TalkBMC
Jeff Bohren, The Identity Management Expert

Never Convert Credentials
Never convert a "Something you Know" credential into a "Something you Have" credential.

I tossed out that advice in my post on Dave Kearns and Sxipper, and I obviously lost some people, based on the feedback I got. Dave seems to think I mean not to use "Something you have" credentials.

Nothing could be further from the truth. I am a big proponent of strong authentication. I am the BMC representative to the Open Authentication organization (OATH). I am also a big proponent of Information Cards, and Self-Issued Information Cards are a "Something you have" credential.

Let me explain what I did mean. I meant you should not take an existing "Something you know" credential such as a password and use it like a "Something you have" credential. For example, if you take your password and write it on a yellow sticky note, it's no longer a "Something you know". It's now "Something you have". Specifically, you have a yellow sticky note with your password. Anyone who has your sticky note (or a copy) has your credential. In your wallet, that's pretty safe because you can be reasonably sure only you have it. Stuck to your monitor at work, it's not safe.

Now if you use Sxipper you have converted your "Something you know" into "Something you have". That something you have is a file on your computer. Granted, you can lock your desktop when away from it, and that should be corporate policy everywhere. But you should never base security practices on what "should be" but rather on "what is". Today you have to assume that many people will leave their computers unlocked in accessible areas. You can't just wish that away.

One approach could be to put all your passwords in a file called passwords.txt in your home directory. Most security people would not recommend that. But how is that effectively different from using Sxipper? Sxipper is more convenient than a passwords.txt file since it will play the passwords for you automatically, but it is no more secure.

If you must write down passwords, I recommend that they be stored in digital form but not on your computer (on a thumb drive for instance), or in paper form in a safe location. Or you can use one of these. Another alternative is the Clipperz product which does not have the security issues inherent with Sxipper.

[Full Disclosure] Neither I nor BMC has any relationship (that I am aware of) with Clipperz or Mandylion Labs.

What do I use? I divide my passwords into three categories: internal BMC passwords, external frequently used passwords, and external infrequently used passwords. I do not write down my internal BMC passwords anywhere. We use the BMC Password Manager product internally, and if I ever forget one of my internal passwords I can easily reset it. I don't write down my external frequently used passwords either. I do store external infrequently used passwords, simply because I don't use them enough to remember them. These are stored on electronic media that is not on my computer.


Thursday, July 19, 2007