
Problems and costs, tips and alternatives
By Tony Hallett
Published: 4 December 2003 13:39 GMT
Recent website security scares have brought home the importance of a sensible approach to passwords, at both the personal and corporate levels. Tony Hallett reports on what the industry is saying - and whether passwords are enough.
Tricky things, passwords. They are our most common way of safeguarding digitally stored information over shared media but they are fraught with contradictions. Most obviously, the safer they look - in terms of length and mix of characters - the harder they often are to remember, making them dangerous when end users write them down. Meanwhile employers are increasingly being told passwords - meant to make things safer - are not just frequently insecure but costly to support and legally contentious.
Consider help desk costs. There is a general consensus that resetting a forgotten password costs companies around £10-30 a time, and that such resets can account for between 30 and 60 per cent of help desk calls.
"And this will increase with stronger password rules," says Rudolph Huber, VP identity management at ASG.
Most enterprises with an established policy on digital security require their staff to change passwords - per client or per application - every 30, 60 or 90 days. This adds to those help desk enquiries but is seen as best practice, as is preventing the reuse of previous passwords or of ones that differ from them only slightly.
One member of a marketing department at a company that preferred not to be named told silicon.com: "I used to have three passwords that I'd rotate but they don't allow that anymore."
In general, besides changing them regularly, tips include:
- Never use words that can be found in a dictionary - even in combinations - or common proper nouns.
- Make them at least eight characters long and substitute numbers for letters in some cases, for example a 5 for an S.
- Never use passwords across different systems or websites.
- Don't assume nobody knows enough about you to guess, for example, the name of your next door neighbour's cat.
Roy Hills, technical director at security testing specialist NTA Monitor, adds: "Where unlimited password length is available use a sentence - either a phrase known to you or a film, song or book title."
In a similar vein, experts encourage the use of mnemonics. Gunter Ollmann, EMEA manager of security assessment services for ISS, says: "A trick is to think of a longer memorable pass phrase such as 'Oh what a lovely bunch of coconuts!' and only use the first letter of each word, namely Owalboc." Taking on board some of the earlier pointers might leave you with Ow4lb0c - though at seven characters that still falls one short of the eight-character minimum above, so a phrase of eight or more words is needed.
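The tips above and the mnemonic trick can be turned into a small checker. The following is an added example written for this page, not code from ISS, NTA Monitor or any vendor quoted here; the word list, the digit-for-letter table and the list of "personal facts" are constructed stand-ins for a real dictionary and for what a guesser might know about you. It also undoes the common substitutions before the dictionary test, on the assumption that anyone guessing passwords tries those same substitutions:

```python
"""Mnemonic password derivation plus a checker for the tips in the article.
Added illustration; the dictionary and substitution table are constructed."""
import re

# Constructed toy dictionary standing in for a real wordlist.
SMALL_DICTIONARY = {"password", "coconuts", "lovely", "bunch", "london",
                    "summer", "monkey", "dragon", "welcome", "letmein"}

# Digit-for-letter substitutions in the spirit of "a 5 for an S".
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

def mnemonic(passphrase, substitute=True):
    """First letter of each word of the phrase, optionally with digits
    substituted for the lower-case letters in SUBSTITUTIONS.
    'Oh what a lovely bunch of coconuts!' -> 'Owalboc' or 'Ow4lb0c'."""
    words = re.findall(r"[A-Za-z]+", passphrase)
    letters = "".join(w[0] for w in words)
    if not substitute:
        return letters
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in letters)

def _dictionary_or_combination(word):
    """True if word is a dictionary word or the concatenation of two."""
    if word in SMALL_DICTIONARY:
        return True
    return any(word[:i] in SMALL_DICTIONARY and word[i:] in SMALL_DICTIONARY
               for i in range(1, len(word)))

def check_password(pw, known_facts=()):
    """Return the list of tips the password violates (empty means it passes).
    known_facts: strings a guesser might know about you, e.g. a pet's name."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    # Reverse the substitutions first: a guesser's wordlist tries them too
    # (assumption about attacker tooling, not a claim from the article).
    undo = {digit: letter for letter, digit in SUBSTITUTIONS.items()}
    plain = "".join(undo.get(c, c) for c in pw.lower())
    if _dictionary_or_combination(plain):
        problems.append("dictionary word or combination, even after undoing substitutions")
    for fact in known_facts:
        if fact.lower() in plain:
            problems.append(f"contains guessable personal detail '{fact}'")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    return problems

if __name__ == "__main__":
    phrase = "Oh what a lovely bunch of coconuts!"
    for candidate in (mnemonic(phrase), "l0v3lybunch", "Tibbles2003", "Iwtbsoc1997!"):
        print(candidate, check_password(candidate, known_facts=("Tibbles",)) or "ok")
```

Run it and the seven-character mnemonic fails only the length rule, `l0v3lybunch` is caught as two dictionary words once the digits are undone, and the cat's name is flagged even with a year appended.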
Such concrete advice, however, often falls on deaf ears, though a recent survey showed the UK is far from the worst off in Europe. A user name and password survey conducted by Rainbow Technologies this summer of 2,500 IT admins, management and security professionals showed 50.5 per cent of users writing down their passwords - with a shocking 5.5 per cent writing down every one they have - but UK users more likely to be asked to mix letters and numbers. The figure stood at 51 per cent versus just 28 per cent in France.
The same study found that, perhaps as a result of less stringent policies, those in Germany and in France have to have their passwords reset by IT departments less often than in the UK. The proportion of end users in companies making that embarrassing call was 22 and 30 per cent respectively over there as opposed to 44 per cent in the UK. But this brings us back to the issue of 'strong' passwords.
David Williamson, UK and Ireland director of sales at Ubizen, says: "It is a complete myth that security is improved by forcing users to change passwords monthly and using a 12 multi-character format, including numeric and upper and lower cases, which are complex and unmemorable."
What's the answer then? Biometrics? Research from Frost & Sullivan estimates that market will reach $2.05bn by 2006, up from a paltry $93.4m last year. However, fingerprint readers, iris scanners and the like are some way from being ubiquitous. The answers that some are touting revolve around single-use or single sign-on software and appliances.
UK start-up Swivel backs the generation of 10-digit one-off passwords conveyed to users with PIN protection, meaning key-logging software in an internet café, for example, wouldn't be a danger: a captured code has already been spent. RSA Security, one of the biggest names in security, also offers its SecurID token for passcodes that are good for 60 seconds.
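To show why a logged one-time code is worthless to the person who logged it, here is an added example of a time-windowed passcode scheme with a 60-second validity and a server-side check that rejects both replays and stale codes. It is not RSA's SecurID algorithm nor Swivel's; it uses the HMAC-truncation construction later standardised as HOTP/TOTP, and the shared secret and timestamps are constructed for the illustration:

```python
"""Time-windowed one-time passcodes with replay rejection.
Added illustration, not any vendor's algorithm; secret and times are constructed."""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60   # a code is valid for one 60-second window
DIGITS = 6

def passcode(secret, now, window=WINDOW_SECONDS, digits=DIGITS):
    """Code for the window containing Unix time `now`: HMAC-SHA1 over the
    window counter, dynamically truncated to `digits` decimal digits."""
    counter = now // window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side. Accepts the current window and `drift_windows` earlier
    ones (clock drift), and never accepts a window's code a second time, so
    a code captured by a key-logger cannot be replayed."""
    def __init__(self, secret, drift_windows=1):
        self.secret = secret
        self.drift_windows = drift_windows
        self.spent = set()   # window counters whose code has been used

    def verify(self, code, now):
        current = now // WINDOW_SECONDS
        for back in range(self.drift_windows + 1):
            counter = current - back
            expected = passcode(self.secret, counter * WINDOW_SECONDS)
            if hmac.compare_digest(code, expected):
                if counter in self.spent:
                    return False          # replay of an already spent code
                self.spent.add(counter)
                return True
        return False                      # wrong code, or outside the window

if __name__ == "__main__":
    secret = b"constructed shared secret, provisioned to one token"
    t = 1070544000                        # constructed timestamp
    code = passcode(secret, t)
    v = Verifier(secret)
    print(code, v.verify(code, t + 10), v.verify(code, t + 10),
          Verifier(secret).verify(code, t + 300))
```

The first check succeeds, the immediate replay fails, and a fresh verifier rejects the same code five minutes later. Note the PIN Swivel mentions is the second factor this scheme still needs: possession of the secret alone is not proof of the user.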
Similarly, Aspace Solutions has developed an in-house system for Cheshire Building Society based on a secure audit log. Entries are time-stamped, digitally signed and chained to adjacent entries using cryptography anchored in a hardware appliance from nCipher.
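The chaining idea is simple enough to show in full. The following is an added example, not Aspace's system and not nCipher's API: each entry carries a time-stamp, the tag of the previous entry and a keyed tag over all of that, so editing, deleting or reordering an entry breaks the chain. An HMAC stands in here for the digital signature (a real deployment would sign with an asymmetric key held in the appliance so that readers of the log cannot forge tags), and the key and log entries are constructed:

```python
"""Time-stamped, chained, keyed audit log with tamper detection.
Added illustration; HMAC stands in for a signature, key and entries are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # previous-tag value for the first entry

class AuditLog:
    def __init__(self, key):
        self._key = key          # in the real design this never leaves the appliance
        self.entries = []

    def _tag(self, index, timestamp, prev_tag, message):
        payload = json.dumps([index, timestamp, prev_tag, message],
                             separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, timestamp, message):
        index = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        entry = {"index": index, "ts": timestamp, "prev": prev, "msg": message}
        entry["tag"] = self._tag(index, timestamp, prev, message)
        self.entries.append(entry)
        return entry

    def head(self):
        """Tag of the newest entry. Store or publish this outside the log:
        the chain alone cannot tell that the newest entries were deleted."""
        return self.entries[-1]["tag"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (True, None) if the chain is intact, else (False, index of
        the first bad entry). Catches edits, deletions in the middle,
        reordering and time-stamps that run backwards; with expected_head
        it also catches truncation."""
        prev, last_ts = GENESIS, None
        for i, e in enumerate(self.entries):
            if e["index"] != i or e["prev"] != prev:
                return False, i
            if last_ts is not None and e["ts"] < last_ts:
                return False, i
            expected = self._tag(e["index"], e["ts"], e["prev"], e["msg"])
            if not hmac.compare_digest(expected, e["tag"]):
                return False, i
            prev, last_ts = e["tag"], e["ts"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.entries)
        return True, None

if __name__ == "__main__":
    log = AuditLog(b"constructed key standing in for the appliance key")
    log.append(1070540000, "user alice logged in")
    log.append(1070540050, "help desk reset password for bob")
    log.append(1070540100, "user alice logged out")
    print("intact:", log.verify())
    log.entries[1]["msg"] = "help desk reset password for mallory"
    print("after edit:", log.verify())
```

The one failure the chain cannot see on its own is truncation from the end, which is why `head()` exists: a copy of the latest tag kept elsewhere (or a periodic entry signed by a separate key) is what turns "nothing after entry 2" into a detectable event.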
It sounds complex and at a pure technological level it is. However, there remain some other obvious things companies and individuals can do.
To avoid a stream of confusing and easily forgettable codes, work out when you need 'low-', 'medium-' or 'high-security' passwords, maybe corresponding to webmail log-ins, office systems or online banking.
Revealing passwords to anyone is obviously a no-no. "Avoid divulging passwords in just the same way as not walking around telling people your [ATM] PIN or the code to your burglar alarm. Put simply - don't tell anyone," says James Warren, GM at Bullet Online, a web services company serving marketing and PR sectors.
Legally speaking, there are considerations. Simon Halberstam, partner and head of ecommerce law at Sprecher Grier Halberstam LLP and Weblaw, points out employee contract confidentiality provisions should cover the disciplinary consequences of breaching security or internet use policies. Legally binding arrangements should also be made for freelancers and temporary workers, who are often a corporate weak point.
Joanne Brook, partner and part of the technology and media department at Manches Solicitors, adds that when an employee leaves they mustn't be able to take passwords with them. When this happens they can either lock others out or go on accessing systems externally.
For those who will continue using conventional passwords - and let's face it, that means most of us - there are straightforward tips and ways of going about our digital business. For companies concerned about fraud, access to mission-critical systems and other areas, it is clear the humble password won't always be enough.
And even now, there is little reason to be caught out.
What are your tips for dealing with passwords? Got any good mnemonics or tactics? Share them (without giving too much away!) by posting a Reader Comment below.