<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>recommendations</title>
<link>http://www.computersight.com/tags/recommendations</link>
<description>New posts about recommendations</description>
<item>
<title>World Wide Web Consortium</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/World-Wide-Web-Consortium.278105</link>
<description>
<![CDATA[<p>W3C is an international consortium that prescribes standards for the web. The aim is to prevent confusion among organizations throughout the world when new technologies are adopted. W3C has offices around the world and takes regional distinctions into account before prescribing standards. The World Wide Web is an interesting place where exciting things happen every day, if not every second. New technologies are found and major inventions are made at breakneck speed. But have you ever wondered how web pages remain consistent without major confusion? Well, there is the W3C (World Wide Web Consortium) to do this. W3C is an international consortium (group) involved in developing guidelines and standards for the Web throughout the world. It was primarily created to find common ground in adopting new standards. W3C staff design technologies and guidelines keeping in mind the diversity of people, languages, hardware, software and cultures. What is more, they prevent people from coming up with different versions of HTML by getting them to agree on standard components and principles. The standards published by the W3C are called recommendations. These recommendations pass through five stages: Working Draft, Last Call Working Draft, Candidate Recommendation, Proposed Recommendation and, finally, W3C Recommendation. The recommendations are not compulsory, and manufacturers may or may not follow them.</p>
<p>However, to earn a W3C-compliant label, it is mandatory for manufacturers to follow the recommendations. A W3C-compliant label indicates that the website owner has implemented the very best of designs for the site. It shows the owner's commitment to having a website that conforms to web standards. Web design under the W3C standard follows the same recommendations, since it is the basic layout of any web project. In Wiki style, web design is the intent to create a website that presents content to the end user in the form of web pages when requested. This is the best definition of web design I have ever found on the internet. I don’t even mind if it’s copied all across the web platform, since it is the standard statement and aptly follows the standards led by W3C.</p>
<p>The acceptance of XHTML, XML, CSS and DHTML by W3C has made the web the most dynamic deliverable medium today. Web designers take it as a way of enhancing websites with innovative and trendy techniques. Various web design companies are now encouraged by the standards led by W3C, and with the passage of time web designs keep adopting new web creation parameters that meet all the standards and guidelines of W3C. This not only benefits them but also avoids web fragmentation and other anti-web issues. W3C is an open forum and, in addition to maintaining the standards, involves itself in activities ranging from education and outreach to developing software. It was founded by Sir Tim Berners-Lee, who also invented the World Wide Web, in October 1994 at a laboratory of the Massachusetts Institute of Technology (MIT).</p>
<p>It has many regional offices around the world and is administered jointly by CSAIL (MIT Computer Science and Artificial Intelligence Laboratory), ERCIM (European Research Consortium for Informatics and Mathematics) and Keio University. CSAIL is in the USA, ERCIM in France and Keio University in Japan. The regional offices, too, play a major role: they are instrumental in promoting W3C technologies around the world in different local languages. W3C is funded by research grants, public and private funding, membership fees and support programs. Members do not include the general public, only organizations (both for-profit and non-profit), universities, businesses and government entities.</p>
<p>Membership is reviewed and approved by the W3C which, though it has guidelines, does not rely on them solely for the final selection. The membership cost depends on the type and also the location (country) of the company. W3C is also working to make the web accessible to everyone. It wants all the people of the world to reap the benefits of the web by communicating freely, doing business with each other, sharing knowledge and improving their lives. Hence, in recent years, W3C has been investing more in the expansion of the web irrespective of language, location and culture. A program called ‘Mobile Web Initiative’ plans to make the web accessible from any device, be it a mobile phone, interactive television or other electronic appliance. In a nutshell, W3C has the vision of upholding the long-term growth of the web with consensus on web technologies.</p>]]></description>
<pubDate>Tue, 30 Sep 2008 06:00:35 PST</pubDate></item>
<item>
<title>Password Authentication Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Password-Authentication-Security.138542</link>
<description>
<![CDATA[<p>Everybody's objective in the cybercrime tug-of-war is to be on the winning side. Nobody likes losing, especially when the prize at stake is your own personal property or, even worse, your identity. However, there are steps you can take to reduce both an organization's and your own personal risk and threat-impact levels.</p>
 
<p>Over the course of the next few days I will be presenting a series of articles dealing with the many and varied aspects, concerns, issues, strategies, policies, threats and countermeasures that constitute password security.</p>
 
<p>Many systems today still rely on password-only authentication. Thus, defending yourself and your organization against breaches of password security becomes all the more important. Having a single point of failure and attack (the logon name/password combination) leaves one more exposed to the efforts of cybercriminals.</p>
 
