The global and independent platform for the SAP community.

Password security - A lost cause?

Hardly any security technology has accompanied us as long as the password. Over the decades, there have always been optimizations, but the basic principle has remained the same.
Raimund Genes, Trend Micro
October 1, 2016
it security header
avatar
This text has been automatically translated from German to English.

Common to all optimizations is the desire for greater safety.

At the latest with the advent of modern password crackers, it is possible to estimate very accurately how long it will take to break a password using brute force for a given password length and a fixed character set.

The idea is simple: the more complex and longer the password, the longer it takes - and the more secure the password. That's the conventional wisdom...

Unfortunately, the problem is not quite so one-dimensional. Meanwhile, several factors play a very significant role in password security.

Good?

In the meantime, a trend toward more lax password guidelines can be observed. Less in terms of password length, more in terms of the required character set.

While some dismiss this as "less security-savvy," I see something different here: After all, entering passwords with special characters on a mobile device is time-consuming. So you only ask for characters that are easy to reach on the standard smartphone keyboard.

This decision then makes more sense when you consider the situation in help desks.

Passwords that are difficult to enter on a mobile device create a massive increase in user support efforts. To counteract this, policies are sometimes relaxed...

Too well-intentioned?

Research into efficient password cracking is very advanced.

Research on the step before that - the question of how we humans "think up" passwords - has only recently begun to surface.

A recent study by the University of North Carolina concludes that changing passwords too often and being too strict is more likely to harm security than help it.

This is because users tend to continue using the "old" password with simple modifications - and, for example, only change the upper/lower case or append additional characters.

Against this background, researchers have now developed procedures that try out many frequent modifications on an existing basic password and thus achieve their goal much faster.

Good enough?

In many security training courses, it is drilled into users to use different passwords for different accesses and to separate private and business matters.

But man is a creature of habit, reality looks different.

It must be assumed that many also use the same or similar passwords for their private accounts. This suddenly makes the hack of a third-party provider or supplier relevant - especially if passwords are stolen in plain text.

This gives attackers a large base of basic passwords at their fingertips, which they can simply try out with modifications against the company's access.

All's well that ends well?

The example of passwords shows that security is not a one-dimensional technical process. Technical decisions have a direct influence on other dimensions, on people and processes.

A decision that makes the system safer from a technical point of view may have a massive impact on other dimensions, so that the safety of the overall system may suffer.

Do you really need the maximum-security-with-special-character password for all services, or isn't authentication appropriate to the level of confidentiality also "good enough"?

Or, on the other hand, doesn't tinkering with the password simply address the symptom? In certain cases, authentication via two-factor or biometrics might make sense.

Deciding how to protect which accesses depends on people, services, processes, and technical capabilities.

And this decision must ultimately be made after a risk assessment and evaluation that takes into account more than just the technical dimension.

There is no general right or wrong here - decisions must always be seen in the context of the intended use and the willingness to take risks. And this applies to passwords just as much as to other techniques and processes in IT security.

https://e3mag.com/partners/trend-micro-deutschland-gmbh/

avatar
Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.