Two-factor authentication might be a great way to bolster log-in processes across the enterprise and even on the Web, but when it comes down to it, the typical authentication process using something someone knows--typically a password--isn't going anywhere anytime soon. Nevertheless, some security professionals wonder whether it is time that the industry take stock: They think organizations should at least consider replacing these difficult-to-remember, difficult-to-secure jumble of alphanumeric characters with more memorable and secure passphrases.
Sure, passphrases are not as secure as a token or some other two-factor authentication method, but they're more secure than "12345" and much easier to remember than some strange concoction like "b4x87g-m."
While it might be tempting to blame end users for coming up with crummy passwords, Nick Selby, a Texas police officer and managing director of enterprise security consultancy TRM Partners, believes the problem is not because users are too dumb to absorb security training, but because security practices put them in an impossible situation.
"What can't be trained is demanding that people use something which is impossible to remember--and then demanding that they remember that. And attendant with that is not writing it down. You can't remember it, and you can't write it down," Selby said. "Is that a user issue? I don't think so."
His argument is that passphrases, such as a sentence from a favorite book--are easier to remember and harder to crack than most passwords today, even without special characters. Many within the industry back him.
Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)
