This is from dictation. Laugh if you must.
Thanks for your reply, BC.
Perhaps I need to back up a bit and explain why I got into this peculiar idea. The point here is not just coming up with a password that's hard to guess. That is only part of the overall scenario.
Data security has four major columns of support. The first pillar must be physical security. That means the equipment itself must be physically secure from anybody coming in and sneaking a peek at the computer hardware and having a chance to fiddle with it.
The second pillar must be personnel security. Only individuals who are trusted should be employed by the firm. Even the janitor needs to pass a security check.
The third pillar of data security must be acceptable practices. Using one password for several different accounts should be considered a forbidden practice. Instead, there could be a secret password table that is known to a few administrators, and this password table could be used as long as it is a secret. The use of e-mail related passwords should be forbidden except for e-mail that is associated with a secure server. So the company would have to have its own e-mail system for its employees, and the employees would never use their personal e-mail resources on the company computer. Such a list of acceptable and unacceptable practices is a key ingredient in data security.
The fourth pillar of data security is coming up with a password scheme that cannot be easily broken, tampered with, foiled or disrupted. The fact that a password is very hard to crack by brute force is not enough. There should be in place some mechanism to prevent a brute force attack on a password-protected service. Even if a password is very, very difficult, that is of no value if there is a backdoor mechanism to go around the password.
Now then, if we can agree that there are some four pillars of security, we can say that the security level would be the product of the four pillars. Never assume that it would be the sum of the four pillars. It doesn't work that way.
When the measure of something is a product, it means that any of the values used in the product must not be zero. If just one of the four pillars of data security has a value near zero, then the end product will be near zero. It matters not that the other three pillars of security were very high.
There is the issue. Somehow people seem to think that security is simply the sum of the pillars. That doesn't work; you cannot make up for the deficiency in one area by increasing or raising the bar in another area. Yet many people seem to think that all you have to do is make one or two of the security pillars very tall and then it won't matter that the others are short.
I know this sounds kind of abstract, but this is the way you have to reason it out. It's not about the value of one thing. It's about the value of a number of things, any one of which must be more valuable than nothing.
To put it another way, take the case of the first pillar, physical security. If just anybody can come in and out at any time and fiddle with a company computer, then that pillar has a value of zero, and sooner or later the company is going to be hacked no matter what kind of security levels they have in the other areas. Physical security has to be at a very high level. But we can't say that it's more important than anything else. All four pillars are important. They all have to be at a high level to be effective. If just one of the four pillars is at a very low level or near zero, then the whole system is weak.
Case in point. From time to time we hear about how big huge companies have had terrible data breaches. How can this be? Because they did not make sure that all the pillars of data security were in place and set at a high value. A common problem is a weakness in the security of personnel. They allow people with very poor security clearance to come in and out of the building. It could be a janitor, the pizza delivery guy, or somebody who claims to be a building inspector. Anybody who comes into the data center must have some kind of security clearance. Forget that and you might as well forget about data security.
All right, now let's get back to the password thing. To prevent weaknesses in the password scheme, there must not be an easy way to get around the password. Very poorly designed password security systems are a weakness. A well-designed system should not have a password reset or password recovery option. If everybody involved in the data security process has been well educated, nobody should ever forget their password. And even if they did forget it, there should be a way for them to recover the password from among their peers, not from some distant third party agency.
That is why I was suggesting there should be a way for people to remember either their password or a password table that can be recovered through some type of algorithm that is a secret known only to trusted employees. The number of simple algorithms for making clever passwords is somewhere in the tens of thousands or maybe even higher. The one I suggested was where you choose common dictionary words and specify the length of the word and certain letters that must be used inside the word. That will give you a small set of words that can be printed out and distributed to trusted employees inside the data center. Of course, that means that everybody who works inside the data center should have a very high level of security.
If you have disloyal people inside your data center, no amount of password ingenuity is going to protect you from a data breach. On the other hand, if your employees are really well trusted people, and you know they are loyal, you could give them a table of passwords that can be used only for applications relating to the data center operations. This could be a published table of 100 acceptable passwords. That table must never, never be published to any outside agency. Is that too much to ask of your employees? I think not.
This is perhaps longer than what I expected, but I wanted to make clear why I was using such a zany crazy idea. It's not really so crazy when you think about why it is that so many data breaches have taken place. It was not really because the passwords were weak. Almost always it's a case of something else being weak in the data security system.
Of course, one should not be using passwords that are just too easy to guess such as:
qwerty
123456
iamjesus
kissmybut
Those are just too simple to be effective. On the other hand, very complicated passwords do not make up for other deficiencies in the overall security system.
End of Dictation.
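The word-selection rule described in the post (pick dictionary words of a given length that contain certain required letters), as an added example that is not the poster's own code. The word list is a small constructed sample; a real run would read a full dictionary file. The second function shows the caveat behind "that table must never be published": a printed table of 100 words is a guess space of under 7 bits once it leaks, so the secrecy of the table, not the words, is what carries the security.

```python
import math
from typing import Iterable, List

# Constructed sample dictionary for demonstration only; a real deployment
# would load a full word list (e.g. the system dictionary file).
SAMPLE_WORDS = [
    "planet", "secure", "castle", "garden", "silver", "basket",
    "forest", "pencil", "marble", "cotton", "dragon", "bridge",
    "camera", "window", "rocket", "island", "butter", "violet",
]


def candidate_words(words: Iterable[str], length: int, required: str) -> List[str]:
    """Apply the post's rule: keep words of exactly `length` characters
    that contain every letter listed in `required`.  Returned sorted so
    the printed table is reproducible from the same secret parameters."""
    need = set(required.lower())
    return sorted(w for w in words if len(w) == length and need <= set(w.lower()))


def guess_space_bits(table_size: int) -> float:
    """Bits of work an attacker faces if the table itself leaks and each
    entry is equally likely: log2 of the table size.  A 100-entry table
    gives roughly 6.6 bits, far below a randomly generated password."""
    return math.log2(table_size) if table_size > 0 else 0.0


if __name__ == "__main__":
    # Example secret parameters: six-letter words containing 'e' and 'r'.
    table = candidate_words(SAMPLE_WORDS, 6, "er")
    print(f"{len(table)} candidates: {', '.join(table)}")
    print(f"guess space if the table leaks: {guess_space_bits(len(table)):.2f} bits")
    print(f"guess space for a 100-entry table: {guess_space_bits(100):.2f} bits")
```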