
When flimsy cyber defense fails, encryption triumphs.
~ Dovell Bonnett, CEO of Access Smart
Asymmetric ciphers are unique because instead of one Key, there are two: a Public Key and a Private Key. These two Keys are mathematically tied together so you can use one Key to encrypt and only its sister Key to decrypt. Different security needs dictate which Key is appropriate for encrypting and which for decrypting. Asymmetric ciphers create options that no other cipher can.

Passwords and Symmetric Secret Keys are virtually identical in that they rely on the sharing of a secret. In order to keep symmetric ciphers secure, engineers have utilized many security techniques — all of which passwords can also utilize. The main difference between these two secrets is that employees do not generate or manage Keys. So, why should they generate and manage passwords?
By transferring many of the same security practices found in Secret Key operations to password management, you begin building the foundation of a Password Authentication Infrastructure (PAI).
Here is how you can adopt the elements that make…

“I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.” ~ Kevin Mitnick
In the last article “You Encrypt to Stop Governments, Not Your Kid Sister” I discussed one-way encryption used to create message integrity. Now, it’s time to talk about authorization. Authorization is accomplished using one of the oldest and simplest of encryptions — Symmetric.
‘Encryption’ and ‘cipher’ are just fancy terms used to describe…

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.
~ Bruce Schneier, American cryptographer
Frequently, I hear security experts comparing password security to other computer authentication solutions like Digital Certificates and Public Key Infrastructure (PKI). Many of these comparisons are misguided, and even wrong. My main dispute is that they are comparing one of the factors of authentication (knowledge) to an entire authentication infrastructure that is made up of hardware, software, third-party verifications, and policies. …

I admit, the last Principle, “Damn it, we’ve got to blame someone!” was a little heavy. Having been in the password authentication business for a very long time, I’ve seen both good and really bad ways employees manage their passwords. Maybe you have also been guilty of implementing one or more of these tactics. These examples should drive the point home. Following are some of my favorite stories about password security I’ve seen over the years.
One of the most common practices to manage secure passwords is to use a word processor document or Excel spreadsheet file titled “My Passwords.”…

Federal and state data privacy regulations place expensive fines and even incarceration on companies and their executives that fall victim to a data breach. While every company needs to implement network security and cannot be negligent in protecting its customers’ personal data, are businesses that utilize commercially available network products really 100% liable for a breach?
Every company, institution, and agency today uses computers and networks to operate their business. These same networks rely on third-party products like operating systems, applications, browsers, Internet, email, hardware drivers, and a whole host of other hardware and software products. These products are often…

Network security is only as strong as its weakest link. Ironically, the weak link — the employee — is in charge of login authentication implementation. Companies allow employees to dictate their first line of cybersecurity defense by allowing them to generate and manage company login passwords.
“Vulnerabilities of one system cascade into other systems, the result is a vulnerability that no one saw coming.”
~ Bruce Schneier
Employees tend to create shortcuts and workarounds that include using the same password in multiple places, writing them down, or trying to come up with something easy to remember and type.
The combination…

Many authentication technology pundits like to post articles about killing passwords. They bloviate on how passwords need to be replaced by a different factor of authentication, and on why other factors of authentication are more secure than passwords. To this, I say, “Bull!”
Authentication factors don’t govern security; it’s the authentication infrastructure that determines security. If the infrastructure is flawed, you can’t trust the authentication. If credentials have no anti-cloning, forgery occurs. If fingerprint biometrics can’t distinguish a live from a fake finger, false verification occurs. If password management is insecure, the virtual front door is unlocked.
Most credential and biometric…

The media has confused hackers and crackers. Not all hackers are crackers, but all crackers are hackers.
A hacker (also called a White Hat hacker) is someone who is able to analyze, take apart, and then re-assemble a device or code to make it do something it was never intended to do.
A cracker (also known as a Black Hat hacker) is an individual with the same skills as a hacker, but they use their knowledge to do harm for personal or financial gain. The harm or devastation they do to businesses, governments, and individuals is of no concern to…

Computer user authentication is made up of three parts (called “factors”):
Together, the industry refers to these as “the three factors of authentication.” Each factor has its own unique strengths and weaknesses. No one factor is better than another.
When only one of the three factors is used, it is referred to as Single Factor Authentication (SFA or 1FA). Only requiring a password or a token or a fingerprint is 1FA and is considered weak authentication. That’s because it’s very easy for a hacker to steal and present only one identifier. …
