Tuesday, April 3, 2007

Passwords Part 1/3 - Defending the IT Guys

Passwords. Ugh! If you are at all like most people I talk to, you don't like passwords. Actually, most of us security guys don't like them all that much either.

In "Passwords Part 1/3" we are going to cover the basics. We will explore what a password is and why these IT guys are always on your case about them.

"Passwords Part 2/3" will dig into some detail about what a "strong" password is and detail some tips to help you to come up with your own.

Finally, in "Passwords Part 3/3" we'll outline some tips and tools to help you keep track of all your passwords. None of these tips or tools will include a pen, a piece of paper, or the underside of a keyboard!

So, let's get this ball rolling. Do you ever wonder why IT guys are such sticklers about passwords or why they have to make things so dag nab hard for you? In order to understand where the geeks are coming from you need to know a little bit about "identification" and "authentication". I won't go into a lot of detail on these two terms, but I will give you a general sense of what they mean.

Identification is what you present to a system to profess your identity. It tells the system who you are. Many times identification takes the form of a username or userid. Typically usernames are not secret. If my name is Bill Smith and my username is "bsmith", and your name is John Doe on the same system, I can make an educated guess that your username is "jdoe". Identification is important in order to define what it is that you can do in the system, called rights or privileges. Some people get to do more with a system, file, directory, etc. than others.

Authentication is what you present to a system to prove your identity. Anybody can say that they are me, but who can prove it? There are a variety of methods of proving your identity, but for the purpose of this writing we are talking about passwords. Once I have presented my credentials (identity + password) successfully to the system, then I am "authenticated" and I am given my assigned access to the system.

If I have a password that nobody else knows, does this not prove my identity (at least theoretically)? What if someone else DOES know my password? Proof is gone. Someone else can impersonate me and do what only I should be able to do. Protecting the confidentiality of passwords is paramount IF it is your method of authentication to a system. The IT guys don't care what your password is; they want to make sure that confidentiality is maintained. Period.
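To make the identification/authentication split concrete, here is an added Python example (not from the original post) of a tiny login check: the username only selects which record and which rights are in play, while the password is what proves the claim, so anyone who presents the right password for "bsmith" gets bsmith's rights. The usernames, passwords and rights are constructed sample values, and storing passwords as salted PBKDF2 hashes is my choice for the example, not something the post prescribes.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the store never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(store: dict, username: str, password: str, rights: set) -> None:
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "rights": frozenset(rights),  # what this identity may do once proven
    }


def identify(store: dict, username: str):
    """Identification: who the caller claims to be. Not secret, not proof."""
    return store.get(username)


def authenticate(store: dict, username: str, password: str):
    """Authentication: prove the claim. Returns the granted rights, or None."""
    record = identify(store, username)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal
        # whether the username exists (usernames are guessable anyway).
        _hash_password(password, os.urandom(16))
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["rights"]


def demo() -> dict:
    """Constructed users: bsmith is an admin, jdoe can only read."""
    store = {}
    create_user(store, "bsmith", "correct horse battery staple", {"read", "write", "admin"})
    create_user(store, "jdoe", "jdoe-sample-password", {"read"})
    return {
        "jdoe_is_known": identify(store, "jdoe") is not None,
        "bsmith_right_pw": authenticate(store, "bsmith", "correct horse battery staple"),
        "bsmith_wrong_pw": authenticate(store, "bsmith", "guess"),
        "jdoe_with_bsmith_pw": authenticate(store, "jdoe", "correct horse battery staple"),
    }
```

The system cannot tell Bill from anyone else who types Bill's password, which is exactly why the confidentiality of that one secret matters.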

Maintaining the confidentiality of passwords means that they must be strong (Part 2/3) and stored securely (Part 3/3).

Check back tomorrow as we continue...
