Security: the fallacy of 'strong' passwords
Many companies take full advantage of the password expiration policies that are on offer in all versions of Windows Server. Of all the draconian control measures that are available to the modern administrator, this is the one that causes the most damage to network security and end-user experience.
Typically, such policies will require passwords of a minimum length with a mixture of upper and lower case letters and also numbers. This is certainly good practice, but if the user does not understand how to choose a good password they will either a) forget it, or b) write it down. Because (a) makes them look stupid, they will often turn to (b) and hope that by placing the offending note under a pile of stuff in their drawer it will be secure enough.
That, however, is not the main problem. Choosing an initial password that is secure and memorable is a matter of training.
What typically makes the policy completely worthless is that the user is then required to choose a new password every 30 – 60 days. This is utter madness.
Secure passwords do not need to be changed
Ask yourself why you ask your users to choose a password each month. Is it because they have a habit of letting slip their secret word every few weeks? I doubt it.
If you are honest, you will admit that it is a security blanket that provides no benefit. What you might not realise is that it actually causes genuine harm to the security of your network.
How can it be less secure?
It is less secure because people are not readily able to remember complex sequences of letters and numbers at the drop of a hat. They become used to typing a password (due in part to muscle memory), and when they have to change it they will not remember by the next day what new password they chose if it is too complex.
Therefore, they will fall back to simple passwords.
Complex passwords can be simple
Just because you require complex passwords, it does not mean that they will actually be complex. For example, most companies require a mixture of case and numbers to be present in a password.
This is a good example: AgXAgR30424
It is almost impossible to remember for the average person who just wants to get on with using their PC.
This is another example of a password that meets our requirements:
April2007
It is 9 characters long, contains a mixture of upper and lower case and even four numbers. It is completely insecure. I’d bet that if you have such a password policy on your network, you also have more than one or two users with such passwords.
My take on good passwords
I would like IT policy to require a small amount of user training before they choose their password. This would happen when they are first given access to the network.
They should choose a good password that they will keep until such a time that they wish to change it, either because they had to share it with someone (e.g. they were off sick and had important files locked away) or that they are bored with it. They should be allowed to decide when this happens.
A good password can often be formed by smashing two words together in a nonsensical way and appending a semi-meaningful number (for example, a year with some marginal significance to the user). An example might be SummerGoose54. It has no real meaning, but is memorable to the person who set it. Furthermore, once they have entered it more than a couple of times it becomes ingrained. It takes more effort to un-learn it and replace it with a new password, however, and if they are ‘required’ to do so it will usually lead to them locking their account.
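To make the point concrete that a composition rule does not measure strength, here is a small Python script (example code written for this page, not the author's own tooling) that applies the kind of length/case/digit rule described above to the three passwords discussed (AgXAgR30424, April2007 and SummerGoose54) and then estimates the number of guesses an attacker who recognises the password's structure would actually need. The 20,000-word dictionary size, the 1900–2099 year range, and the regular-expression heuristic that treats "two capitalised words plus digits" as the two-words-smashed-together scheme are all assumptions made for this example.

```python
import math
import re

# Composition rule of the kind the article describes (constructed for this example):
# minimum length, both letter cases, and at least one digit.
MIN_LENGTH = 8

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}

# Assumed size of the word list an attacker would try against the
# "two words smashed together" scheme. A labelled assumption, not a measurement.
ASSUMED_WORDLIST_SIZE = 20_000


def meets_composition_policy(pw: str) -> bool:
    """True if the password satisfies the length/case/digit composition rule."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def detect_pattern(pw: str):
    """Return (pattern_name, guess_count) for a recognised weak structure, else None.

    guess_count is the size of the search space an attacker who knows the
    pattern has to cover; that, not the character mix, is what decides strength.
    """
    # Month name followed by a four-digit year, e.g. April2007
    m = re.fullmatch(r"([A-Za-z]+)((?:19|20)\d{2})", pw)
    if m and m.group(1).lower() in MONTHS:
        return "month+year", 12 * 200          # 12 months x years 1900-2099 (assumed range)
    # Two capitalised words followed by digits, e.g. SummerGoose54.
    # Heuristic on shape only; no dictionary lookup is performed.
    m = re.fullmatch(r"([A-Z][a-z]+)([A-Z][a-z]+)(\d+)", pw)
    if m:
        return "word+word+digits", ASSUMED_WORDLIST_SIZE ** 2 * 10 ** len(m.group(3))
    return None


def brute_force_space(pw: str) -> int:
    """Search space for a password with no recognised structure: alphabet ** length."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33                          # printable ASCII symbols
    return alphabet ** len(pw)


def estimate_guesses(pw: str) -> int:
    """Guesses an informed attacker needs: the pattern's search space if a
    pattern matches, otherwise the brute-force space."""
    hit = detect_pattern(pw)
    return hit[1] if hit else brute_force_space(pw)


def assess(pw: str) -> dict:
    """Combine the composition check with the structural strength estimate."""
    hit = detect_pattern(pw)
    return {
        "meets_policy": meets_composition_policy(pw),
        "pattern": hit[0] if hit else None,
        "guess_bits": round(math.log2(estimate_guesses(pw)), 1),
    }


if __name__ == "__main__":
    for pw in ("AgXAgR30424", "April2007", "SummerGoose54"):
        print(pw, assess(pw))
```

All three passwords satisfy the composition rule. April2007 nonetheless sits in a search space of about 2,400 guesses (roughly 11 bits) despite its case mix and four digits; SummerGoose54 comes out near 35 bits under the assumed word list, far better but well short of what its length suggests; only the random AgXAgR30424 (about 65 bits) is as strong as the composition rule implies. A policy engine that counts character classes accepts all three equally, so if a policy is going to reject anything it should reject recognisable structure (and, in practice, known-compromised passwords) rather than insist on a character mix.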
Finally, users must understand that they cannot use the same password elsewhere.
Finally
I hope I have at least made you think about the human aspect of security policy, and how your ‘ultra-secure’ approach might actually be reducing security.
