Pages

Thursday, July 14, 2016

Strategies for better password management : Key to your online security


KWAMI AHIABENU  11 JULY 2016

Passwords are the key to your online life. They are the most popular mechanism to enable authorised access to various online resources for users.

At the basic level, this type of security is made up of two parameters; a user name and password. The user name is usually static while best security practices demand that passwords are changed periodically. 

The genesis of passwords dates back to ancient times when watchmen would require those wanting to enter an area to supply a password or catchphrase. Only persons with the correct password gained access. 

Fast forwarding to our modern days, user names and passwords (a word or a string of characters) are now required to get access to protected computer operating systems, networks, database, Internet access via Wifi, online resources, mobile phones, automated teller machines (ATMs) and cars, among others. 

Fundamentally, passwords are used to identify and distinguish between users, determine the level of authorisation or the user capabilities on digital resources. For instance, a health care worker can have a password that gives authorisation to access some patient information, a senior medical officer may have access to all patient information in their department while the hospital administrator may have access to all patient records across the entire hospital. 

This way, each user is given access to certain resources based on their level of authorisation.

Best practices in password management

Thousands of passwords are stolen each day, leading to serious problems for users, including loss of funds and inability to undertake work and destruction of sensitive data. 

A common method of stealing passwords, also called password cracking, is guessing or recovering a password from stored sites or from data transmission systems using a trial and error method (brute force) which uses application programmes to decipher encrypted data or dictionary attacks where all words in one or more dictionaries are tested for fit.

In order to protect yourself from these security risks, you must aim at creating a strong password, which is difficult to detect by both humans and computer systems, thereby preventing unauthorised access to your accounts. 

A key recommendation for achieving a strong password includes using 14 characters or longer (at a minimum eight characters - the more characters, the stronger the password); using two or more unrelated words and combining uppercase and lowercase letters. 

Since passwords are typically case sensitive, numbers and symbols (@, #, $, %, etc.) are also recommended. Using a software, which can generate obscure passwords, is the best way to go.  It is important to avoid using a single password on multiple accounts or multiple devises since this practice will make one more vulnerable. 

To stay safe, use strong passwords which cannot be guessed easily. Never write down your password but try to memorise it. 

Passwords which include your date of birth, wedding date, telephone number, pet's name, child's name, part of your name and words found in dictionary and your organisation name are all easily guessed. 

There are a number of password manager software on the market which enable you to store passwords relatively safely using an encrypted system which can be accessed using one master password.

Password policy 

Most organisations or service providers may provide their users with a password policy that sets a parameter for composition and general management of passwords, including prohibited elements (e.g. date of birth, own name, parents names, telephone number), minimum length, required categories (e.g. upper and lower case, numbers, and special characters) and frequency of changing them. Also the organisation may allocate different passwords to each system user instead of one password shared by multiple users of the system. 

Does changing your password frequently lead to better security?

Whether changing passwords frequently improves security is a moot point among experts. The main advantage of changing your password is that if an unauthorised person gained access to the old one, it will be useless, since there is a new one in place. 

According to Microsoft (https://docs.google.com/viewer?url=http://research.microsoft.              com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf) mandatory password changes cost billions in lost of productivity. 

A further argument is that in some cases, frequent password changing requirements lead to risks since some users create variations of the same simple passwords or write them down. In some circumstances changing passwords frequently is a must but for most typical users, this requirement is not necessary. 

Conclusion 

What happens to your password when you die?  Many more people are now leaving passwords in their will so that this important information is passed on when they die so that persons responsible for their estate can have access to their digital resources. 

In recent times, there is a school of thought which claims " passwords are dead" because of the availability of alternatives such as the two-factor authentication, biometric verification, one-time sign on, personal USB keys and virtual 'tokens' etc.  

Although these efforts are chalking up varying degrees of success, passwords remain the most dominant form of authentication. Therefore, it is imperative to guard your password with your life. 

 

The writer is the Executive Director of Penplusbytes.org - you can reach him on WhatsApp: 0241995737