Why you should care about passwords

09/02/2008
Lately, people have been sending me any number of articles about the importance of passwords, whether it's this bit about making sure your password can't be easily guessed or today's article from Ars Technica about the likelihood that a fired systems administrator will steal your passwords and use them against you maliciously.

Why is this a physical security problem? Obviously, as physical security systems move increasingly onto the network, we've heard lots of talk about how integrators need to work with and sell to the IT department. But maybe there isn't exactly the same moral certitude in the IT department as there might be in the security department. Maybe there is. Either way, it's something that isn't often talked about when we talk about "selling to IT."

That Ars Technica article reports these findings: "The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists."

Of course, IT departments already have vital roles in the protection of data, which can be more valuable than physical assets. But before physical security systems were networked, IT didn't exactly have the power to put people's lives at risk. Now, increasingly, it does. If, out of spite, a fired employee builds a hidden doorway into your access control software on his way out (a spare administrator account, say, or a credential nobody else knows about), that could be very bad indeed. As systems integrators, it's vital that you make management aware of who should be privy to which passwords involved with the security system, and why.
Especially if the head of security comes from a physical background and is particularly reliant on the IT department for help in administering the system, you need to give that person the particulars of what to look for should an IT employee with access to the system be replaced: which accounts that person created or could log in to, which shared passwords he knew, and which of those need to be disabled or changed on his last day. And you should make certain that final access authority resides with the security department and not with the IT department, so that accountability is where it ought to be.

Anyone else have the experience of a supposedly "nice" guy wiping his hard drive clean on the way out the door? If so, you know how important it is to manage employees who've been let go. Emphasize this to your customers and make sure the security system is prepared for vindictive attacks.

Oh, and don't use your cat's name as your password. I would never do that. Rather, I combine the name of my old, dead cat with the name of my all-time favorite prog rock album. That's much more secure.
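To make the "what to look for" concrete, here is an added example (not code from the original post or from any particular access control product) of the audit a security department could run against an export of the access control system's user table on the day an administrator leaves. The account fields, the names in the sample data, the authorized-admin roster and the 30-day review window are all assumptions constructed for this example; real exports will differ in shape, but the checks are the same: is the departed person's own account gone, is every admin account on the signed-off roster, what did the departed admin create or could still log in to, and are there privileged accounts that have never been used.

```python
"""Offboarding audit for an access control system's user database.

Added example, not from the original post. The export format, account
names and roster below are constructed assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed sample export of the access control system's user table.
# Field names are assumptions for this example.
ACCOUNTS = [
    {"user": "jsmith",     "role": "admin",    "created_by": "setup",
     "created": date(2006, 3, 1),  "last_login": date(2008, 9, 1)},
    {"user": "svc_backup", "role": "operator", "created_by": "dbrown",
     "created": date(2007, 5, 10), "last_login": date(2008, 8, 30)},
    {"user": "dbrown",     "role": "admin",    "created_by": "jsmith",
     "created": date(2007, 1, 15), "last_login": date(2008, 8, 29)},
    {"user": "maint2",     "role": "admin",    "created_by": "dbrown",
     "created": date(2008, 8, 28), "last_login": None},
    {"user": "guard1",     "role": "viewer",   "created_by": "jsmith",
     "created": date(2008, 2, 2),  "last_login": date(2008, 9, 1)},
]

# The admin roster the security department signed off on (assumed).
AUTHORIZED_ADMINS = {"jsmith"}

# The departure being audited (assumed for the example).
DEPARTED_ADMIN = "dbrown"
DEPARTURE_DATE = date(2008, 9, 2)

PRIVILEGED_ROLES = ("admin", "operator")


def audit_departure(accounts, departed_user, departure_date,
                    authorized_admins, window_days=30):
    """Return (account, reason) findings to review after an admin leaves.

    Every finding is an action item for the security department, not IT:
    disable, remove, or rotate the credential, then sign off on the roster.
    """
    findings = []
    window_start = departure_date - timedelta(days=window_days)

    for acct in accounts:
        name = acct["user"]

        # 1. The departed person's own login must be gone.
        if name == departed_user:
            findings.append((name, "departed user's account still exists; disable it"))
            continue

        # 2. Any admin account not on the signed-off roster is unexplained.
        if acct["role"] == "admin" and name not in authorized_admins:
            findings.append((name, "admin account not on the authorized roster"))

        # 3. Accounts the departed admin created. Recent ones are the classic
        #    "hidden doorway"; older privileged ones still carry a credential
        #    he may know, so rotate it.
        if acct["created_by"] == departed_user:
            if acct["created"] >= window_start:
                findings.append((name, f"created by {departed_user} within "
                                       f"{window_days} days of departure"))
            elif acct["role"] in PRIVILEGED_ROLES:
                findings.append((name, f"privileged account created by "
                                       f"{departed_user}; rotate its credential"))

        # 4. An admin account that has never logged in is either unused
        #    (remove it) or waiting to be used later (investigate it).
        if acct["role"] == "admin" and acct["last_login"] is None:
            findings.append((name, "admin account that has never logged in"))

    return findings


def run_example():
    """Run the audit for the constructed departure above."""
    return audit_departure(ACCOUNTS, DEPARTED_ADMIN, DEPARTURE_DATE,
                           AUTHORIZED_ADMINS)


if __name__ == "__main__":
    for account, reason in run_example():
        print(f"{account:12s} {reason}")
```

On the constructed data the audit flags dbrown's own still-enabled account, svc_backup (a privileged account he created whose password he knows), and maint2 three times over: an admin account nobody signed off on, created four days before he left, never used. That last one is exactly the "hidden doorway" the post worries about, and it is invisible unless somebody compares the user table against a roster the security department, not IT, owns.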