Saturday, February 26, 2011

How about password security?

Password security may look like yet another oxymoron, a pairing of two intrinsically contradictory terms. If it is a password, how can it be secure?

Indeed, there are many valid security arguments against using passwords. You can find a summary in the paper Take Five In Internet Security, where, in a five-minute appraisal, we present and discuss a typical dialogue with someone who claims to have a secure server while using username/password authentication.

However, not all passwords are created equal. ZSentry, for example, uses two-factor, strong authentication without passwords -- even though, for familiarity, the second factor is called the ZSentry Password.

This is important for usability, as passwords are easy to use.

The security difference is that ZSentry does not store your Usercode or Password, not even in encrypted form. This technology, called ZSentry Sans-Target, removes the vulnerabilities of common passwords, including dictionary attacks and stolen password files, as described in the study Take Five In Internet Security.

The ZSentry technology eliminates common online targets such as username/password lists, names, email addresses, plain text user data, meta-data, and even the encryption/decryption keys themselves, while adding two-factor mutual authentication, adaptive security, and password-hardening.

The critical point is that ZSentry Sans-Target provides the best defense possible against data theft: not having the data in the first place.

Another important point is that ZSentry does not depend on password quality for its security as much as conventional systems do. With ZSentry technology, each password is paired with an unpredictable ZSentry Usercode, and neither is at risk anywhere.

Nonetheless, it is recommended that ZSentry passwords include at least one control or punctuation character. All of the characters !@#$%^&*()_-+=[]|\;:"?/,.< >`~' and space can be used in ZSentry passwords (space cannot be used at the beginning or end of a password).

For advanced password use and maximum protection, you can use ANSI codes from #32 to #255 (typed as keyboard ALT-number; no space at the start or end of a password). This simple strategy enables more than 132 bits of entropy with just 13 ZSentry Password characters (and the Usercode).

The usual difficulty of using ANSI codes in passwords is solved by the ZSentry Password Peek function (available during signup and login): you can easily see and verify what you typed before you submit, even ANSI codes such as ALT-0159 for Ÿ (Latin Capital Letter Y With Diaeresis).
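As an added example that is not part of the original post or of ZSentry's own software, the following checker applies the password rules stated above (allowed characters, no leading or trailing space, at least one punctuation character, optionally the full #32 to #255 range) and computes the usual length times log2(alphabet size) entropy bound. It assumes that "ANSI code" means the Windows-1252 code page, and the bound is for the password alone, before the Usercode's contribution.

```python
import math
import string

# Characters the post lists as usable in a ZSentry password, plus letters,
# digits and space (transcribed from the post; braces are not on its list).
PUNCTUATION = set('!@#$%^&*()_-+=[]|\\;:"?/,.<>`~\'')
ALLOWED_ASCII = set(string.ascii_letters + string.digits) | PUNCTUATION | {" "}
EXTENDED_SIZE = 256 - 32  # "ANSI" (assumed Windows-1252) codes #32..#255


def ansi_code(ch: str) -> int:
    """Windows-1252 code of one character, i.e. the ALT-number you would type."""
    return ch.encode("cp1252")[0]


def check_password(pw: str, allow_extended: bool = False) -> list:
    """Return the rule violations; an empty list means the password passes."""
    if not pw:
        return ["empty password"]
    problems = []
    if pw[0] == " " or pw[-1] == " ":
        problems.append("space at start or end")

    def extended_ok(c):  # representable as a Windows-1252 code >= 32?
        try:
            return ansi_code(c) >= 32
        except UnicodeEncodeError:
            return False
    if allow_extended:
        bad = [c for c in pw if not extended_ok(c)]
    else:
        bad = [c for c in pw if c not in ALLOWED_ASCII]
    if bad:
        problems.append("disallowed characters: %r" % "".join(sorted(set(bad))))
    if not any(c in PUNCTUATION for c in pw):
        problems.append("no control or punctuation character")
    return problems


def alphabet_size(pw: str) -> int:
    """Smallest class-based alphabet covering pw; any character outside the
    listed ASCII set means the whole #32..#255 range is in play."""
    if any(c not in ALLOWED_ASCII for c in pw):
        return EXTENDED_SIZE
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (PUNCTUATION | {" "}, len(PUNCTUATION) + 1)]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def entropy_bits(length: int, size: int) -> float:
    """Upper bound for a uniformly random password: length * log2(size).
    A human-chosen password is weaker than this bound."""
    return length * math.log2(size)


def password_entropy(pw: str) -> float:
    """Entropy bound of the password itself, without the Usercode."""
    return entropy_bits(len(pw), alphabet_size(pw))
```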

With ZSentry, you can now use passwords as securely as you want.