'Passphrases' not PINs, say Corsaire

In fact, says Corsaire, the security and penetration testing specialist, although many people believe that the latest security solutions being employed in areas like e-commerce and online banking will protect them from fraudsters, this may not always be the case.

According to Corsaire, one of the weakest passwords for online transactions is the PIN, especially if a customer is using the same PIN with both a cashpoint card and for online banking.

The Surrey-based firm claims that not only is a PIN a weak authenticator because of its short numeric value, but users may also be tricked into disclosing their PIN to a third party, which could expose the 'physical' card to the possibility of a 'virtual' attack, as well as the unauthorised use of stolen or cloned cards.

"Using the PIN from your cashpoint card as an online password is a very bad idea from a security point of view, and should be avoided", explained David Ryan, associate principal security consultant with the firm's security assessment team.

"PINs are arguably as secure in the real world as they are used in closed systems with strict lockout criteria, but these benefits are lost when these same credentials are used online", he said.

Ryan argues that, for internet users, the process of authentication is typically achieved with the submission of a username and password. In some cases, users are also required to enter additional personal information (such as date of birth) or to enter a selection of digits or characters from a second 'secret' value.

Against this backdrop, Corsaire has been urging banks and other organisations to implement password policies that are based on minimum character lengths, and which include reasonable – but not overwhelming –complexity.

This approach, says the firm, can provide a solid, inexpensive way of authenticating users, but only if the password policy is being enforced by the system, and if users are given guidance on what constitutes a strong password.

Multi-word 'passphrases' should also be promoted in place of passwords, according to Corsaire, in order to make attacks from online criminals more difficult.

The main advantage a passphrase has over a password, says Coraire, is that the length can be significantly increased, without making the password overly complex, and can thus increase the overall strength of the user's password by multiple factors.

What’s Hot on Infosecurity Magazine?