Luke Janssen

Jumping off stuff

Archive for May, 2009

Security best practice is making things less secure

When I worked at KPMG, I used to do IT general controls reviews (pretty much the entry level for companies that wanted to use our department – Information Risk Management). Basically we would review the general IT control environment and then give feedback on how to make it stronger.

There was a passwords section for which we said:

  • make sure passwords are over 6 characters in length
  • make sure passwords have numbers as well as letters
  • make sure passwords are changed every 60 days

Well that is all BULLSHIT!… I am so sick of logging into a website where you share pictures of your dog only to be told during the sign-up process “your password needs to have 6 characters in it”. WHY? Just in case someone hacks my account and maliciously sends out pictures of someone else’s dog?

Remembering all the passwords is so hard for anyone to do that you end up writing them down. Same with bank account PINs. I have them in my phone. In short, the security is weakened by best practice for strengthening it. Apart from writing it down, people use the same password for their dog sharing site as well as their banks.

Something needs to be done, but what?

  • Don’t require passwords for stuff that no one gives a shit about, like dog sharing. Or allow weak ones. Don’t force people to change them.
  • People can do a few things: a) have lower level security passwords for dog sharing, and higher for banks, or b) derive the password from the name of the site you are signing in to.
  • Work out biometrics. It has to work. Eyes, fingers, face recognition… it’s not that hard, surely.
  • Use your mobile phone as an RFID device with your digital signature on it, and one 4 to 8 digit code that you put in.

Anyway that is enough of the rant, I’m off home to Brooklyn to eat!
