SAN FRANCISCO — Look around your computer. Chances are good there’s a yellow sticky note somewhere with a password on it, especially if it’s a long, complex password with numbers and letters and maybe symbols — the kind that’s typically assumed to be harder to crack or guess.
But that sticky note represents a greater risk to your company than the code-cracking attack that the long passwords are designed to defeat in the first place, said Dan Houser, principal architect for security at Huntington National Bank.
“The longer, more complex you make a password, the more likely it is the user will write it down,” he said to an audience of information security professionals at the RSA Conference here.
A password breach is more likely to occur through disclosure, with someone looking at the sticky note or ‘shoulder surfing’ as the user enters the password, than through code cracking, he said.
Therein lies the rub.
He said 10 percent of users will write down their passwords no matter what.
“That doesn’t mean they’re sticking them on their forehead. They might be actually putting them in a locked file cabinet, but 10 percent of them are probably violating policy at any given moment and writing down their passwords,” he said.
Another 45 percent never write them down. And the remaining 45 percent are more likely to write them down as they grow in complexity.
“Controls to prevent password cracking and guessing have an inverse relationship [to] disclosure, which is why there’s a problem here,” he said. “It’s in the wet ware” — as in software, hardware and you, the wet ware.
Houser’s solution: simple, six-character passwords that the user can remember without writing down. He suggests acronyms instead of common words or sports teams that can be quickly found by dictionary programs.
Still, would-be password thieves lurk in every corner.
In a keynote speech yesterday, RSA executive Art Coviello complimented Bill Gates for his performance in leading the industry on this issue during a nationally televised interview last week.
Coviello showed a clip from Gates’ appearance on “The Daily Show with Jon Stewart” in which Stewart asked Gates point-blank for his password.
“You don’t have to answer that,” Stewart said. “Is it Gates?”
Then he snooped some more.
“Do you have pets? … Did you ever have a pet when you were young? … What was the pet’s name?”