The Basics of Security

In any environment, the security system is only as strong as its weakest link. Why would you have a state-of-the-art firewall if you just left the root admin password at its default? Why would you lock down your network shares, only to share out account passwords? Why would you require an incredibly complex password, just to write it down so you can remember it? You can create layers and layers of security, but in an IT environment, at the end of the day, everything starts with a password. And that’s what we’re focusing on.

Enter: The Gateway

A password has repeatedly been shown to be the weakest form of protection in this day and age, but unfortunately an easy replacement hasn’t been found, so we are stuck with it. It is the gateway to everything we do. We use it to get to our online banking, we use it to access our email, we use it to access our phones, our pictures, our videos, everything in our life.

A Security Facade

I bet you think your password Xe4%$!@ is secure? Well, you’re half right. It’s definitely more secure than Password1, or Temp123, or your son’s last name and his date of birth. But let’s say for a second that you come in as an IT admin and require EVERYONE’S password to contain at least 2 special characters, 2 numbers, and both upper- and lowercase letters. How many people do you think can remember that, or care enough to remember it? My bet is not many. So they write it down. So what’s the point of your complex password requirement again?

The King of Complexity

WhatIfIToldYouThisIsBetterThan Xe4%$!@? Sorry, in case you couldn’t tell, that’s a password. Length reigns supreme in password strength, and added length doesn’t really make a password harder to remember. What’s easier to remember? IRememberThis or Xe4%$!@? You have your answer. Every extra character increases the time it takes to crack a password exponentially. This is where your password policy should focus.

More Facade

And don’t come saying “But we have a maximum of 5 tries before the account locks out!” 99.9% of brute-force attacks are done against an offline SAM (Security Account Manager, the database that contains the accounts and password hashes for a Windows environment). Those will not take your lockout thresholds into account. In fact, lowering the number of failed attempts before an account locks out, forcing more frequent password resets, and increasing password complexity all lead to one thing: people writing down passwords. Don’t take this as me saying don’t have password requirements, of course have them, but there is such a thing as too much.
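To put numbers on the two claims above (length beats character-class complexity, and an offline attack on dumped hashes ignores account lockout), here is an added example that is not part of the original post. It estimates the brute-force search space for the post’s own sample passwords and the worst-case time to exhaust it; the guess rates, the 30-minute lockout window and the four character classes are assumptions for illustration, not figures from the post.

```python
import string

# Character classes an attacker's brute-force mask would have to cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed guess rates (not figures from the post): an offline attack against
# dumped SAM hashes on GPU hardware, versus an online attack throttled by a
# policy of 5 attempts per 30-minute lockout window.
OFFLINE_GUESSES_PER_SEC = 1e10
ONLINE_GUESSES_PER_SEC = 5 / (30 * 60)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an attacker must try to exhaust every length up to len(password)."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_sec: float) -> float:
    """Worst-case time to exhaust the search space at the given guess rate."""
    return search_space(password) / guesses_per_sec


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # The post's own examples: a short "complex" password versus longer passphrases.
    for pw in ("Xe4%$!@", "IRememberThis", "WhatIfIToldYouThisIsBetterThan"):
        print(f"{pw!r}: charset={charset_size(pw)}, length={len(pw)}")
        print(f"  offline (ignores lockout): {describe(seconds_to_exhaust(pw, OFFLINE_GUESSES_PER_SEC))}")
        print(f"  online (5 tries/lockout):  {describe(seconds_to_exhaust(pw, ONLINE_GUESSES_PER_SEC))}")
```

Adding one character to a password multiplies the search space by the alphabet size, which is why the 13-character all-letter passphrase outlasts the 7-character symbol-heavy password by many orders of magnitude under the offline rate, while the lockout-throttled online rate makes even the short password impractical to brute-force.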

But At The End Of The Day…

Hackers will always be ahead of the security experts. This much is a fact; it is an adaptive environment. Also, just another fun fact: quantum computing is becoming much more mainstream, and it throws all aspects of security that we currently know out the window. Encryption that used to take years to crack now takes days. I’ll leave you with that note.