Building a better password
Is your password really as secure as you think it is? Davey Winder investigates.
In the end, what makes implementing a successful secure password management strategy is actually having a strategy in the first place insists Kevin Bocek, director at IronKey. "While it may seem simple" Bocek tells us "it's most important to have a password management strategy and policy of some sort that's actually implemented and enforced even though it's not perfect".
At the smaller end of the enterprise scale, this is often still not yet accomplished. But with the Information Commissioner's Office placing the spotlight on data breaches, many organisations of all sizes have started encrypting mobile data.
"Without being able to enforce and report on encryption use, including the type and quality of passwords used for unlocking encryption keys" Bocek warns "escaping a fine that can reach 500,000 could provide difficult".
Which is where a Continuous Controls Monitoring (CCM) solution can be useful, suggests Richard Hunt.
"CCM provides users with real-time status assurances for all of their compliance control points" he explains "a rule can be configured that triggers an automatic and regular review of password complexity to ensure that user passwords contain enough variation in terms of numbers and upper and lowercase letters". Any exceptions will be automatically flagged in the control output and then reviewed by the IT Admin for relevant action.
Secure or not secure?
So what makes a truly secure password? Jason Hart, an ex-ethical hacker and now vice president of security at CRYPTOCard has a very straight response to the question: nothing makes a password truly secure!
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Passwords are the softest security target" Hart warns "and until people and organisations start adopting strong authentication in the form of, for instance, two-factor authentication this problem won't go away".
Sadly, of course, he is right. Which is why many enterprises are now combining something you have (such as a smartcard or USB stick with a one time password function) with something you know (a PIN) to secure their networks instead.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.