Perhaps unsurprisingly this process of allowing one group of individuals access to something, while denying other groups (i.e., everyone else) creates a dichotomy between ease of access and level of protection. The easier you make it for the "good" group to access the protected asset, the less likely it is that you will be able to deny access to every member of the "bad" group (hence the "satisfactory" part in the original definition). If you want to deny access to 100% of everyone in the "bad" group, you are correspondingly going to make it quite difficult for members of the "good" group to gain access. This give and take between the "control" and "access" of controlled access to assets is pretty much true at all levels of security. What this implies is that security is not a destination, it is a multi-layered synthesis of processes and principals all working (hopefully) together for the common goal of protecting assets. For the curious, here is a glossary of security related terms.
With this baseline introduction to security in place, I wish to focus on the security subtopic commonly known as "passwords" (alternative labels include "passphrase," "passcode," "keyphrase", "keys" and several other pseudonyms) In this case the asset protected is typically a digital asset, and the password is the key to the protection mechanism; in such a system passwords are the first (and, unfortunately, often the only) line of defense. A privileged user is authenticated to access the asset (given permission) by virtue of knowing the password. Other users are denied access by virtue of not knowing or not being able to guess the password. Note that access to the protected asset might be obtained through other means, but this would require a detailed discussion of protection mechanisms that is not really suitable here.
Attributes of Effective Passwords
Already we can gain quite a bit of insight into the strengths and weakness of a system that uses passwords to authenticate users.
Passwords are more effective when...
- they are more complicated (random) because this makes them harder to guess.
- what each one protects is limited in scope because fewer assets protected by the password means less assets are at risk if a password attack is successful.
- fewer people know a password because there is less risk of exposure, accidental or deliberate. For critically important passwords this has the disadvantage that an attacker can choose a narrower focus of attack - one reason the U.S. President wanders around with Secret Service bodyguards all the time, a good thing since he holds the primary key to the USA nuclear arsenal.
- they are spread across multiple people, because this reduces the risk that one individual can or will abuse their asset privileges if all are required to be present when it is used.
- provided to the authentication mechanism in such a fashion as to prevent (or at least make difficult) external observation.
- they are not written down, a corollary of the above that helps to make observation of the password difficult.
- they are not logged, recorded or stored by the authentication system (not even failed attempts), another corollary to help make observing a password difficult. Passwords are commonly stored using a "one-way" encryption system, this reduces the ability of an attacker to use the encrypted form for purposes of determining a password.
- they are changed often, this is because constantly changing passwords prevents an attacker from continuing to use a known password for an unlimited time in the future.
Not all of these strengths and weaknesses we just discussed are readily apparent to the normal computer user. It says something about human nature that, on systems that allow users to select their own passwords with no guidance or restrictions on the chosen value, the most common password chosen is "123456" with "password" and "stupid" close runner-ups. This inherent weakness in choosing good passwords is one reason many companies have a "password policy" in place for their computer users.
If you're unfamiliar with the term "password policy" then you should understand that they are a set of guidelines primarily enforced at the computer itself, the use of which is intended to encourage users to create relatively secure passwords. Most modern computer systems contain software that helps IT manage the kinds of passwords that are acceptable and how often the user must change their password. The fact that the computer will do most of the enforcement grunt work makes corporate management of passwords a snap. As an example, here is a password policy that your IT group may enforce:
Password Policy for XYZ Corp:
- Must be changed every 90 days.
- Must have between 8 and 20 characters.
- Must use both lower and UPPER case letters.
- Must use at least two digits or symbols.
- Cannot be a password you have used in the past.
If you are a corporation (especially a public corp), the officers of the company actually have a legal obligation to protect the corporate assets, failure to do so (or rather failure to make reasonable attempts at doing so) means that you, the officer, or you, the corporation, can loose all sorts of rights and/or open yourself to all sorts of trouble (often in the form of lawyers serving papers, undesirable stock action or both - multiplexed). A public corporation who fails to reasonably protect its assets is just asking for a shareholder's lawsuit. This protection requirement extends to and includes corporate digital assets (a phrase that really means "bits stored on some hard drive somewhere (and, by the way, the latter had better be owned or controlled by the company, or a serious looking man (woman) in a pinstripe suit (dress) is going to be dispatched somewhere as soon as we know where we're going to send him (her))") and in certain situations may have even more egregious requirements than physical assets. Just examine the actions of the RIAA "on behalf of music artists" for the last decade or two if you don't believe me (what a great business idea, sue your customers).
Strangely, one of the best and easiest ways to show your shareholders (or the judge) that you are taking seriously the protection of your digital assets is to have your IT department put into place a password policy similar to the one above. There is more than this, of course, but a question similar to, "Does your company have a password policy?" will invariably be one of the first questions asked; followed closely by, "What actions does your company take to enforce such a policy?"
Of course, under your newly minted policy the most likely password in the above system may now be "Pa$$w0rd" but at least you tried (besides, the first and last policy guidelines listed above will at least ensure that the obvious alternatives to common passwords will be flushed out of the system fairly quickly).
An IT security professional will need to be careful, however. Aggressive policies can actually work against you. Forcing users to frequently create new passwords increases your chance that they will act against you in other ways (i.e., writing down the password on a sticky note they then tack to the bottom of their screen). The best password systems make as much of this automated as possible.
To reiterate: from the user's perspective, the best system should be an easy to remember password and be trivial to use. From the security perspective: the ideal password is a randomly generated password that may be used exactly once, a different password is required for each successive authentication for an asset. Such a system exists, but the cost is fairly high. Thankfully, competitors are starting to offer lower priced alternatives.
If you are a private citizen you don't have the same legal responsibility to protect personal assets (i.e., someone can steal from you and may be prosecuted even if you didn't lock your front door), and such assets are not normally protected by passwords anyway. This doesn't mean that you should't pay attention to these password issues. You still need to take reasonable action (if only for self interest) in selecting passwords for your bank accounts, utility account, mortgage accounts and any internet retailers you frequent.
An exercise for the reader: are password policies the cause for such idiomatic trash as 1337 $934|< (elite speak)?