Image source: AI-generated.
Original post date: July 31, 2024
Last updated: July 31, 2024
Does security need to be difficult to use? Does it have to add complications for developers and users? Let’s examine password management as an example.
I remember an organization where the IT department had a strict password policy: password expiry in 3 months, no password reuse from the 20 last passwords, no too similar passwords, minimal password length, etc. The result? Regular calls for password resets (especially when employees come back from vacations) and people finding a way to REUSE the same password by adding additional characters at the beginning and end. I’m not sure if there were passwords on post-its, but I very much think so.
Is having a strong password a good idea? Yes, it is. Is a regular password change a good idea? Yes, it is. However, the general user experience could have been better in the example above.
What could the IT department do instead? Learn the team to use passphrases instead. What about “three queens-playing-cricket-with-a-giraffe” (*)? It’s long to type but easy to remember. The IT can also implement multi-factor authentication with a physical key. There are different possibilities, too. All of them decrease the importance of password change and make the user’s experience less painful.
What is the link with the embedded? Quite many embedded systems have, at least in development, the same password for remote login. (I remember times when most devices used user: admin, password: admin, or similar.) This is not a safe solution for a production system. What should we do instead?
- Generate a default password for each serial number: This requires personalizing each device, probably in a separate flash partition. You can then print the initial password on the device label. The device uses that default password at startup and also after a factory reset.
- No default password; ask the user to set up a password when booting the device for the first time during device onboarding
- Use fleet management tools to manage passwords (in a corporate or industrial setup)
Those solutions are acceptable to users and offer a decent level of security.
During development, a system might use a different setup to avoid developer frustration when re-flashing devices.
In the end, is password management in embedded hard? Not necessarily. Do more than just implement a security policy. Make it functional and user-friendly.
(*) The leading image is AI-generated. Even AI didn’t manage to generate queens with a giraffe. After a number of failures, I went for cats instead. The image generation suggests that this password is unique 🙂