Or vice versa?
By silicon.com
Published: 16 May 2006 17:35 GMT
It's incredible to think that in 2006 we are still struggling with the issue of managing secure passwords. But judging by the responses of several heads of IT silicon.com contacted this week, it's clear that we are.
At the heart of the issue is a far greater problem which dogs much of our internet and IT security: usability and security, at their extremes, are mutually exclusive. An open door is far easier to walk through than a locked door.
In simple terms the most secure system will almost inevitably be the least usable because of the added layers of complexity which security often demands.
And yet when we try to force that greater complexity upon the end user, the reaction is an undermining of the security because of a lack of usability.
If we try to make users reset passwords regularly, if we ask them to mix up random text with numbers as well as upper case and lower case letters when setting them, if we insist they do not repeat passwords or change only one or two characters each time, then the reaction is fairly predictable.
Many will start writing down their passwords. The complexity of the system means shortcuts and workarounds appear.
It's true of all security issues, not just passwords, and the solution is risk management. Establishing exactly how secure is secure enough sounds controversial, because people are often unwilling to accept anything less than 100 per cent security as their target, but the issue - and the tough questions it brings up - must be dealt with.
For instance, if somebody has to remember eight passwords in order to do their job then are all of those passwords protecting critical data? Should some of them be replaced by more robust security? Should others be dropped altogether? Making that employee remember eight passwords is encouraging them to write down eight passwords, or use one for all, or use something blindingly obvious. Inevitably that undermines the security of all those passwords.
In the long term, passwords will be replaced or combined with biometrics or other technologies. They are far from perfect but our understanding of how they should be managed is also often lagging.
Even if we don't have to put up with them for long, we all need to get it right... for now.
Copyright © 2008 CBS Interactive Limited. All rights reserved.