Monday, September 6, 2010

"A Strong Password Isn’t the Strongest Security"

This article from the New York Times (September 4, 2010) points out that strong passwords, on their own, are useless against keylogging software (the kind that captures your keystrokes and sends them to a bad guy somewhere who then has your username and password, no matter how strong). Cormac Herley, a Microsoft security expert, is quoted as saying, "Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords."

Furthermore, requiring strong passwords encourages users to write them down, usually in places they can easily be found. So much for security.

What I find most interesting about this article, though, is the emphasis on the responsibility of system administrators for security. All the rules for strong passwords shift an unreasonable, and possibly counter-productive, burden onto end users, who might be able to guard against keyloggers, but certainly not as well as sysadmins. As Mr. Herley says, "It is not users who need to be better educated on the risks of various attacks, but the security community. ... Security advice simply offers a bad cost-benefit tradeoff to users."

We're all in this together, to be sure, but let's delegate responsibility appropriately.

Ken Pimple, PAIT Project Director
