The InfoSec Blog

IAM – Basics – Policy

Posted by Anton Aylward

If there's one thing that upsets me when I see articles and posting to forums about policy, its mention of a "Password Policy". I have to step away from the keyboard, go outside and take some deep breaths to calm down.

I get upset because policy is important and developing -- and more importantly communicating -- policy has been an important part of my career and the professional service I offer. Policies need to be easy to understand and follow and need to be based on business needs.

If you begin with a list of policies, you end up adapting the the reality of your business - the operations - to the list. You are creating a false sense of security. You need to address what you need to control, and that is Identity and Access.

Lets face it, passwords, as Rick Smith points out in his book "Authentication", are not only awkward, they are passée - even Microsoft thinks so. More to the point, using passwords can be bad for your financial health.

They should be used with care and not as a default.

And they should most certainly NOT be entombed in a corporate policy statement.

Passwords Suck!

Posted by Anton Aylward

Indeed they do.
Its beginning to look like the point I've been trying to make for years, here and with clients, is finally getting some notice. That the sad real truth is that passwords are security theatre. They provide the
illusion that you're securing something.

For those new here, I've long recommended Rick Smith's excellent book on this matter:
"Authentication: From Passwords to Public Keys" ISBN 0201615991
See his home page at

Grandpa Rob Slade reviewed this, rather more kindly than some books he's reviewed.
The author of the article recommends passphrases - a passphrase is easy too remember.
In "Password Expiration Considered Harmful" Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also 'The Strong password dilemma' and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, "But that was in another country and besides, the wench is dead"). I fat finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won't flow from their fingers so readily.

My home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I've used the same passphrase for over a decade. I can type it a LOT faster than a a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don't even have to 'say' the passphrase in my mind so even a telepath couldn't "sniff" it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I'm getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, its crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford's blog entry on this.  But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, now often do you change the lock on your front door?

Reblog this post [with Zemanta]

Are these “Top 10” dumb things or not?

Posted by Anton Aylward

At "10 dumb things users do that can mess up their computers" Debra Littlejohn Shinder brings up some interesting common failings. Lets look at her list, because I have a different take.

#1: Plug into the wall without surge protection
#2: Surf the Internet without a firewall
#3: Neglect to run or update antivirus and anti-spyware programs
#4: Install and uninstall lots of programs, especially betas
#5: Keep disks full and fragmented
#6: Open all attachments
#7: Click on everything
#8: Share and share alike
#9: Pick the wrong passwords
#10: Ignore the need for a backup and recovery plan

Well, they seem interesting, but ...
The big "but" gets back to one of my favourite phrases:

Context Is Everything

Very simply, in my own context most of this is meaningless. It may well be in yours as well.