Why do you have to remember passwords?

I am often amazed how the security industry concludes that passwords must be something the user knows, and that smart cards are the PKI tokens that the user has. Here at Access Smart, I challenge these beliefs with an enterprise password management solution. Why does a person need to know their passwords? All they really want is secure, convenient access to their accounts and data.

Reading through many NIST security documents, I often see them discuss the strength of symmetric (shared) key security over a password. Well, in my world I often argue that passwords are secure; what is insecure is how users manage them. Employees are often the weakest link when discussing security, and it is not just about passwords.

Thieves will dumpster dive because sensitive information was not properly disposed of. Thieves use social engineering to get employees to reveal sensitive information. Hackers love social media for the wealth of information people will spill about themselves. If you take the employees out of the equation, then a password can be just as long, complex and secure as any symmetric encryption key. Plus, it can be changed as often as IT deems necessary.

When a company’s IT department has centralized management of password security, then a password of 20, 50 or even 250 characters is achievable. To reach this level of security, a credential-based enterprise password management solution needs to be deployed.

Access Smart uses smart cards for their overall security capabilities: for example, the ability to protect the data stored in the chip by limiting the number of failed authentication attempts before locking the card. The data stored on the chip is encrypted using AES-256, and the passwords are salted and hashed with SHA-256.
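The two mechanisms the last paragraphs describe, a centrally generated password far longer than anyone would memorize, and a token that salts and hashes its unlock secret and locks itself after too many failed attempts, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Access Smart's code and does not describe its product internals. It assumes a lockout threshold of five attempts and an iterated salted SHA-256 (PBKDF2) rather than a single hash round, both of which are the author of this example's choices; the on-chip AES-256 encryption is out of scope and the stored passwords are kept in plain memory here.

```python
import hashlib
import hmac
import secrets
import string

# Constructed parameters for the example: a card-style retry limit and a
# PBKDF2 iteration count so that guessing the unlock secret offline is slow.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


def generate_password(length=250):
    """Generate a random password of `length` characters from a CSPRNG.

    The user never sees or types this value; the token supplies it.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_secret(secret, salt=None):
    """Return (salt, digest) for `secret` using salted, iterated SHA-256."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialToken:
    """Toy model of a password-holding token.

    Stores only the salted hash of its unlock secret, counts consecutive
    failed unlock attempts, and refuses all further use once the retry
    limit is reached (the equivalent of a card locking itself).
    """

    def __init__(self, unlock_secret, max_failed=MAX_FAILED_ATTEMPTS):
        self.salt, self.digest = hash_secret(unlock_secret)
        self.failed = 0
        self.max_failed = max_failed
        self.locked = False
        self._vault = {}  # account -> password; encrypted at rest on a real chip

    def store(self, account, password):
        self._vault[account] = password

    def remaining_attempts(self):
        return 0 if self.locked else self.max_failed - self.failed

    def unlock(self, secret):
        """Check the unlock secret; lock the token after too many failures."""
        if self.locked:
            return False
        _, candidate = hash_secret(secret, self.salt)
        # Constant-time comparison so timing does not leak digest bytes.
        if hmac.compare_digest(candidate, self.digest):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_failed:
            self.locked = True
        return False

    def retrieve(self, secret, account):
        """Release the stored password only after a successful unlock."""
        if not self.unlock(secret):
            return None
        return self._vault.get(account)


if __name__ == "__main__":
    # Constructed walk-through: IT provisions a 250-character VPN password,
    # the user unlocks with a short secret, and a guesser locks the token.
    token = CredentialToken("card-pin-1234")
    token.store("vpn", generate_password(250))
    print("user sees password:", token.retrieve("card-pin-1234", "vpn") is not None)
    for _ in range(MAX_FAILED_ATTEMPTS):
        token.retrieve("guess", "vpn")
    print("locked after repeated guesses:", token.locked)
```

The point the model makes is that the user's memory carries only the short unlock secret, while the account password can be as long as IT wants and rotated without anyone relearning it; the retry counter is what keeps the short secret from being brute-forced against the token.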

Smart cards are not infallible. Anything created by humans can be broken by humans given enough time, money and resources. That’s where a risk assessment comes in: what is the data worth, and who is motivated to go after it? No single component completely secures computer information. It takes different methods depending on the threat and the risk assessment.