA executive Art Coviello complimented Bill Gates for his performance in leading the industry on this issue during a nationally televised interview last week.

Coviello showed a clip from Gates' appearance on "The Daily Show with Jon Stewart" in which Stewart asked Gates point-blank for his password.

"You don't have to answer that," Stewart said. "Is it Gates?"

Then he snooped some more.

"Do you have pets? ... Did you ever have a pet when you were young? ... What was the pet's name?"
