Friday, October 03, 2008

How secure is a password?

Following my security theme today, I've never seen much value in passwords as strong security measures - they need to be easy for the user to remember, and therefore rely on common letter and number patterns of relevance to the user, patterns which are inevitably easier to break.

People need to remember passwords for many different services. I count at least 50 passwords I personally use on a monthly basis including phone, ATM and online.

This makes it tempting for people to,

  • reuse a few passwords across sites/channels,
  • use a common pattern for passwords (family birth dates, for example),
  • rely on password memory systems (in web browsers or centrally through services such as Microsoft Live), and/or
  • write down and store passwords in easy-to-access places.


A five second Google search threw up a large number of articles decrying the weakness of passwords as a security method.

One I found interesting was How I'd hack your weak passwords, which provides details on the mistakes people make when creating passwords, and points out that when people use the same password across multiple sites the password is only as good as the weakest site's security.
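As an added illustration (not part of the original post) of why the birth-date pattern mentioned above is so much weaker than its eight characters suggest, the script below estimates the search space an attacker actually has to cover. It assumes a date range of 1900 to 2008 and a 62-character alphabet for a random password; both are assumptions for the comparison.

```python
import math
import re
from datetime import date

# Assumed ranges for the comparison: every calendar date from 1900 to 2008,
# versus a 62-symbol alphabet (a-z, A-Z, 0-9) for each random character.
DATE_SPACE = (date(2008, 12, 31) - date(1900, 1, 1)).days + 1
ALNUM_SPACE = 62

# The two common ways people write a date as eight digits.
DATE_PATTERNS = [
    (re.compile(r"^(\d{4})(\d{2})(\d{2})$"), (1, 2, 3)),  # YYYYMMDD -> (y, m, d) groups
    (re.compile(r"^(\d{2})(\d{2})(\d{4})$"), (3, 2, 1)),  # DDMMYYYY -> (y, m, d) groups
]


def looks_like_date(pw):
    """True if pw is eight digits that parse as a real calendar date."""
    for pattern, (gy, gm, gd) in DATE_PATTERNS:
        m = pattern.match(pw)
        if not m:
            continue
        try:
            date(int(m.group(gy)), int(m.group(gm)), int(m.group(gd)))
            return True
        except ValueError:
            continue  # matched the digit layout but is not a valid date
    return False


def effective_bits(pw):
    """Bits of search space an attacker who guesses the pattern must cover.

    A date-shaped password collapses to the number of possible dates; a
    random alphanumeric password keeps log2(62) bits per character.
    """
    if looks_like_date(pw):
        return math.log2(DATE_SPACE)
    return len(pw) * math.log2(ALNUM_SPACE)


def weakness_factor(date_pw, random_pw):
    """How many times larger the random password's search space is."""
    return 2 ** (effective_bits(random_pw) - effective_bits(date_pw))


if __name__ == "__main__":
    # Constructed sample passwords of equal length for the comparison.
    for pw in ("19850312", "12031985", "x7Qp2Lm9"):
        print(f"{pw}: {effective_bits(pw):.1f} bits")
    print(f"factor: {weakness_factor('19850312', 'x7Qp2Lm9'):.0f}x")
```

Both eight-character passwords look equally strong on a length-only policy, yet the date collapses to roughly 15 bits against about 48 for the random string.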

So what's the alternative?
Given that passwords are not a strong security measure, as they rely on the user to select secure passwords, the only real alternatives are to,
  • use more physiologically unique approaches to security (retina scans, fingerprints or brain waves),
  • employ physical tokens (random number widgets, cards or similar devices),
  • use innovative alternatives to passwords (such as join the dots), or
  • make it clearer to people what is at risk, and educate and support them in creating stronger passwords.


Given that most people are unwilling to spend extra money on a PC attachment to allow biometrics scans (though, like seat belts in cars or fire alarms in houses, they could be mandated by government and rolled out with new PCs over time) and issuing physical tokens is a costly exercise (and prone to physical theft), the most viable short-term option is to improve how we communicate with our customers.

I think that we could do a better job of educating people on how to create and manage large numbers of secure passwords, and addressing this area would by itself save significant costs in terms of fraud prevention and personal loss - not to mention password reset calls to call centres.

In the longer-run, I see a strong case for mandating biometric scanners on PCs.

What do you think?


Recruitment in the age of Second Life

Missouri's state government is struggling to manage the need to competitively attract and hire IT professionals in the face of a wave of baby boomer retirements.

Their solution, as detailed in the NextGov article, Cat's in the Bag!, has been to explore new (and cheap) ways to reach young professionals - even when they come dressed as a cat with a red bowtie to the first job interview.

The CIO of Missouri has been holding virtual career fairs using Second Life.

As discussed in the article, it's important to seek new employees where they congregate and feel comfortable, rather than solely relying on techniques that worked in the past, but do not reflect the cultural bent of highly qualified applicants today.

Seeking technologists and trolling for employees with disabilities in virtual worlds makes sense. Techies are well represented there due to their curiosity about new computer frontiers. And the disabled, especially those with physical handicaps, often are attracted to worlds where those problems no longer hinder them.


For an investment of only a few hundred dollars per year in virtual worlds his ROI is excellent - and the little cat with the red bowtie, the avatar of a recent computer engineering graduate, now has a job at Missouri's Department of Natural Resources.

The opportunity cost for other organisations not yet using digitally aided recruitment tools is only likely to grow over time.


Biographical secret questions weakening as security measures

Due to the rise of online social networks and informational sites, secret questions based on biographical information are losing strength as a supplement to password-based security.

As discussed in a Time article, Those Crazy Internet Security Questions, as more information on individuals becomes easily available - either provided by them directly or via government, corporate and collaborative online databases - the security of personal questions diminishes.

The article provides a ten second case study on how easy it is to get the biographical information of a prominent person from their Wikipedia entry and an online postal database.

Speech transcripts, videos, blog posts, social network profiles, news sites and genealogical websites can also provide significantly more information quickly and cheaply.

It's slightly more difficult to get information on an 'unknown' person - but many are doing hackers the favour of providing their own biographical information online - as well as adding to the available information on their family and friends.

This raises a need to steer secret questions away from purely biographical information, or seek stronger alternatives.

So what was your mother's maiden name again?


Thursday, October 02, 2008

Building a better Vic whole-of-government intranet

Yesterday (Wednesday) I was privileged to attend a think tank in Melbourne discussing the future of the Victorian Government's whole-of-government intranet, CentralStation.

Victoria is the only state government in Australia I am aware of with such a tool, and I was surprised to learn that it had originally been created in 1996. To my knowledge that makes it one of the earliest whole-of-government initiatives in the world supporting public servants across state departments, authorities, local government and other public bodies to collaborate and share information more effectively for the benefit of citizens.

The intranet has been redeveloped several times and currently has a dual focus, providing both whole-of-government content and collaboration tools.

The event was attended by around 30 representatives from state agencies. It was also attended by an invited five person expert panel of experienced online professionals from the Vic private and educational sectors and from the non-Vic public sector (such as myself) to provide an external perspective on the initiatives Victoria is considering.

I think the event went well, with some excellent contributions from the group and several 'ah ha!' moments.

My views from the day on the approach were as follows,


A whole-of-government intranet,

  • can provide 'communal good' services assisting councils and departments to work together in ways which cannot be cost-effectively provided by individual government agencies,
  • must support and complement departmental intranets rather than compete with them,
  • requires strong central governance to maintain content standards and review processes, while allowing autonomy to engaged groups,
  • needs to consider a 'narrow and deep' approach to content and community by focusing on assisting and supporting key groups to achieve their goals rather than simply providing an infrastructure which groups need to self-develop, and
  • requires an ongoing promotional strategy to engage public servants and ensure the intranet's functionality has sufficient awareness.


From reflecting on the day, my impression is that whole-of-government intranets are useful tools for aggregating and distributing services and information across government bodies, such as,
  • cross-agency collaboration tools,
  • cross-government expert discovery (a people finder focused on skills rather than names),
  • cross-government information sharing based on topics of common interest (shared bookmarks, forums, blogs and research),
  • building awareness of, and sharing, best practice functionality implemented in specific department/council intranets (possibly providing their central operational infrastructure), and
  • supporting the ongoing development of a cross-government public sector identity (what it is to be a public servant in Victoria).

I wish the CentralStation team at the Department of Innovation, Industry and Regional Development (DIIRD) all the best in taking the outcomes of the think tank forward in the next generation of Victoria's whole-of-government intranet.

I would also suggest that other jurisdictions could learn a great deal from Victoria's experience in operating their whole-of-government intranet for the last 12 years.


The internet has made us all influencers

Reflecting Forrester's Groundswell report, Universal McCann has released a study detailing how the internet has turned all customers (citizens) into influencers.

Titled INTERNET USERS, THE NEW INFLUENCERS - When did we start trusting strangers? (PDF), the study included around 17,000 internet users from 29 countries, finding that, en masse, customers have moved from being passive consumers of products and services to active participants in their creation and evolution.

This has been characterised by three trends,

  • the rise in social networks,
  • the importance of digital friends, and
  • the proliferation of influencer channels.

This has led towards the 'democratisation' of influence online - making every internet user both a potential creator of content and influencer of others.

The study found that organisations needed to reach out to internet users by,
  • being transparent and honest,
  • participating in the conversations,
  • encouraging customers to share their opinions, and
  • approaching and collaborating with new content creators.


Key findings included,
  • 44% of people surveyed have a blog (compared to 28% in 2006),
  • 57.5% have a page on a social network (compared to 27% in 2006),
  • 42% download video clips (compared to 10% in 2006),
  • 34% of users share their opinions about music, and
  • 55% share their photos online.

Internet users do not rely on brands to inform themselves:
  • while 69% visit brands' official websites,
  • 82% prefer to search for information on a search engine, and
  • 55% prefer to read people's comments on personal profiles on social networks like Facebook.

The preferred methods for exchanging information about a product were,
  • via instant messaging (44.5%),
  • via email (42.4%),
  • followed by blogs (30.4%), and
  • social networks (27.6%).
