Allow us to bitch about something on which we're sure we aren't alone. If your job involves computers, chances are you've run into increasingly restrictive password rules over the past few years; and if you work in a corporate environment, chances are that those increasingly restrictive rules are in place for five to ten (or more) different passwords that expire every 14, 30, 60, or 90 days. Here's the problem, as we see it — the more finicky those password rules get, the less secure the passwords actually become.

Let's follow this through with an example. Let's posit that Tom's system login password used to be asshat (sorry, you industrious hackers out there, this is just for argument's sake). Quite frankly, assuming Tom is smart enough that asshat isn't something that a would-be hacker would guess, this is secure enough for his laptop (or for his access to mundane internal company systems that, let's face it, even he would prefer not to use if given the choice). A few years ago, his company's policy changed from never having to change your password to having to change it monthly. Originally, the change could be as minimal as Tom decided; so, for example, using a keyword along with the number of the month was perfectly okay — for January, the password could be asshat01, for February asshat02, and so on. Soon after, the need to include symbols was added. Okay, a rotating list of asshat=01 through asshat=12 still isn't so difficult to keep track of. However, the regulations and restrictions just kept on coming: quickly, the ever-popular "can't repeat a certain number of characters from passwords used over the last year" rule showed up. Ouch — now the keywords had to change monthly, and change drastically. Well, Tom still had at least twelve easily memorable keywords to base his passwords on, if he delved into "l33t speak" — d00d=pwned, l33t!w00t, and so forth. It wasn't as easy to remember, but there was still the possibility of coming up with twelve basic passwords to repeat each year. But before that year was even up, the dreaded "can't ever repeat a certain number of characters from any previous passwords" rule was implemented, coupled with the "can't just mix around the order of characters" rule.

Well, fuck. Now what?

Now, every thirty days, Tom must come up with a new and totally unique and original system login password, which includes numbers, letters and symbols, and which differs almost entirely from any password he's ever used ever before, ever, ever, ever. Just today, he spent ten minutes typing in possibilities one after the other, each of them rejected by the system, before he finally came up with a password that passed this high-security muster. The problem he faces now is as obvious as it is simple: he has no chance of actually remembering the password that he was essentially forced to select! Frankly, it's completely obscure, and it lacks any semblance of personal meaning to him. It might as well be — or, in fact, actually is — a random string of characters.

Now multiply this problem by the five to ten different passwords he needs to remember, all following this same stupid progression, and Tom ends up with a complete inability to remember any of his passwords. In order to maintain daily access to his systems, Tom has now resorted to writing the passwords down...which completely defeats the purpose of having a secure password to begin with, since his password is now easily accessible for people to read on a piece of paper, or in his cell phone's notepad application. In a gallingly piss-poor attempt to heighten security, Tom's employers have now created a simple and obvious security hole that could be used to "hack" into any of Tom's accounts — just find his password wherever he's written it down, and you're golden.

We know this must be a widespread problem, just based on the amount of bitching we've heard personally (and the number of password crib sheets we've seen people using). So which is more likely — that someone was going to guess that Tom's password was asshat every month, or that someone could read his password du jour (or semaine, or mois) on the piece of paper he lost at the deli last week?

Of course, the really obvious factor that has been completely overlooked by his company is that no one would be particularly interested in gaining access to Tom's laptop anyway. It's not like he's got state secrets on there, or Allison DuBois' lottery number picks. Who the fuck cares what simple technical detail Tom is patiently trying to explain to yet another idiot client in any given week? Even Tom would prefer not accessing that shit.

This kind of idiocy isn't even limited to employers. Just last month, Jeff logged in to his bank's website for the first time after a long absence, and was required to change his password in order to proceed. What does this fucking accomplish? Jeff's bank account was far safer when he knew exactly what password he was using, as opposed to having to leave himself little notes in his browser bookmarks reminding him of what the new password is — little notes that others can read and may possibly decipher. His original password was as natural to him as breathing; even a mutant telepath wouldn't have been able to extract it from Jeff's brain, because he didn't even need to think of it as his fingers flew over the keyboard. Now he has to stop and ponder what new password he came up with. Those damn telepaths are going to be all over his account any day now.

