Good Security Still Starts with Solid Passwords


It was widely reported last week that French President Nicolas Sarkozy's bank account was hacked and a small amount of money stolen by criminals who managed to get his user name and password.


Choosing good passwords, and password hygiene generally, is often overlooked because the subject is dull. It is nonetheless one of the many small building blocks that together determine how secure a network or organization actually is. Wi-Fi Planet offers a good password primer, which starts from the observation that most people do not use adequate passwords because strong ones are hard to remember, and that when they do create one they often write it down, which the primer regards as just as dangerous. Among the writer's suggestions: never reuse one password, strong or weak, across all online activities; the writer instead recommends a strong base password varied slightly for each use. An ideal password mixes upper and lower case letters, symbols and numbers, and reducing a phrase meaningful to the user to an acronym is a good starting point, the writer says. One caution worth adding to that advice: small per-site variations of a base password are only as independent as the variation is unpredictable. Once one variant leaks in a site breach, an attacker who spots the pattern can try the obvious tweaks against the same user's other accounts, so genuinely unrelated passwords, kept in a manager, are the stronger option.


Luckily, many tools exist to make password chores easy without making their users vulnerable. This site, for instance, claims to generate highly secure passwords of various lengths each time the visitor refreshes. A generator is only as good as the randomness behind it, and one caveat applies to any web-based generator: if the password is produced on the server rather than in the visitor's browser, the site operator has seen it.


This PC World Canada story highlights five tools. The five, RoboForm, Passpack, Password Hash, OpenID and ID Vault, work in quite different ways. Passpack, for instance, stores users' passwords online, while OpenID is not a password store at all: it is an authentication protocol in which the user signs in once with an identity provider, which then vouches for that identity to participating sites, so the user never has to give those sites a password. There clearly are many ways to attack the password problem. Each has its own strengths and weaknesses, ranging from technical inefficiency to being too hard to use.
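The idea of deriving a distinct password for every site from one memorised secret, which is the general approach a hashing-style tool takes and the safer alternative to the "base password with a small change per site" advice quoted above, can be shown in a few lines. This is an added illustration written for this page, not code from any of the products named and not a description of how any of them works internally; the master phrase, the site names and the symbol set are constructed examples.

```python
import hashlib
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+"  # constructed symbol set; real tools let the user choose
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a site-specific password from one memorised master secret.

    PBKDF2-HMAC-SHA256 with the (lower-cased) site name as salt makes the
    output one-way and unrelated between sites: a leaked password for one
    site reveals neither the master nor the password for any other site,
    unlike a hand-tweaked base password. The iteration count also slows
    offline guessing of the master if one output does leak.
    """
    if length < 4:
        raise ValueError("need at least one position per character class")
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site.lower().encode("utf-8"),
        100_000,
        dklen=length,
    )
    # Reserve the first four positions for one character from each class so
    # the result satisfies typical "mixed case, digit and symbol" site
    # policies; the remaining positions draw from the full alphabet.
    classes = (UPPER, LOWER, DIGITS, SYMBOLS)
    chars = [cls[b % len(cls)] for cls, b in zip(classes, raw[:4])]
    chars += [ALPHABET[b % len(ALPHABET)] for b in raw[4:]]
    # b % len(...) is slightly biased for alphabet sizes that do not divide
    # 256; acceptable for illustration, not for a production generator.
    return "".join(chars)


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one upper, lower, digit and symbol."""
    return all(any(c in cls for c in pw) for cls in (UPPER, LOWER, DIGITS, SYMBOLS))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example, not a real secret
    for site in ("bank.example", "mail.example", "shop.example"):
        print(site, derive_site_password(master, site))
```

Because the site name is part of the derivation, the same master yields unrelated outputs for bank.example and mail.example, and a one-character change to the master changes every output; that is exactly the property the "tweak the base password" habit lacks.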


Foxmarks 2.5, a new Firefox add-on, adds synchronization of saved passwords through the Foxmarks servers. Web Worker Daily notes that any system that stores passwords this way should be questioned about how it does so, and gives two reasons this one passes muster. First, the user creates a personal identification number (PIN) that must be supplied to unlock the passwords, and the writer points out that the PIN is never sent to Foxmarks, which makes it hard to see how it could be taken from the service. Second, password data travels between the servers and the requesting computer protected by 256-bit Advanced Encryption Standard (AES). Two caveats a practitioner would add: encryption in transit protects against eavesdropping on the connection, not against whoever holds the stored data, and a client-held PIN protects the stored data only as well as it resists offline guessing. A short numeric PIN can be run through exhaustively by anyone who obtains a copy of the stored records, without the server ever seeing a login attempt, so the effective protection depends on the PIN's length and on how expensively the unlock key is derived from it.
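The offline-guessing caveat is easy to make concrete. The following is an added example for this page modelling a generic "key derived from a client-held PIN" design; it is not Foxmarks' code and makes no claim about how Foxmarks actually derives or checks its PIN. The salt, label, PIN and iteration count are constructed values, and the iteration count is kept deliberately low so the demonstration runs in seconds.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

CHECK_LABEL = b"key-check"  # constructed fixed label for the key-check value
ITERATIONS = 500            # deliberately low for the demo; real vaults use far more


def derive_key(pin: str, salt: bytes) -> bytes:
    """Client-side key derivation: the PIN is used here and never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, ITERATIONS)


def client_enroll(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return what a client in this model would upload alongside its encrypted
    data: the salt and a key-check value (HMAC of a fixed label under the
    derived key). Neither of these is the PIN, so the server never learns it."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(pin, salt)
    return salt, hmac.new(key, CHECK_LABEL, "sha256").digest()


def offline_guess_pin(salt: bytes, check: bytes, digits: int = 4):
    """An attacker holding a copy of the stored record tries every PIN of the
    given length. The server is not involved, so no lockout or rate limit
    applies; only the per-guess cost of derive_key slows this down."""
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        cand = hmac.new(derive_key(guess, salt), CHECK_LABEL, "sha256").digest()
        if hmac.compare_digest(cand, check):
            return guess, n + 1  # recovered PIN and number of guesses it took
    return None, 10 ** digits


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Average guesses to hit a uniformly chosen secret: half the keyspace."""
    return alphabet_size ** length // 2


if __name__ == "__main__":
    salt, check = client_enroll("1357")  # constructed example PIN
    print("recovered", offline_guess_pin(salt, check))
    print("4-digit PIN, average guesses:", expected_guesses(10, 4))
    print("12-char alphanumeric, average guesses:", expected_guesses(62, 12))
```

Keeping the PIN on the client is the right design choice, but the example shows why it is not sufficient on its own: the attacker's work is bounded by the PIN's keyspace multiplied by the derivation cost, so a four-digit PIN falls in a few thousand guesses while a long passphrase does not.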


It is vital that individuals and organizations follow best practices in creating and handling passwords. Experience shows again and again that the biggest security failures come from the simplest, not the most sophisticated, attacks.