Back to School

Computerworld - Let's say this upfront: That Princeton University admissions director was wrong. He was wrong to "test security" on a Yale University admissions Web site designed to let prospective Yalies find out whether they'd been accepted. He was wrong to repeatedly access would-be students' records using names, birth dates and Social Security numbers from Princeton's admissions files - including that of President Bush's niece, Lauren . He was wrong, yes - and criminally dumb on all counts. Now let's move on to the other criminally dumb figure in this fiasco. That Yale Web site was designed by a self-promoting Yale sophomore who brags that he has worked for Microsoft since he was 14. He's the genius who decided that birth dates and Social Security numbers would make the perfect passwords because of their "personally identifiable nature," according to the Yale Daily News, the student newspaper that broke the story late last month before it was picked up by The Washington Post and the wire services.
"Personally identifiable"? What was this kid thinking? If there's one thing we don't want a password to be, it's a piece of information that's easy for an unauthorized person to guess or learn. And that's exactly the kind of "authentication" you get from birth dates and Social Security numbers.
Yes, they're easy for users to remember. They're also incredibly easy for outsiders to acquire. Employers ask for them. Credit-reporting companies are awash in them. Many states even include them in publicly available driver's license records.
Which means they're worse than useless for authenticating that a particular user is who he claims to be. Asking for such easily acquired information as a password is like begging unauthorized users to walk in.
Does this seem obvious? Good - that means you haven't forgotten Security 101. You haven't been sucked in by the idea that in a world of firewalls and VPNs and crypto and biometrics, the old rules about security no longer matter.
Sure, those security technologies are a good and valuable thing. These days, no one can protect systems without them. Piling on as many barriers as possible to protect proprietary information and user privacy just makes good sense.
But that's only a beginning. It's no replacement for real security.
That's why good passwords still matter. So does regularly examining access logs - the logs for that Yale admissions site clearly showed the suspicious cluster of accesses from Princeton, but no one reviewed them until after the unauthorized access was exposed.
Outside audits of security still matter,