Administrative Security: Passwords
Everyone’s got a few, or twenty, and we’ve all forgotten one from time to time. But passwords are increasingly critical to both our business and our personal security. Still using your birthday as a password? Get real! A birthday is drawn from a few tens of thousands of possible dates, which a computer can try in well under a second, so you’re a threat to yourself and to everyone whose data sits behind your login.
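To make the “birthday” point concrete, here is an added example (not code from the original article) that enumerates every calendar date from 1920 to 2010 in a handful of common typed formats, hashes each candidate with SHA-256, and recovers a constructed sample password. The year range, the list of date formats, and the sample password 07041985 are assumptions chosen for illustration; a real cracking wordlist would cover far more layouts.

```python
"""Added example (not from the original article): how small the search
space of a "birthday" password really is.

A constructed target hash of the password "07041985" is recovered by trying
every calendar date between 1920 and 2010 in a few common formats.
"""
import hashlib
from datetime import date, timedelta

# Assumption: date layouts a person might type as a password. A real
# attacker's wordlist would include many more variants.
DATE_FORMATS = (
    "%m%d%Y",    # 07041985
    "%d%m%Y",    # 04071985
    "%Y%m%d",    # 19850704
    "%m%d%y",    # 070485
    "%d%m%y",    # 040785
    "%m/%d/%Y",  # 07/04/1985
    "%m-%d-%Y",  # 07-04-1985
)


def date_candidates(start_year=1920, end_year=2010):
    """Yield every date-shaped password string in the given year range."""
    current = date(start_year, 1, 1)
    end = date(end_year, 12, 31)
    one_day = timedelta(days=1)
    while current <= end:
        for fmt in DATE_FORMATS:
            yield current.strftime(fmt)
        current += one_day


def sha256_hex(text):
    """Hex SHA-256 of a password string (stand-in for a leaked hash)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def keyspace_size():
    """Total number of candidates an attacker must try to exhaust the space."""
    return sum(1 for _ in date_candidates())


def crack_date_password(target_hash):
    """Return (password, attempts); password is None if the space is exhausted."""
    attempts = 0
    for candidate in date_candidates():
        attempts += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample: a user picked their birthday, 4 July 1985, as MMDDYYYY.
    target = sha256_hex("07041985")
    recovered, tries = crack_date_password(target)
    print(f"recovered {recovered!r} after {tries} guesses "
          f"(full date keyspace: {keyspace_size()} candidates)")
    # For contrast, eight random lowercase letters alone give 26**8 candidates.
    print(f"eight random lowercase letters: {26 ** 8} candidates")
```

Note that the first hit need not be the date the user had in mind: “07041985” is also 7 April 1985 written day-first, which the loop reaches first. The attacker does not care which interpretation is right; either way the whole space is a few hundred thousand guesses, against hundreds of billions for even a short random string.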
I’m sure at one time or another everyone’s grandfather has lamented about how things were back in the good old days when “we didn’t need to lock our doors.” Well, back in the “good old days,” my work PC did not store sensitive customer data, and my bank account couldn’t be emptied out remotely. “Way back when,” the computer was just a snazzy typewriter, and stored nothing more exciting than word processing documents (which are not very exciting). And my PC was not connected in any way to my company’s sensitive data. As such, there was no pressing need for me to use a password to lock my computer. But now that I am a “knowledge worker,” my PC can be used to march virtually into my company’s data center. Now my PC is a door to a bounty of sensitive and valuable data, and there are ill-intentioned people all around the planet intent on breaking down that door, so I need to lock it. This is not your grandfather’s 1950s bungalow.
Passwords are the basic method of “logical,” or electronic, access control, today and for the foreseeable future. Clearly, other authentication factors are growing in type and accuracy, and as a result are being deployed in more situations: computer stores now sell smart card readers (something you have) as well as keyboards and laptops with built-in fingerprint readers (something you are). While these technologies raise the bar, they cannot guarantee security. In fact, some schools of thought hold that as long as access to sensitive information is granted when a user voluntarily “gives up” something, like a password, that information will never be safe, since users can be fooled into giving it up to the wrong party. To a large extent, I agree with that opinion. For that reason, user education must include, and demonstrate, typical scam techniques such as phishing and social engineering, discussed in their own sections.
Whether biometric technologies will ever completely supplant passwords remains to be seen. After all, smart cards, and even fingers, can be stolen. But until mind-reading biometric scanners go on the (black) market, a password can remain safe as long as it is not guessable, not unwittingly handed over, and not written down where others can find it, otherwise known as the sticky-note method. (At the time of this writing several research groups around the world have demonstrated the early phases of mind-reading software, so don’t rule this out entirely. Remember, that which seems like magic today is just called science tomorrow.)