User authentication for access control systems is usually accomplished with a username and password combination or a PIN code. Because the same secret is presented at every login, these are referred to as reusable passwords in security jargon. The mechanism has been in use for many years and will probably continue for many years to come. Alternatives to reusable passwords are discussed later in this chapter and in other chapters of this book, because the mechanism has not kept pace with the new features, tools, and attack techniques that have appeared in the computing industry.
The list of disadvantages and weaknesses of reusable passwords is long. Surveys of user behavior consistently show that many users pick weak passwords. Experience also tells us that users readily violate the rules defined in the password security policy; for instance, employees share passwords with colleagues for various reasons. Many passwords do not conform to the password security policy at all. Typical violations include the following:
Users select obvious passwords.
Password length requirements are violated.
Password lifetime requirements are violated.
Character-class requirements are violated (uppercase, lowercase, numbers, punctuation).
The fact that a password or PIN code can be used more than once is an inherent weakness: anyone who observes or captures the secret once can replay it indefinitely. This cannot be solved without considering new technologies.
A few enhancements can be used to improve the security of reusable passwords. Developing and implementing standards and policies can result in a better understanding and awareness of the weaknesses inherent in reusable passwords. There has been a recent increase in commercially available alternative authentication mechanisms such as challenge/response and time-synchronized mechanisms, tokens, and biometrics.
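To make the replay weakness concrete, the following is an added example, not code from this book: it contrasts a reusable password (the captured secret logs in again) with a simple HMAC-based challenge/response exchange of the kind mentioned above, where a captured response is useless against the next challenge. The shared secret, the nonce size, and the use of HMAC-SHA256 are assumptions for illustration; real tokens and servers use vendor-specific schemes.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example (assumption: in practice it is
# provisioned into a token or derived at enrolment, never typed by the user).
SHARED_SECRET = b"example-token-seed-0001"
CHALLENGE_BYTES = 16  # assumed nonce size


def issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable nonce for every login attempt."""
    return secrets.token_bytes(CHALLENGE_BYTES)


def compute_response(secret: bytes, challenge: bytes) -> str:
    """Client/token side: HMAC-SHA256 over the challenge.

    Only the response travels over the network; the secret itself does not.
    """
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute and compare in constant time."""
    expected = compute_response(secret, challenge)
    return hmac.compare_digest(expected, response)


def reusable_password_login(stored: str, submitted: str) -> bool:
    """The reusable-password case: the same string works every time."""
    return hmac.compare_digest(stored, submitted)


def replay_demo() -> tuple[bool, bool, bool]:
    """Returns (password replay works, first C/R login works, C/R replay works)."""
    # Reusable password: an eavesdropper who captured it once logs in again.
    captured_password = "hunter2"  # constructed sample
    password_replay_ok = reusable_password_login("hunter2", captured_password)

    # Challenge/response: the eavesdropper captures one (challenge, response) pair.
    challenge_1 = issue_challenge()
    captured_response = compute_response(SHARED_SECRET, challenge_1)
    first_login_ok = verify_response(SHARED_SECRET, challenge_1, captured_response)

    # The next login gets a new challenge, so the captured response is rejected
    # (it would only match if the 128-bit nonce repeated).
    challenge_2 = issue_challenge()
    replay_ok = verify_response(SHARED_SECRET, challenge_2, captured_response)

    return password_replay_ok, first_login_ok, replay_ok


if __name__ == "__main__":
    print(replay_demo())  # (True, True, False)
```

The server must also reject a response for a challenge it did not issue, or issued long ago, which is why challenges are stored per session and expire; that bookkeeping is omitted here.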
The following is a sample password policy giving users of computer systems the minimum criteria a password must meet:
Password length: eight characters or more
Character classes: both upper- and lowercase letters
Characters: a mix of numbers, symbols, and letters
Dictionary check: no dictionary or jargon words
Recurrence: no use of the same character more than twice
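The sample policy above can be enforced mechanically at password-change time. The following checker is an added example, not code from this book: it reports which of the five criteria a candidate password violates. The dictionary is a constructed stand-in for a real wordlist, and the rule that any embedded dictionary word of four or more characters counts as a violation is an assumption about how "no dictionary or jargon words" is interpreted.

```python
import string
from collections import Counter

# Constructed mini wordlist for the example; a deployment would load a real
# dictionary and a site-specific jargon list (product names, hostnames, ...).
DICTIONARY = {"password", "welcome", "admin", "secret", "qwerty", "letmein"}

MIN_LENGTH = 8        # "eight characters or more"
MAX_REPEAT = 2        # "no use of the same character more than twice"
MIN_WORD_LEN = 4      # assumption: shorter dictionary words are not searched for


def check_password(password: str, dictionary=DICTIONARY) -> list[str]:
    """Return the policy criteria the password violates (empty list = compliant)."""
    violations = []

    # Password length
    if len(password) < MIN_LENGTH:
        violations.append("length")

    # Character classes: both upper- and lowercase letters
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("case")

    # Characters: a mix of numbers, symbols, and letters
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        violations.append("mix")

    # Dictionary check: the whole password, or any embedded word of
    # MIN_WORD_LEN or more characters, is a dictionary/jargon word.
    lowered = password.lower()
    if lowered in dictionary or any(
        len(word) >= MIN_WORD_LEN and word in lowered for word in dictionary
    ):
        violations.append("dictionary")

    # Recurrence: no character may appear more than MAX_REPEAT times
    if any(count > MAX_REPEAT for count in Counter(password).values()):
        violations.append("recurrence")

    return violations


def is_compliant(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["password", "Secret#1", "Mississippi1!", "Tr0ub4d&r!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note the limit of a plain substring dictionary check: "Pa55w0rd!" passes every rule above because the leet-speak substitutions hide the word. A production checker normalizes common substitutions (0 for o, 5 for s, @ for a) before the lookup, or better, tests candidates against the same cracking dictionaries an attacker would use.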
More details on password policies and network security policies can be found in Chapter 5.