Wednesday, April 11, 2012

Chapter 8 and Password Security Rant

Two big sections of this chapter of the Software Development textbook are about user interface design and software security, respectively.  As I have a sizable amount to say about software security and how it relates to password strength, I'll begin with what constitutes a good user interface.  Why?  Well, because it is good information, everyone has experienced a truly horrible website UI, and someone needs to put the word out there so the healing can begin.  The book lists 9 "principles" of good UI design but I'll only list a small subset of those:

  • Simplicity.  This is probably the most important.  The page should walk a knife's edge balancing just the right amount of information on each page, just enough functionality for simple and intuitive navigation to the other pages, and painless viewing of embedded media.
  • Feedback and Recovery.  What the hell did I just do and how do I get back to where I was?  This should never be a problem.  Each page should clearly indicate what has been done, provide a way to undo what has just happened, and show the way to what can be done next.
  • Security.  Users should only have access to the functionality that they are authorized.  This one is actually pretty obvious, but it needed to be said.  And speaking of security...

The place where I currently intern is very savvy when it comes to data security.  All data on laptops is encrypted and a two-step login is required to gain access to Windows (I know, Linux is uncharted territory there).  First a key is required to get past the BitLocker drive encryption.  Then a network password is needed to access the VPN server.  But here's the thing:  data security is only as good as the people who use it.  And people are sometimes lazy and sloppy.  When working on users' computers I have seen BitLocker keys written on the computer in pencil, passwords on sticky notes all over the vehicle, and LAMINATED cards containing detailed login info tucked into sun visors.  I have had users attempt to give me their passwords over the phone...anyway, enough said about that.  My point here is that data security needs to begin with comprehensive education and training of any employee who is going to have access to the system.  It needs to be a priority and addressed as soon as possible, because even the most rigorous security strategies can be trumped by simple human error.  This brings me to password strength.

'Chicken1' is not a good password.  Changing it to 'Chicken2' does not make it any better.  A good article by Chad Perrin talks about how the idea that a good password should be convenient and memorable needs to be done away with as soon as possible.  He then goes on to say that one way to be secure and still stay sane (try to remember '2%4!G.>_!*5_02' every time you want to transfer money to checking) is to use a good password manager that keeps track of all the various passwords you use.  This is good advice.  By using a password manager you only have to remember one, and the rest are securely stored and encrypted for you.
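To put numbers on the 'Chicken1' versus '2%4!G.>_!*5_02' comparison, here is an added Python example (my own illustration, not from the textbook or Perrin's article).  It contrasts the charset-based "entropy" most strength meters report with a guess count for the word-plus-digits pattern an attacker actually tries, and flags the 'Chicken1' to 'Chicken2' change as a trivial increment.  The five-word `COMMON_WORDS` list is a constructed stand-in for a real cracking dictionary.

```python
import math
import re
import string

# Constructed stand-in for a cracking wordlist; real ones hold 10^5+ entries.
COMMON_WORDS = {"chicken", "password", "welcome", "dragon", "monkey"}


def naive_entropy_bits(pw: str) -> float:
    """Charset estimate (length * log2(alphabet)) that most strength meters report."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def pattern_guesses(pw: str):
    """Guesses needed for the 'word + digits' pattern: wordlist x capitalisation x suffix.
    Returns None when the password does not fit that pattern."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if not m or m.group(1).lower() not in COMMON_WORDS:
        return None
    capitalisations = 2  # all-lower and Capitalised cover most real choices
    return len(COMMON_WORDS) * capitalisations * 10 ** len(m.group(2))


def _stem(pw: str) -> str:
    """Password with any trailing digits removed."""
    return re.sub(r"\d+$", "", pw)


def is_trivial_increment(old: str, new: str) -> bool:
    """True for 'Chicken1' -> 'Chicken2': identical stem, only trailing digits changed."""
    return old != new and _stem(old) != "" and _stem(old) == _stem(new)


def effective_bits(pw: str) -> float:
    """The lower of the naive estimate and the pattern-based estimate, in bits."""
    guesses = pattern_guesses(pw)
    naive = naive_entropy_bits(pw)
    return min(naive, math.log2(guesses)) if guesses else naive


if __name__ == "__main__":
    for pw in ("Chicken1", "Chicken2", "2%4!G.>_!*5_02"):
        print(f"{pw:16} naive={naive_entropy_bits(pw):5.1f} bits  effective={effective_bits(pw):5.1f} bits")
    print("Chicken1 -> Chicken2 trivial increment:", is_trivial_increment("Chicken1", "Chicken2"))
```

Against even this tiny dictionary 'Chicken1' drops from about 48 "meter" bits to under 7 effective bits, and 'Chicken2' scores identically, which is the point of the paragraph above.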