Seriously, big corporate mucky-mucks, and all the folks who mandate rules like these in order to ensure "maximum" security on our fucking laptops or our Internet PornoPass accounts: please understand that your efforts are having quite the opposite effect. Stop treating our PCs like the fucking WOPR at NORAD, and ease up on the password restrictions a tad. It's not helping security, and it's fucking pissing us off.

Seriously, big corporate mucky-mucks, and all the folks who mandate rules like these in order to ensure "maximum" security on our fucking laptops or our Internet PornoPass accounts: please understand that your efforts are having quite the opposite effect.

We know this. Guess what - we're in a place and time where because of some very well meaning but not well thought out legislation we must do things (and dorky passwords are the tip o' the iceberg my friend) that we know are not 'good'. It's that or fail an audit. Failing an audit - in this environment - is a sin somewhat akin to, but with worse consequences than, matricide.

Brian,

First off, just to make sure you know: the fact that you are aware of the uselessness and counterproductivity of this system means that you're not one of the people we are bitching about. We've witnessed plenty of corporate folks extolling the virtues of the very policies we are struggling with, and those are the ones who annoy us.

Does Sarbanes-Oxley (or some other legislation) actually mandate the use of "strong" passwords for all logins regardless of the application or the industry? In all seriousness, we aren't aware of anything like that. If such legislation does exist, then we'll gladly shift our annoyance from the corporate policy makers to the legislature (we're very experienced in being annoyed at legislators). But the other element of our gripe — requiring ten or more passwords to access all manner of corporate systems — seems to remain squarely on corporate shoulders.

As far as we are aware, Sarbanes-Oxley lays out the need for IT security, including personal workstations, but stops short of dictating how the security should specifically be handled. In point of fact (based on our admittedly limited knowledge of SOX compliance), it would seem that creating an environment in which the users find it necessary (if not essential) to write down their passwords (thereby creating a security breach) would do more to fail SOX compliance than to pass it.

Sure, some industries (like financial services) are required to have more rigid security, and some applications access sensitive data and as such need to be more secure. But we're talking about all systems being required to utilize this kind of hyper-exaggerated security. Hell, it's common practice for work-issued desktops that sit in the locked offices of entry-level workers to be required to have strong passwords just to turn off the screensavers! It's too much.

There are surely instances in which extra security is warranted, but if it's slathered on too thick, it just becomes a problem.

Another 'security measure' that I came across was the 'lock the user out after 3 unsuccessful attempts' rule. After being forced to make up a string of characters & numbers that I had no hope of remembering, I then found that if I took more than 3 attempts to enter my meaningless gibbrish password I was locked out for 24 hours.

What super-sensitive, vitally-important-to-national-security data is being protected by this ultra-secure password system? My local phone ebill.

I think it all comes down to the fact that the corporate dickheads who are empowered to make these discisions are the least capable of doing so. It is the way of the world in IT, where the Peter principle is a way of life.

This is not a new problem but it is definitely becoming more widespread. I have worked as a computer consultant for 15 years now, and in my personal experience, the 'tougher' the password rules, the less secure the computers actually are.

If I had a nickel for every password to such a system that I have found written on the monitor, or on the bottom of the keyboard or mouse I could retire right now.

If the real solution to this problem is buying more cool stuff, then I hope the price of biometric systems starts dropping real soon. Once these fingerprint or cornea readers start getting as cheap as mice, the beancounters might go for it.

Of course if the same dickheads are still in charge of access policies, we'll all have to change our fingerprints and corneas once a month.

Cheers,

Naked Ape

Ape, the Peter Principle is dead. The Peter Principle says the guy who's in charge once knew the job you're in now. He's incapable of doing his job, but he can do yours.

