
The key to data security.


OVER 30 YEARS HAVE PASSED since the business world turned to the computer for data entry, storage, and retrieval. Security has evolved from simply locking the office door at night to state-of-the-art software security systems and hardware enhancements. Manufacturers hail their products as superior to all others. Standard features may include one-way encryption, Data Encryption Standard algorithm secrecy, and violation detection reporting. What these manufacturers cannot provide protection against, however, is the individual user. No matter how safe the system security package, no matter how stringent the guarantee of confidentiality - no manufacturer can determine how careful a customer's employees are going to be with their passwords.

Passwords are the crux of a system's security package. To log onto a system, the user must supply a valid log-on identification and password. Although the identifications rarely change, the password must be changed periodically to give the system some semblance of integrity. The average life of a password is 30 days, though some companies allow longer periods between changes, and a few impose no time constraints at all. It is this time span that is supposed to keep intruders from breaking the security of the system.

Security personnel tell system users that passwords are to be kept secret and that certain words are not to be used as passwords. However, people are apt to choose passwords that relate directly to themselves or to their lifestyles. It is only logical to think of something that is easy to remember rather than some nonword combination of characters. Yet it is easy enough to ask system users some simple questions about their lives and what they enjoy in their off-hours and then deduce their passwords. Ask the following questions of the people who access the computer system:

* What is your spouse's name?

* What are your children's names?

* What is your family pet, and what is its name?

* What are your grandchildren's names?

* What is your nickname?

* What is your favorite sport or hobby?

These six questions may net several possibilities for passwords.

Married women tend to use their husband's name as a password first, usually followed by children's names or pets' names. Interestingly, men usually use their children's names first, then their pets' names, and then their wives' names. Single people's passwords may be a bit more difficult but just as predictable. Women usually start with their partner's name, then their pets' names, and lastly they may turn to their siblings' names. Single men prefer to use terms from their sports or hobbies but will use their partner's name.

Many companies use a password history file to prevent a user from repeating his or her password and thus feel they have a fail-safe system. However, if the company uses a password history file of this sort, most users will employ a set rotation of passwords. For instance, if the password generation is two - meaning two other passwords must be used before the original will again be accepted - users will have three set passwords. Because of the password history file, the passwords will of course be used in a set order. If the passwords are known and must be changed every 30 days, anyone can determine what password will be used in which month.
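The rotation problem can be seen directly in a small model of a password history file. The following is an added example, not code from the original article: it keeps the last "generation" passwords for a user (the current one included), rejects any of them on a change, shows that a user with generation + 1 fixed passwords is never refused, and adds the audit-side check a security administrator would actually want, a detector for the repeating cycle. The password values are constructed; a real system would store and compare hashes rather than plaintext.

```python
"""Model of a password history file with a configurable generation depth,
plus a detector for the fixed rotation that such a file invites.
Added example; password values are constructed, not from the article."""

from collections import deque
from typing import List, Optional, Tuple


class PasswordHistory:
    """Remember the most recent `generation` passwords for one user
    (current password included) and refuse any of them as a new password.
    With generation == 2, two other passwords must be used before the
    original is accepted again, exactly as the article describes."""

    def __init__(self, generation: int):
        self.recent = deque(maxlen=generation)

    @property
    def current(self) -> Optional[str]:
        return self.recent[-1] if self.recent else None

    def change(self, new_password: str) -> bool:
        """Return True and record the change if the password is not among
        the remembered ones; return False (change refused) otherwise."""
        if new_password in self.recent:
            return False
        self.recent.append(new_password)
        return True


def simulate_rotation(generation: int, rotation: List[str],
                      months: int) -> Tuple[List[str], int]:
    """Change the password once a month, cycling through `rotation` in a
    fixed order.  Returns the password in use each month and how many
    change attempts the history file refused."""
    history = PasswordHistory(generation)
    in_use, refused = [], 0
    for month in range(months):
        candidate = rotation[month % len(rotation)]
        if not history.change(candidate):
            refused += 1          # refused: the old password stays in use
        in_use.append(history.current)
    return in_use, refused


def detect_rotation(changes: List[str], lookback: int = 12) -> Optional[int]:
    """Audit check over a user's last `lookback` password choices: return
    the length of the shortest cycle they repeat, or None if no cycle.
    A result of generation + 1 is the signature of a set rotation."""
    window = changes[-lookback:]
    for period in range(1, len(window) // 2 + 1):
        if all(window[i] == window[i + period]
               for i in range(len(window) - period)):
            return period
    return None


if __name__ == "__main__":
    # Generation of two: three fixed passwords are never refused, and the
    # audit sees a period-3 cycle, so the password for any month is known.
    used, refused = simulate_rotation(2, ["alpha", "bravo", "charlie"], 12)
    print(used, "refused:", refused, "cycle:", detect_rotation(used))
```

Raising the generation only lengthens the cycle a determined user settles into; the detector above is what turns the history file from a checkbox into a signal that awareness training is needed for that user.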

Some computer users think they do not fall into the categories mentioned above and use passwords such as ABCDEFG, ASDFGHJ, XXXXXXX, or 1234567 instead. These people have fallen into a pattern as well; they just do not believe anyone will figure it out.

One other method of finding a person's password is usually the easiest to accomplish - simply asking him or her for it. Without even thinking, most users will give their password over the telephone because they have gotten their own accounts suspended from the system. Sometimes it is enough to enter a work cubicle, open the center desk drawer, and find the piece of paper with the user's log-on identification and password on it.

If the security industry is to ensure the integrity of computer systems, security awareness programs must be supplemented with tips on creating passwords that will better protect both stored data and passwords themselves. It is essential to devise methods that enable users to create memorable passwords without falling into set patterns of words.

Most experts recommend the following about passwords:

* Never use real words or names.

* Never use a password with the same letter twice in a row - for example, BOOK.

* Never use a password that can be related directly to a specific person.

* Never make a password less than six characters long.

* Never give your password to anyone else.

These are tips that, while logical and practical, may intimidate some users. Perhaps a compromise would be to have system users practice the following:

* Do not use names of friends or relatives. Use names of people in the news - but no favorite performers!

* Do not repeat the same letters in a word, even if the password is a real word.

* Do not make passwords less than seven characters long.

* Do not write passwords down or give them to anyone.

* Do not use a set pattern of rotating passwords.
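Most of these rules can be enforced at the moment a user picks a password, which is far more effective than asking people to remember them. Below is an added example, not the article's own code, of a checker for the compromise rules above: a minimum of seven characters, no letter used twice in the word, no real word or known name (with or without digits tacked on the end), and no run of sequential characters, which also catches the ABCDEFG, ASDFGHJ, XXXXXXX, and 1234567 passwords mentioned earlier. The denylist is a constructed stand-in for a real dictionary plus the names a user would be asked about (spouse, children, pets, nickname); rule names and the minimum length are this example's choices.

```python
"""Checker for the password-selection rules discussed in the article.
Added example; the denylist and sample passwords are constructed."""

import string
from typing import List

# Constructed stand-in for a dictionary plus the names known to be
# associated with the user (spouse, children, pets, nickname).  A
# deployment would load a real word list and per-user names here.
DENYLIST = {"book", "password", "secret", "michael", "jennifer",
            "rover", "fluffy"}

ALPHABET = string.ascii_lowercase
DIGITS = string.digits
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 7          # the compromise rule; the stricter expert rule is 6
RUN_LENGTH = 4          # how many in-order characters count as a run

# Rule names returned by check_password (example's own labels).
TOO_SHORT = "shorter than the minimum length"
KNOWN_WORD = "real word or known name (possibly with digits appended)"
REPEATED = "repeats a character (as in BOOK or XXXXXXX)"
SEQUENCE = "run of sequential characters (alphabet, keyboard row, or digits)"


def has_run(sequence: str, candidate: str, run: int = RUN_LENGTH) -> bool:
    """True if any `run` consecutive characters of `candidate` appear, in
    order, inside `sequence` or its reverse (abcd, dcba, asdf, 1234...)."""
    forward, backward = sequence, sequence[::-1]
    for i in range(len(candidate) - run + 1):
        chunk = candidate[i:i + run]
        if chunk in forward or chunk in backward:
            return True
    return False


def check_password(password: str) -> List[str]:
    """Return the rules the password violates; an empty list means accepted."""
    problems = []
    p = password.lower()
    if len(p) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    # "fluffy" and "fluffy1" are the same password to anyone who knows the pet.
    if p in DENYLIST or p.rstrip(DIGITS) in DENYLIST:
        problems.append(KNOWN_WORD)
    # Compromise rule: no character used twice anywhere in the word.
    if len(set(p)) < len(p):
        problems.append(REPEATED)
    if any(has_run(seq, p) for seq in (ALPHABET, DIGITS) + KEYBOARD_ROWS):
        problems.append(SEQUENCE)
    return problems


if __name__ == "__main__":
    # Constructed samples: the article's pattern passwords plus a
    # "name in the news" style choice that the rules accept.
    for sample in ("ABCDEFG", "ASDFGHJ", "XXXXXXX", "1234567",
                   "BOOK", "rover1989", "Gorbachev"):
        verdict = check_password(sample)
        print(f"{sample:10} -> {'accepted' if not verdict else verdict}")
```

The check is deliberately strict about repeated characters because the compromise rule is; if a site adopts the experts' looser rule instead (only doubled letters, as in BOOK), replace the set-size test with a comparison of each character against its neighbour.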

Security awareness by employees regarding password integrity is vital. They must realize that not only data they have worked on but also system data files could be in jeopardy. Security awareness programs must begin to address this common problem to make all users rethink their habits about memory jogging. No system, no matter how secure, can withstand the attack of the individual users and their common password procedures.

About the Author . . . Darlene M. Tester is the security system administrator for HEMAR Service Corporation of America in St. Paul, MN. She is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation: passwords
Author: Tester, Darlene M.
Publication: Security Management
Date: Sep 1, 1989