Is Security That Complicated?

by Colin Berkshire

Colin here. I recently had to set up an account with a US Government web site. I had a dickens of a time picking a password. They had amazing rules:

  • The first character needed to be a number.
  • The password had to have at least 7 characters, but no more than 12.
  • Only lower-case letters could be used.
  • One special character had to be included, but only one, and it had to be the last character.

Pretty crazy rules, right?

But the real kicker was that the password needed to be changed every 60 days. And, this is a website that one would normally only access once a month. So here we have a password that cannot possibly be remembered and that needs to be changed very often. To the government agency this seemed like very good security.

I have done a lot of work with securing systems and I know that “social engineering” is usually more important than technology when it comes to hacking systems.

Here is the problem with this site’s thinking:

Because the password is incredibly convoluted, people simply must write it down. Thus, the password is likely to end up on a post-it right next to the computer, or be entered in plain text into a Contact on a cell phone. This means that the password is incredibly vulnerable. These complicated rules simply do not enhance security.

I am amazed by some IT people who don’t really understand security. They think that complication equals security. It does not.

A common concern with PIN codes is that people will re-use the same code everywhere. Indeed, the facts bear this out. PIN codes 1234, 1111, and a birth year are the most popular. Likely, at least some of you are guilty of this. So how does one have a secure PIN code without re-using the same code everywhere?

Here is a simple solution I have used for years:

On an ATM, start with the last 8 digits. Add together the first two digits (e.g., 4 + 6) and then keep the last digit of the result. This is the first digit of the PIN. Add together the next two digits, and this is the second digit of the PIN. Follow this pattern for all 4 digits in the PIN.

The result is that you have a PIN number that is almost random, obscure, and is unique to every card. No two of your cards have the same PIN number. After a few uses you will probably remember the PIN for the card, and if not, the hint is sitting right on the card. A hacker is not likely to hack this.

For a web site create some mathematical formula from the URL itself.

Security can be simple. But you have to have some common sense.

Systems that excessively require that you change your password just invite writing the passwords down on post-its. When a certain position in a password must be a certain set of characters you have made it simpler for a brute-force hacker.
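To put a number on that last point, here is an added example (not part of the original post) that counts how many passwords the four rules listed above allow, compared with the same lengths when any printable character may appear anywhere. It assumes the site accepts the 32 ASCII punctuation characters as "special", allows digits as well as lower-case letters in the middle positions, and uses 94 printable ASCII characters as the unrestricted baseline.

```python
import math
import string
from itertools import product

DIGITS = string.digits
MIDDLE = string.ascii_lowercase + string.digits   # assumption: digits allowed mid-password
SPECIALS = string.punctuation                     # assumption: 32 ASCII specials accepted
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def meets_policy(pw, min_len=7, max_len=12):
    """True if pw satisfies the four rules listed in the post."""
    return (2 <= min_len <= len(pw) <= max_len       # rule 2: 7 to 12 characters
            and pw[0] in DIGITS                      # rule 1: starts with a number
            and pw[-1] in SPECIALS                   # rule 4: one special, and it is last
            and all(c in MIDDLE for c in pw[1:-1]))  # rule 3: no upper case, no extra specials

def policy_keyspace(min_len=7, max_len=12):
    """Closed-form count of the passwords the policy allows."""
    return sum(len(DIGITS) * len(MIDDLE) ** (n - 2) * len(SPECIALS)
               for n in range(min_len, max_len + 1))

def free_keyspace(min_len=7, max_len=12):
    """Count when any printable ASCII character may fill every position."""
    return sum(len(PRINTABLE) ** n for n in range(min_len, max_len + 1))

def count_by_enumeration(length):
    """Exhaustively count valid passwords of one short length, to check the formula."""
    return sum(meets_policy("".join(t), length, length)
               for t in product(PRINTABLE, repeat=length))

def bits(count):
    """Size of a search space expressed in bits."""
    return math.log2(count)

if __name__ == "__main__":
    # Sanity check: the validator and the closed form agree on 3-character strings.
    assert count_by_enumeration(3) == policy_keyspace(3, 3)
    p, f = policy_keyspace(), free_keyspace()
    print(f"policy rules: {p:.3e} passwords, {bits(p):.1f} bits")
    print(f"unrestricted: {f:.3e} passwords, {bits(f):.1f} bits")
    print(f"the rules remove {bits(f) - bits(p):.1f} bits of search space")
```

Fixing the first and last positions and banning upper case is what shrinks the space; the 12-character cap limits it further in both columns.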

Personally, I would love to see a USB dongle that we all carry around and that we plug into a computer to log in. When I travel all of my sensitive data is on such a dongle. It has a numeric keypad on it. I enter the 8-digit password and the dongle unlocks. Four incorrect attempts and the dongle erases. That’s pretty cool.

Why don’t we get security?