Nope, now it's the Dilbert Principle. The incompetent people with good hair and big smiles are promoted directly to management. They have no clue what IT does or why or how. AND are too dim to ask people who do know and follow their recommendations. Or too arrogant.

Instead we get pointless policies, random meetings about nothing much, and a generally pissed off under appreciated workforce.

Not that I'm bitter or anything.

Heck, I work for a privately owned company. The management is competent since there aren't stockholders.

Our password policy is.. oh wait, I don't think we have one.

glintir,

you are, of course correct.

I blame the proliferation of jackasses with MBAs. Most of these people that I have met with this designation have not in fact been Masters of Business Administration but more often they appear to be Masters of Bugger All.

Not that I am bitter.

Cheers,

Naked Ape

Naked Ape and glintir,

You're both correct, but where I work we seem to have bred a kind of hybrid manager. I know for a fact that our top IT manager has been in the trenches, but since rising to his current position he seems to have forgotten that logic is a very, very important factor in all things IT (OK, all good things IT).

I hesitate to guess at the reason for this. Is the air that rarified up there? Do they feed the managers above a certain level some logic-withering version of soylent green? Is it the inevitable conclusion to the absence of Calvin and Hobbes?

I also suspect this concept has nothing to do with IT itself, but is so widespread as to be breathtaking.

P.S. - Our policy is every sixty days, using CAPS, numbers and symbols. Some systems accept long passwords, some limit it to 8 chars.

Pool Guy

P.P.S. - And yes I have to write them down somewhere to remember them all (4-6 systems).

Not that I'm bitter, either.

Pool Guy

I just posted a blogg over at www.whitepage.com.au that concerns how people make it into management these days. Some of you might find it interesting.

In short, I believe it's the "certified" training, as opposed to work place training. It all revolves around management theory. Theory is all very well and good, but there's no prac exam. There's your problem. Not all theories fit all workplaces and some people just can't adapt...

Back to the issue at hand. 2%, I believe that it is actually illegal to write your password down. Not sure so I'll check that.

We have a security policy that incorporates "questions", let me explain. If I should forget my password, which is all to easyto do these days, I can go to the internal web, go to the security policy page, hit the change password button, answer some personal questions that I typed in 2 years ago so the system knows it's me, and it will let me change my password for EVERYTHNG. Oh, the helpdesk refuse to do it over the phone now because the boffins implemented this.

How good's that? Well, not very... Firstly, how am I supposed to hit the internal web if I can't remember my password to log into it? Big sticking point there. Secondly, the security policyy says I'm not allowed to use anybody elses logon except my own. Well I can't log in, so what other option is left to me?

When we ring the helpdesk, guess what they tell us to do? Yep, use soemone elses logon. Sigh... At that point, I tend to point out the policy and tell them I like reading and have a new book. Thanks very much. When management ask why I'm doing nothing, I point out their security policy, explain that no jury in the world would convict me because I'm only doing as I've been told by my employer, and go back to reading. Pretty soon I find that my password has been reset and I can now log in.

I think things have probably gone a bit far when obstinance is the only way you can get your password reset...

I agree that these password policies are self-defeating, but I believe they are generally put in place owing to the fact that an 8-character password with mixed case, numbers, and special characters can be cracked with brute force algorithms in a relatively short time. Of course, this doesn't seem to take into account the layer of protection provided by simple anonymity (why would anybody try to hack MY account?), but basically, it's setting policy to prevent worst-case scenarios. Kind of like building bungalows in Seattle to withstand Category 5 hurricanes.

A more sensible approach would be to require longer passwords than current technology can quickly crack, but allow the user to choose whatever they want. In any case, the real solution, according to some security-savvy folks at my company will include smartcard and/or biometric password extensions. And that's not just a question of equipment cost, as there will be some behavioral resistance involved.

-Jason-