Press release BoxID 509464
Password creation policies are the enemy of secure passphrases say IT experts
The reasons for this, says Steve Watts, co-founder of the tokenless two-factor authentication (2FA) specialist SecurEnvoy, are actually more complex than Cameron Morris, the security developer, notes.
"This isn't to say that Cameron is wrong - far from it - it's just that the reasons why passwords are coming to the end of the line in today's online environment are multi-faceted, with company password policies being only one issue of concern," he said.
"One of the other major issues we have observed is that people have great difficulty remembering more complex passwords than the six or eight alphabetic strings that most Internet users rely on. Because of this, they fall back on an eight-digit passphrase that is usually a family member's name or place of birth, and which - unfortunately - is all too easy to hack using brute force password attacks," he added.
The problem with corporate password policies, the SecurEnvoy co-founder went on to say, is that they often force users to create complex passwords with a mixture of letters and numbers, with at least one of the letters being upper case.
The net result of this, he says, is that users end up with a relatively complex passphrase that is difficult to remember, and the employee often ends up storing the passphrase on their mobile phone as an aide-mémoire or - perhaps worse - writing it on a yellow sticky note which is then placed on their desktop monitor.
This, he adds, is the real issue that Cameron has picked up on: making passwords too complex means that the average user takes an easy option to help them remember it when they want to log on.
Watts explained that it is this experience that has pushed many organisations to go down the hardware authentication token path, forcing employees to tote the hardware token with them - perhaps on their key ring or in their purse.
A far easier option, he notes, is to go down the tokenless 2FA security route, using an employee's mobile phone as the medium for authentication. As well as being more convenient for staff than toting around a hardware token, tokenless 2FA can also be completely reconfigured by the IT helpdesk in real time, rather than having to wait for a member of staff to be sent a new hardware token.
"We welcome news that Cameron Morris has identified a shortcoming of password policies that focus only on passphrase composition, rather than actual strength. The Passfault software - which he has developed - highlights how easy it is to crack a typical password. Tokenless 2FA is, in our opinion, a far better option in terms of security and flexibility," he added.
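The gap between composition rules and actual strength that Watts and Morris describe can be made concrete with a small checker. This is an added example, not SecurEnvoy's or Passfault's code: a typical composition policy is put beside a pattern-aware guess estimate, using a constructed six-word stand-in for a cracking wordlist (DICT_SIZE, the assumed size of a real list, is also an assumption).

```python
import math
import re

# Constructed stand-in for a cracking wordlist: membership is checked against this
# tiny set, but guesses are priced as if the attacker used a DICT_SIZE-word list.
COMMON_WORDS = {"password", "summer", "london", "michael", "welcome", "dragon"}
DICT_SIZE = 100_000  # assumed size of a realistic wordlist

def meets_composition_policy(pw: str) -> bool:
    """The kind of corporate rule the article describes: at least eight
    characters, with upper case, lower case and a digit present."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)

def estimate_guess_bits(pw: str) -> float:
    """log2 of the guesses a pattern-aware cracker needs (lower is weaker).
    Dictionary words, an optional capital and an appended digit or symbol are
    priced as the few choices they really are, not as random characters."""
    words = pw.split(" ")
    if words and all(w.lower() in COMMON_WORDS for w in words):
        # Passphrase of known words: one dictionary choice per word, in order.
        return len(words) * math.log2(DICT_SIZE)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9 ]?)", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        _word, digits, symbol = m.groups()
        bits = math.log2(DICT_SIZE)              # which word was picked
        bits += 1                                # initial capital or not
        bits += len(digits) * math.log2(10)      # each appended digit
        bits += math.log2(33) if symbol else 0   # one of 33 ASCII symbols
        return bits
    # No recognised pattern: fall back to brute force over the classes present.
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"\d", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33
    return len(pw) * math.log2(space) if space else 0.0

def assess(pw: str) -> dict:
    """Both views side by side: does the policy accept it, and how strong is it?"""
    return {"policy_ok": meets_composition_policy(pw),
            "bits": round(estimate_guess_bits(pw), 1)}

if __name__ == "__main__":
    for pw in ("Michael1", "dragon summer london welcome", "Xq7!pL2m"):
        print(pw, assess(pw))
```

"Michael1" passes the policy yet costs only about 21 bits of guessing, while the four-word passphrase is rejected by the policy at roughly 66 bits.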
For more on SecurEnvoy: http://www.securenvoy.com