Strong passwords are essential to computer security and the protection of your information. The use of password tokens can help resolve the problem of trying to remember numerous long, random passwords.
For passwords to be effective (especially when exposed to the Internet) they need to be at least 10 characters long, a mix of numbers and letters (symbols are good, too), and randomly generated. You may need a number of these passwords in order to access various parts of your technology system. At one community bank, a whopping 15 passwords were required for an employee to interact with the system. Needless to say, password security was an issue at this bank.
Few of us have single sign-on systems. So it is quite difficult to remember all the various required passwords. Writing down passwords is not a good option. That piece of paper can end up being the keys to your company. And for passwords to be effective, it is important that they cannot be easily guessed. We all know that we need long, complex passwords to resist password crackers. This means you can’t use dictionary words or references to your life in the password.
One solution to good password security is to use what computer security experts call two-factor authentication. This means you always use two different factors to access your computer: something you know and something you have. This could be one complex password and a token that can be thought of as similar to a key.
These password tokens come in two main flavors. One is a USB device that holds your other passwords encrypted on the device. You enter your one complex password (which is still hard to remember) to access all the other passwords on the token. Pass2Go, TrueCrypt, Imation Nano, BesToken, and many others manufacture these devices. However, you need to be able to plug them into a computer to use them, and many companies prohibit employees from plugging in USB drives because they can be infected with viruses.
The second type of password token has a display on the token, so you never have to plug it into a computer to access the password. Entrust, Cryptocard, Mandylion, and others manufacture these types of tokens. Many of these tokens use one-time passwords and require significant infrastructure support to be effective. An exception to the infrastructure issue is the Mandylion system. The Mandylion token has a display that shows your list of passwords only after you enter a complex password to access it.
The trick to the system is that your complex password consists of pushing four keys in sequence. Because you are combining mental and physical memory, it is, in a sense, much easier to remember a series of keystrokes than a long password. The token will then display a list of passwords. It will also destroy the internal list if you make too many mistakes entering the keystrokes. It can be managed from an administrator station, and lists of passwords can be downloaded from a central datastore.
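As an added illustration (not code from the column or from any vendor named in it), the following Python model captures the two behaviours described above: a short keystroke sequence gates a stored password list, and too many wrong sequences wipe the list. It also generates passwords that meet the minimum policy stated earlier (at least 10 characters, letters and digits, randomly generated). The key names, the three-failure limit and the PBKDF2 verifier are assumptions made for the example.

```python
"""Model of a display-type password token: a keystroke sequence unlocks a
stored password list, and repeated wrong sequences destroy the list."""
import hashlib
import hmac
import secrets
import string

POLICY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def meets_policy(pw: str) -> bool:
    """At least 10 characters containing both letters and digits."""
    return (len(pw) >= 10 and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def generate_password(length: int = 12) -> str:
    """Randomly generated password that satisfies meets_policy()."""
    while True:
        pw = "".join(secrets.choice(POLICY_ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


class PasswordToken:
    MAX_FAILURES = 3  # assumed threshold; the real device's limit is not stated

    def __init__(self, unlock_sequence, passwords):
        # unlock_sequence: tuple of key names, e.g. ("up", "left", "ok", "down")
        # (constructed for this example); passwords: {account: password}
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(unlock_sequence)  # never store the sequence
        self._passwords = dict(passwords)
        self._failures = 0

    def _derive(self, sequence) -> bytes:
        material = "|".join(sequence).encode()
        return hashlib.pbkdf2_hmac("sha256", material, self._salt, 100_000)

    def unlock(self, sequence):
        """Return a copy of the list on a correct sequence, else None.
        After MAX_FAILURES consecutive wrong sequences the list is destroyed."""
        if self._passwords is None:
            return None  # already wiped; nothing left to show
        if hmac.compare_digest(self._derive(sequence), self._verifier):
            self._failures = 0
            return dict(self._passwords)
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._passwords = None  # self-destruct, as the column describes
        return None

    @property
    def wiped(self) -> bool:
        return self._passwords is None
```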
John C. Shovic is a partner in Coeur d’Alene, Idaho–based MiloCreek Consulting.