<h3>Honesty - Being True to Yourself</h3>
 
<p>If you are not going to assess your current password security status honestly, then do not even bother. You will probably just waste a whole pile of blood, sweat and tears on useless, ineffective, time-consuming, misdirected and most definitely misguided pie-in-the-sky measures.</p>
 
<p>The honesty I refer to is the kind necessary for a realistic and accurate assessment of your current password security status. Assess yourself honestly. You do not have to let anyone else know the details of your dirty laundry.</p>
 
<p>So please, do yourself a favor and do this right, for only after appraising your current password security status will you be able to identify areas of weakness that need prompt attention.</p>
 
<h3>Hard Password Copies (Paper)</h3>
 
<p>Maintaining a hard (paper) copy of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk. The locks on most desks are merely a trivial inconvenience to those with a little know-how.</p>
 
<p>An envelope opener and five to ten seconds at most is usually all it takes to open the majority of desk drawers. Failing to lock up your desk compounds the problem: it may save your desk's lock from damage but will do nothing to save your password hard copy.</p>
 
<p>Do not leave a hard copy of your passwords in close physical proximity to your computer, e.g. on your desk or beside the PC or monitor. It is a very bad idea. Leaving a hard copy of your logon and password details in open public view is worse. Then again, the practice of writing your logon name and password on a post-it note and attaching it to the PC or monitor is probably the worst of all.</p>
 
<p>Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, are among the most pervasive issues facing security on an ongoing basis. It is no secret that over the years post-it notes, along with other password hard copies, have provided a profitable source of information to would-be password attackers.</p>
 
<p><strong>Recommended countermeasures</strong> concerning hard copies of passwords and other authentication credentials should not be necessary, since the best advice of all is that you should never maintain a hard copy of authentication details, period.</p>
 
<h3>Electronic, Magnetic and Optical Password Copies</h3>
 
<p>While not as risky as maintaining hard copies of your authentication details, considerable care needs to be taken when storing electronic, magnetic or optical copies of this information. You should always encrypt authentication data when storing it in an electronic, magnetic or optical format.</p>
 
<p>As with paper hard copies, any physical copy of any data is liable to the additional risk of theft. Many thieves find it easier to steal physical objects than electronic ones. They may consider your PC too big to put in their pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether.</p>
 
<p><strong>Recommendations</strong> to help protect electronic, magnetic and optical physical copies of your data will always begin with physical security measures such as data vaults, lock and key, off-site storage, etc. You should also store this information only in an encrypted format to strengthen your data protection strategy. Password-locking files is also important.</p>
 
<h3>Security-In-Depth</h3>
 
<p>Using a security-in-depth strategy entails implementing more than one mechanism in your defenses. You can build defenses around password authentication to open a channel, after which you use additional passwords to gain additional access privileges.</p>
 
<p>Here is an example to illustrate the security-in-depth approach using password authentication systems. You log onto the network using one password which, in association with your logon user name, will once authenticated allow you access to basic network assets, services and resources.</p>
 
<p>If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. In this way we now have a two-tiered hierarchy of access privileges to specific resources: still password-based, but immeasurably more secure than a one-password-accesses-all system.</p>
 
<p>Now suppose you wish to gain access to sensitive information held within that database, in which case you will need to supply yet another user name and password. A third layer of password-protected access has now been added.</p>
 
<p>Your level of security has increased yet again, and the best bit is that it is not going to cost you anything. Most operating systems, including Windows, Linux and Apple Mac OS, along with specialty application software (MS Word, OpenOffice, security suites, etc.), support this strategy natively out of the box.</p>
 
<p>A classic example of this is your email account. Your operating system supplies the first password-protected authentication level at logon. Your email service provider requires another password-protected authentication when you wish to check your email.</p>
 
<p><strong>WARNING</strong>: A word of caution, however: most email password authentication processes occur unencrypted, which is a very bad idea. Anybody with a “packet sniffer” utility can capture the traffic and view it in plain text at their leisure.</p>
 
<p>To overcome this you can configure more secure communications channels or use multifactor authentication systems, which I do recommend. They will be the topic of my next article.</p>
 
<h3>Conclusions</h3>
 
<p><strong>NEVER</strong> disclose account information such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information (authorization credentials) remains known only to your security, administration and support personnel, and then only on a need-to-know basis.</p>
 
<p><strong>NEVER</strong> keep hard copies of passwords and other authentication details. It is a practice fraught with danger.</p>
 
<p><strong>ALWAYS</strong> store data in an encrypted format.</p>
 
<p><strong>ALWAYS</strong> afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network.</p>
 
<p><strong>ALWAYS</strong> implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.</p>
 
<p>Until next time, when I will discuss multifactor authentication systems, enjoy!</p>]]></description>
<pubDate>Sat, 14 Jun 2008 06:31:17 PST</pubDate></item>
</channel>
</rss>
