19. January 2010 16:36
by nickolay_kolev

Knowing your passwords is a security breach

Current authorization requirements for almost any system, including your e-mail or computer login, rely on a pair of strings. The first is your username and the second is your password.

Your username is pretty much a publicly known value and doesn't contribute much to your security. If you know the username of a single user in a given company, you may easily guess with 99% accuracy the usernames (and e-mails) of all of the employees in that company, provided you know their names. The task of obtaining somebody's username is made even easier by the fact that the same username is used to construct the corporate e-mail addresses.

In other words, your security is as strong as your password. That's it. A single string is what keeps good and bad people away from your data.

Now, when you work with people, there are cases and events when you are tempted to give your password away. For example, you were just leaving the building and somebody called you and asked you for a certain document or file, or how to connect to your server and reboot it, because "everything is down and everybody is waiting and it is critical to do it right now". Given how easy it is to just give away the password, instead of going back to your workstation on the 11th floor, I bet that more people than not will actually do just that: give their password to their co-workers. Of course with the intention to change it immediately when they get access to that machine again. This, as we know, doesn't happen until your OS forces you to do it.

A more "Hollywood"-like scenario includes kidnapping, running, hiding and eventual mental or physical torture before the macho hero gives away the password. Since he is a well-trained professional, it turns out the password is not the real one, but one that starts a countdown process of some sort, which in the end results in eliminating all the bad guys, saving the world and getting the pretty girl.

In real life you give the real password, which by the way is probably the same one that you use for your e-mail account(s), bank account(s) and most of your store accounts, like Amazon, Costco and so on.

What I am trying to say is that it is easy to get in trouble just because you know your password and take a shortcut somewhere, sometime.

What do I suggest? The best solution is not to know your password. For example, I don't know my password for my desktop machine...

"But wait! How do you log in then?!?!" - I hear you ask.

Well, I don't know the password, but I follow a pattern that I chose some time ago to create my passwords, and the moment I have a keyboard in front of me, I can log in by following the pattern. It is my fingers that "remember" the password. All I need to know is what my start button is.

The good thing about this system is that when somebody asks me "what is your password", I honestly answer: I don't know! And I am pretty sure I'd even pass a lie detector :), because I really don't know it (again, unless there is a keyboard in front of me).

This makes it hard to just give away your password, makes it easy to have different passwords for all your web logins (you only need to remember your start buttons), and you will have more storage space left in your mind for more interesting data than boring, insecure passwords.
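As an added example (not code from the post), here is a small Python model of the scheme: a fixed walk over a keyboard layout, started from a chosen key, plus a count of how many distinct passwords one fixed pattern yields when only the start button changes. The QWERTY rows and the pattern itself are constructed assumptions.

```python
import math

# Constructed sample layout: the three letter rows of a US QWERTY keyboard.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Hypothetical fixed finger pattern: each step is (row delta, column delta).
# The same pattern is reused everywhere; only the start key varies.
PATTERN = [(0, 1), (1, 0), (0, 1), (-1, 0), (0, 1), (1, 0), (0, 1)]


def walk(start, pattern=PATTERN):
    """Return the string typed by following `pattern` from `start`,
    or None if the walk runs off the edge of the layout."""
    for r, row in enumerate(ROWS):
        if start in row:
            pos = (r, row.index(start))
            break
    else:
        raise ValueError("unknown start key: %r" % start)
    typed = [start]
    for dr, dc in pattern:
        r, c = pos[0] + dr, pos[1] + dc
        if not (0 <= r < len(ROWS) and 0 <= c < len(ROWS[r])):
            return None  # pattern does not fit from this start key
        typed.append(ROWS[r][c])
        pos = (r, c)
    return "".join(typed)


def keyspace(pattern=PATTERN):
    """Every password the fixed pattern can produce: one per valid start key."""
    result = {}
    for row in ROWS:
        for key in row:
            pw = walk(key, pattern)
            if pw is not None:
                result[key] = pw
    return result


def choice_bits(pattern=PATTERN):
    """Bits of choice an attacker who knows the pattern must still guess:
    log2 of the number of distinct passwords, i.e. of usable start keys."""
    return math.log2(len(keyspace(pattern)))


if __name__ == "__main__":
    for key, pw in keyspace().items():
        print(key, "->", pw)
    print("distinct passwords:", len(keyspace()), "bits:", choice_bits())
```

With this layout and pattern, every start key gives a different 8-character string, but there are only 8 usable start keys, so a reader of the pattern is choosing among 8 passwords rather than among all 8-character strings.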

So, forget your passwords and live a more secure life!

