
Password security - A lost cause?

Hardly any security technology has accompanied us as long as the password. Over the decades, there have always been optimizations, but the basic principle has remained the same.
Raimund Genes, Trend Micro
October 1, 2016
This text has been automatically translated from German to English.

Common to all of these optimizations is the desire for greater security.

Since the advent of modern password crackers at the latest, it has been possible to estimate very accurately how long a brute-force attack will take to break a password of a given length drawn from a fixed character set.

The idea is simple: the more complex and longer the password, the longer it takes - and the more secure the password. That's the conventional wisdom...

Unfortunately, the problem is not quite so one-dimensional. Today, several other factors play a very significant role in password security.

Good?

In the meantime, a trend toward more lax password guidelines can be observed. Less in terms of password length, more in terms of the required character set.

While some dismiss this as "less security-savvy," I see something different here: entering passwords with special characters on a mobile device is time-consuming, so the policy only asks for characters that are easy to reach on the standard smartphone keyboard.

This decision then makes more sense when you consider the situation in help desks.

Passwords that are difficult to enter on a mobile device create a massive increase in user support efforts. To counteract this, policies are sometimes relaxed...

Too well-intentioned?

Research into efficient password cracking is very advanced.

Research on the step before that - the question of how we humans "think up" passwords - has only recently begun to surface.

A recent study by the University of North Carolina concludes that changing passwords too often and being too strict is more likely to harm security than help it.

This is because users tend to continue using the "old" password with simple modifications - and, for example, only change the upper/lower case or append additional characters.

Against this background, researchers have now developed procedures that try out many frequent modifications on an existing basic password and thus achieve their goal much faster.

Good enough?

In many security training courses, it is drilled into users to use different passwords for different accesses and to separate private and business matters.

But people are creatures of habit, and reality looks different.

It must be assumed that many also use the same or similar passwords for their private accounts. This suddenly makes a breach at a third-party provider or supplier relevant to the company, especially if the passwords were stolen in plain text.

This gives attackers a large base of starting passwords, which they can simply try out, with the usual modifications, against the company's accounts.
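The two defensive consequences of the points above (mutation of an old password, and reuse of a breached base password) can be checked at password-change time. The following is an added example, not code from the article or from Trend Micro; the substitution table, the normalization rules and the breached-password sample are constructed assumptions for illustration.

```python
import re

# Constructed sample standing in for a corpus of breached passwords (not real data).
BREACHED_SAMPLE = {"password", "Summer2016", "qwerty123", "letmein"}

# Common one-character substitutions users apply when "modifying" a password (assumed set).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})
MIN_BASE = 4  # shorter bases are too generic for a substring comparison


def normalize_base(password: str) -> str:
    """Undo the cheap modifications the article describes: case changes,
    prepended/appended digits or symbols, and leet-style substitutions."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # "Summer2016!" -> "summer"
    base = base.translate(LEET_MAP)                  # "p@ssw0rd"    -> "password"
    return base or password.lower()                  # all-digit passwords keep their value


def too_similar(old: str, new: str) -> bool:
    """True when the new password is just a mutation (or extension) of the old one."""
    ob, nb = normalize_base(old), normalize_base(new)
    if ob == nb:
        return True
    short, long_ = sorted((ob, nb), key=len)
    return len(short) >= MIN_BASE and short in long_


def base_in_breach_list(new: str, breached: set) -> bool:
    """True when the new password's base is a (mutated) breached password."""
    return normalize_base(new) in {normalize_base(p) for p in breached}


def check_new_password(old: str, new: str, breached: set) -> list:
    """Policy check at password change; returns the reasons for rejection (empty = accept)."""
    reasons = []
    if too_similar(old, new):
        reasons.append("similar-to-previous")
    if base_in_breach_list(new, breached):
        reasons.append("base-in-breach-corpus")
    return reasons


if __name__ == "__main__":
    print(check_new_password("Summer2016!", "Summer2017#", BREACHED_SAMPLE))
    print(check_new_password("Summer2016!", "correct horse battery", BREACHED_SAMPLE))
```

Such a check complements, rather than replaces, a bcrypt/Argon2-style slow hash on the stored credential; it only reduces the chance that a leaked or retired password leads straight to the new one.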

All's well that ends well?

The example of passwords shows that security is not a one-dimensional technical process. Technical decisions have a direct influence on other dimensions, on people and processes.

A decision that makes the system more secure from a technical point of view may have a massive impact on the other dimensions, so that the security of the overall system suffers.

Do you really need the maximum-security-with-special-character password for all services, or isn't authentication appropriate to the level of confidentiality also "good enough"?

Or, looked at the other way, doesn't tinkering with the password merely address a symptom? In certain cases, two-factor authentication or biometrics might make more sense.

Deciding how to protect which accesses depends on people, services, processes, and technical capabilities.

And this decision must ultimately be made after a risk assessment and evaluation that takes into account more than just the technical dimension.

There is no general right or wrong here - decisions must always be seen in the context of the intended use and the willingness to take risks. And this applies to passwords just as much as to other techniques and processes in IT security.


Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.

