We all know and love the password game. Every three months, we have to change it. We have to follow arcane rules set by the technological overlords of the IT department. And we all have a few tricks to work around those rules. So here is a crash course in password management, why it matters and why, yes, you really MUST change your password every 90 days.
Being on the front lines of IT, I see it every day; the tricks people use to get around password rules. We are all guilty. There are two methods I see most often. One involves physical security and the other involves defeating the spirit of the law.
Don’t Write It Down
First, on the physical side, users will write down their passwords. While not a bad idea in some ways, it’s what you do with that paper that counts. Leaving it under your keyboard, or taped to the monitor, is not secure. The old PC mantra applies here: if it is not physically secure, it is not secure. The point of your password is to limit access. This is worse than hiding the key near your front door. This is the equivalent of locking your door and then leaving the key in the lock.
If you want to see the stories that scare your IT people, Google “password horror stories.” An often repeated story tells of the night staff logging onto various computers using the sticky-noted passwords to look at pornography and other sundry websites. At the least that can get a user fired, but it could be worse. What if you work in education or law enforcement? What if the material is illegal? What if critical data is copied or goes missing? Remember too, that these are only times when it was proven that it was not the user. In most organizations you alone are responsible for what happens under your user name. In some cases neglecting security protocols can be grounds for termination. Remember folks, lock your doors and take the key with you.
Make Passwords Complex, Not Simple
Second, users often dodge the rules by having insanely simple passwords that might technically meet the rules, but are equally worthless. P@ssword123! meets my client’s rules. It has a capital letter, a symbol, a number, is long enough, and it is different from the last two passwords. Every 90 days, the user swaps one or two parts. They might put the exclamation point at the beginning, or move the numbers around. But it is easy to guess. And I guarantee this password is already in the dictionaries used to crack passwords. Sorry friends, it’s neither clever, nor secure and is about as useful as the security chain on your front door. It looks tough, but takes no real effort to break.
Change Passwords Often
One frequent complaint from my users is the need to change passwords every ninety days (your policies may vary). They wonder if such measures are needed. There are some researchers who claim that, given a sufficiently complex password, that this is not even necessary. There’s the rub then. A sufficiently complex password is less likely to be remembered and even more likely to be written down. The password of Ur@vsb4d0ngth$, is a great password. But no one is likely to remember this. The other lingering problem with even a complex password is social engineering. The most likely way for someone to get your password is for you to give it them. There are a variety of ways to do this including phishing, phone calls from fake vendors etc.
Because people tend to use a password in more than one place, even if your actual network password is not compromised, someone gaining one of your passwords could leave you, and the network exposed. By making users change passwords on a regular basis, it minimizes the long term potential of a given point of failure. At the same time, if we ask users to change passwords too often, we get more passwords with simple one character deviations and many sticky notes.
A recent and rather scary development was noted in an article on tech website ArsTechnica. Essentially, hackers are able to not just steal passwords, but the encryption algorithm used to hide them. This allows for lists of actual passwords and hashes; the equivalent of giving out the master key to a set of locks. If most people use the same password along with a similar user name for most websites, even one compromised password can bring down a person’s entire identity. Frequently changing all your passwords (not just your work password) and using strong, non-human readable passwords becomes even more important for security.
These issues are actually tightly related. Users are swamped with the number of passwords they must keep and remember. Both problems are responses to overload. Both are, in a way, very logical (if flawed) responses. There are three parties constantly at battle the security wars: the bad guys, the administrators, and the users. I won’t dwell on the more nefarious of these as we all get that point. Hacker’s gonna hack right? I am depicting the user as an active participant in this battle, both for and against.
The user wants two things: they want security and they want it to be easy/convenient. These goals are at once contradictory, but not really unreasonable. The more restrictive and/or complex (and supposedly secure) we administrators make the system, the more our users chafe. Overly complex password requirements lead to only minor password changes, and to the infamous sticky notes. At the same time, we must strive for compliance with our policies.
How you actually set that happy medium is beyond the realm of a blog post. As I often note in this space, these are questions you should be asking your IT professionals. It’s not enough to ask “are my systems secure”, but you must also ask for details.
It’s good to ask the following questions:
– What kind of password rules are in place?
– How do you get users to follow the rules?
o Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong (Wired)
o How many seconds would it take to break your password? (IT Nation)