Wednesday, March 14, 2007

System Security and Usability

As you may know, the weakest link we have ever had in system security is the human himself, who works in the system and performs incorrect actions that lower its security level.

90 percent of hacks of super-protected systems usually happen when a user loses his password and someone else simply enters that password to log in to the system.

This post is about how system administrators can actually decrease security by applying additional methods of increasing security :)

It is a fact that the human brain and memory are unique substances, but unfortunately they have a few limitations and shortcomings. The best-known disadvantage is the ability to remember only a very limited amount of numbers, for example phone and fax numbers (long strings of digits with no connection to letters), and the many complex passwords for accessing various systems, all of which have to be kept in your memory!

The situation is usually made worse by system administrators. You may ask: "How?" Let us explain. The policy is very strict: a password of at least 9 characters, which you must change once every 1-3 months, plus, as additional nonsense, the new password must not resemble any of the 10 previous ones!

And what do we get as a result of such a cool policy? You are right: users write their passwords on stickers, on monitors, on small pieces of paper that they keep in their wallets, and so on.

We can understand a situation where the user has one PIN for each credit card, but why do we need to make life more complicated for the user who starts his day by logging into the system domain?

There are some simple rules which, we hope, will simplify and make everyone's life easier:

1) Requiring users to change their password very often is bad. Yes, it increases system security a little, but the negative effect it causes is huge. The system should ask the user to change the password no more often than once every 4-6 months. At the same time, the user can decide whether to do it or not: the system only recommends and prompts.

2) If the user wants to change the password, don't prohibit it. Instead, the system can tell the user that the new password is too similar to the previous one.

3) There is no need to require all possible character groups in one password at the same time. Using numbers and letters is usually enough to produce a strong password.

4) And the final rule: password length. 6-8 characters are usually enough. If you want to help the user set a strong password, use real-time help tips, as Google does:
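As an added example (not code from the original post), the following Python sketch turns the four rules above into a small policy module: rules 2-4 become a real-time feedback checker that returns hints instead of a flat rejection, and rule 1 becomes a rotation prompt that the user may decline. The thresholds (6-character minimum, letters plus digits, an 80% similarity cutoff, a 4-month prompt, 30-day months) and all function names are assumptions chosen to match the post's numbers.

```python
from datetime import date, timedelta
from difflib import SequenceMatcher


def similarity(candidate: str, previous: str) -> float:
    """Ratio in [0, 1] between two passwords (rule 2).

    Case-insensitive, so 'Tiger42' vs 'tiger43' still reads as a near-copy.
    difflib's ratio is 2*matches/total_length; 1.0 means identical.
    """
    return SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()


def check_password(candidate: str, previous=(), min_length: int = 6,
                   max_similarity: float = 0.8):
    """Real-time feedback for a password being typed (rules 2, 3 and 4).

    Returns (ok, hints). Thresholds are assumptions: 6 characters
    (rule 4), letters plus digits (rule 3) and an 80% similarity cutoff
    against earlier passwords (rule 2).
    """
    hints = []

    # Rule 4: length, reported as progress so the tip updates while typing.
    if len(candidate) < min_length:
        hints.append(f"Use at least {min_length} characters "
                     f"({len(candidate)} so far).")

    # Rule 3: letters and digits are enough; no demand for every symbol class.
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        hints.append("Mix letters and digits.")

    # Rule 2: warn about closeness to an earlier password instead of blocking.
    for old in previous:
        score = similarity(candidate, old)
        if score >= max_similarity:
            hints.append(f"Too similar to a previous password "
                         f"({score:.0%} match).")
            break

    return (not hints, hints)


def rotation_prompt(last_changed: date, today: date, months: int = 4,
                    days_per_month: int = 30):
    """Rule 1: prompt after `months` months, but never force the change.

    The 4-month default and the 30-day month are assumptions. The returned
    'required' flag is always False: the system only recommends.
    """
    due = last_changed + timedelta(days=months * days_per_month)
    if today >= due:
        age = (today - last_changed).days
        return {"prompt": True, "required": False,
                "message": f"Your password is {age} days old; "
                           f"consider changing it (optional)."}
    return {"prompt": False, "required": False, "message": ""}


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    history = ["tiger42"]
    for attempt in ["abc", "tiger43", "maple7river"]:
        ok, hints = check_password(attempt, previous=history)
        print(f"{attempt!r}: {'ok' if ok else 'hints -> ' + '; '.join(hints)}")
    print(rotation_prompt(date(2006, 10, 1), date(2007, 3, 14)))
```

The checker never refuses a password outright for any single rule; it hands the hints back to the UI so they can be shown beside the field while the user types, which is the "real-time help tip" behaviour rule 4 describes.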


1 comment:

Vallar said...

This is a very useful blog.
Please also visit . This contains useful information for all.
