Ultra-Secure Password Policies: Not Very Secure
2006.05.08 (Mon) 20:22
Allow us to bitch about something on which we're sure we aren't alone. If your job involves computers, chances are you've run into increasingly restrictive password rules over the past few years; and if you work in a corporate environment, chances are that those increasingly restrictive rules are in place for five to ten (or more) different passwords that expire every 14, 30, 60, or 90 days. Here's the problem, as we see it — the more finicky those password rules get, the less secure the passwords actually become.
Let's follow this through with an example. Let's posit that Tom's system login password used to be asshat (sorry, you industrious hackers out there, this is just for argument's sake). Quite frankly, assuming Tom is smart enough that asshat isn't something that a would-be hacker would guess, this is secure enough for his laptop (or for his access to mundane internal company systems that, let's face it, even he would prefer not to use if given the choice). A few years ago, his company's policy changed from never having to change your password to having to change it monthly. Originally, the change could be as minimal as Tom decided; so, for example, using a keyword along with the number of the month was perfectly okay — for January, the password could be asshat01, for February asshat02, and so on. Soon after, the need to include symbols was added. Okay, a rotating list of asshat=01 through asshat=12 still isn't so difficult to keep track of. However, the regulations and restrictions just kept on coming: quickly, the ever-popular "can't repeat a certain number of characters from passwords used over the last year" rule showed up. Ouch — now the keywords had to change monthly, and change drastically. Well, Tom still had at least twelve easily memorable keywords to base his passwords on, if he delved into "l33t speak" — d00d=pwned, l33t!w00t, and so forth. It wasn't as easy to remember, but there was still the possibility of coming up with twelve basic passwords to repeat each year. But before that year was even up, the dreaded "can't ever repeat a certain number of characters from any previous passwords" rule was implemented, coupled with the "can't just mix around the order of characters" rule.
Well, fuck. Now what?
Now, every thirty days, Tom must come up with a new and totally unique and original system login password, which includes numbers, letters and symbols, and which differs almost entirely from any password he's ever used ever before, ever, ever, ever. Just today, he spent ten minutes typing in possibilities one after the other, each of them rejected by the system, before he finally came up with a password that passed this high-security muster. The problem he faces now is as obvious as it is simple: he has no chance of actually remembering the password that he was essentially forced to select! Frankly, it's completely obscure, and it lacks any semblance of personal meaning to him. It might as well be — or, in fact, actually is — a random string of characters.
Now multiply this problem by the five to ten different passwords he needs to remember, all following this same stupid progression, and Tom ends up with a complete inability to remember any of his passwords. In order to maintain daily access to his systems, Tom has now resorted to writing the passwords down... which completely defeats the purpose of having a secure password to begin with, since his password is now easily accessible for people to read on a piece of paper, or in his cell phone's notepad application. In a gallingly piss-poor attempt to heighten security, Tom's employers have now created a simple and obvious security hole that could be used to "hack" into any of Tom's accounts — just find his password wherever he's written it down, and you're golden.
We know this must be a widespread problem, just based on the amount of bitching we've heard personally (and the number of password crib sheets we've seen people using). So which is more likely — that someone was going to guess that Tom's password was asshat every month, or that someone could read his password du jour (or semaine, or mois) on the piece of paper he lost at the deli last week?
Of course, the really obvious factor that has been completely overlooked by his company is that no one would be particularly interested in gaining access to Tom's laptop anyway. It's not like he's got state secrets on there, or Allison DuBois' lottery number picks. Who the fuck cares what simple technical detail Tom is patiently trying to explain to yet another idiot client in any given week? Even Tom would prefer not accessing that shit.
This kind of idiocy isn't even limited to employers. Just last month, Jeff logged in to his bank's website for the first time after a long absence, and was required to change his password in order to proceed. What does this fucking accomplish? Jeff's bank account was far safer when he knew exactly what password he was using, as opposed to having to leave himself little notes in his browser bookmarks reminding him of what the new password is — little notes that others can read and may possibly decipher. His original password was as natural to him as breathing; even a mutant telepath wouldn't have been able to extract it from Jeff's brain, because he didn't even need to think of it as his fingers flew over the keyboard. Now he has to stop and ponder what new password he came up with. Those damn telepaths are going to be all over his account any day now.
Seriously, big corporate mucky-mucks, and all the folks who mandate rules like these in order to ensure "maximum" security on our fucking laptops or our Internet PornoPass accounts: please understand that your efforts are having quite the opposite effect. Stop treating our PCs like the fucking WOPR at NORAD, and ease up on the password restrictions a tad. It's not helping security, and it's fucking pissing us off.