The Prime Factors blog aims to provide useful commentary and observations on the data protection marketplace generally and the electronic payments space in particular. This is serious business: the pace of large-scale data breaches keeps accelerating, nations mount cyber-attacks on one another, and risks from insiders proliferate. Many of these threats trace back to a root cause involving user credentials, and particularly to the weakness of passwords and the habits users have for creating and protecting them. I ran across a novelty bit on YouTube recently that nails the password problem from the perspective of the informed end user, and it gave me a laugh along the way.
College Humor put up a video, "Rapper Who is Very Concerned with Password Security," which lightheartedly does a very good job of presenting a lot of the issues with passwords. It hits both the difficulty users have creating good passwords and the challenge we all have in actually keeping passwords private under the constant threat of video surveillance by anyone with a cell phone. Even if, like me, you prefer a bit more mud flaps in your music, these folks did a great job of making a serious point inside a fun bit.
Naked Security published a piece that bookends the video well, titled "Do We Really Need Strong Passwords?" Mark Stokley makes the point in the article that a password only needs to resist the number of guesses an attacker can realistically make. For online attacks, where every guess means actually trying to authenticate to a live system (and where the system can rate-limit, lock out, or alert), a password long and complex enough to require on the order of 10 to the sixth power (1,000,000) guesses is enough. Assuming the characters are chosen randomly, a password of reasonable length, with some chance of being remembered, can be sufficient.
However, when a password becomes subject to offline attack, such as when a password database has been siphoned off by hackers and the attacker can test guesses against the stolen hashes at hardware speed with no one watching, the required guess space grows by many orders of magnitude. By the article's figure, a password then needs to be strong enough to require 10 to the 14th power guesses, that is, one hundred trillion, to be reasonably secure. (How expensive each of those guesses is depends on how the site hashed the password: a deliberately slow, salted hash such as bcrypt or PBKDF2 buys users some margin; a plain MD5 or SHA-1 hash buys them almost none.) It is unlikely in the extreme that users can create or remember a genuinely random password of that size for every account they hold.
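To make the two thresholds concrete, here is a small calculator, added for this post and not taken from the Naked Security article or from any Prime Factors product, that works out the guess space of a randomly chosen password for several character sets and reports the shortest length that clears the online (10^6) and offline (10^14) figures quoted above. The character-set sizes, the guess rates used for the time estimates, and the category labels are my assumptions for illustration; the article itself only gives the two guess counts.

```python
import math
import secrets
import string

# Guess-count thresholds quoted from the Naked Security article.
ONLINE_GUESSES = 10**6    # attacker must talk to the live system for each guess
OFFLINE_GUESSES = 10**14  # attacker holds the hash database and guesses locally

# Assumed character sets (the article does not specify any); size = number of symbols.
ALPHABETS = {
    "digits": string.digits,                                  # 10
    "lowercase": string.ascii_lowercase,                      # 26
    "mixed alphanumeric": string.ascii_letters + string.digits,  # 62
    "printable ASCII": string.printable.strip(),              # 94 (no whitespace)
}

# Assumed guess rates, for the time estimates only: a throttled web login
# versus a GPU rig against a fast unsalted hash. Real numbers vary widely.
ONLINE_RATE = 10            # guesses per second
OFFLINE_RATE = 10**10       # guesses per second


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet.
    Exact integer arithmetic: no floating-point rounding near the thresholds."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, required_guesses: int) -> int:
    """Smallest length whose guess space is at least required_guesses.
    Loops on integers rather than using log() so that e.g. 10**14 over a
    10-symbol alphabet gives 14, not 15 from a rounding error."""
    length, space = 0, 1
    while space < required_guesses:
        length += 1
        space *= alphabet_size
    return length


def expected_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Expected time to hit a random password: on average half the space is searched."""
    return guess_space(alphabet_size, length) / 2 / rate


def classify(alphabet_size: int, length: int) -> str:
    """Label a policy by which of the article's thresholds it clears."""
    space = guess_space(alphabet_size, length)
    if space >= OFFLINE_GUESSES:
        return "resists offline attack"
    if space >= ONLINE_GUESSES:
        return "resists online attack only"
    return "weak even against online attack"


def random_password(alphabet: str, length: int) -> str:
    """A password actually drawn uniformly at random, the assumption the math rests on."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report() -> list[dict]:
    """Minimum lengths and expected crack times for each assumed alphabet."""
    rows = []
    for name, chars in ALPHABETS.items():
        n = len(chars)
        on_len = min_length(n, ONLINE_GUESSES)
        off_len = min_length(n, OFFLINE_GUESSES)
        rows.append({
            "alphabet": name,
            "size": n,
            "online_min_len": on_len,
            "offline_min_len": off_len,
            "bits_at_offline_len": round(entropy_bits(n, off_len), 1),
            # How long the *online* minimum holds up once the hashes leak offline.
            "online_len_cracked_offline_s": expected_seconds(n, on_len, OFFLINE_RATE),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    print(classify(62, 4), "/", classify(62, 8))
```

The last column is the point of the article in one number: a 6-digit PIN that would take a throttled online attacker weeks is gone in well under a second once the hash database is in the attacker's hands.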
One approach to this problem is moving from a single-factor authentication scheme (something you know: the password) to a two-factor model (something you know, the password, plus something you have, such as a token or a phone), so that a stolen or guessed password alone is not enough to log in. Look for more on this in some upcoming posts.
Next week, one of Prime Factors' EncryptRIGHT customers, Brian Huse of Arroweye Solutions, will be talking about the importance of using cryptographically strong keys and automating their lifecycle management. Details and registration for the session are linked from this post.
Also, if you've seen something fun on data security or data protection online, share it with the rest of us in the comments below.