Pass the password

For the last time. Stop making me change my password

By Ben Furfie, published December 6, 2010

This is a message to CIOs. Stop making me change my password.

Seriously. The idea that changing a password regularly will somehow prevent someone from getting into the system is a fallacy. If anything, it's more likely someone will get in to it because of it. And here's why.

I'm lucky that I have at least five or six passwords that I regularly use, but the average user will likely have only one or two. And the chances are, again, that they'll be incredibly weak passwords - like the name of their partner, or their anniversary. You know, the type of passwords that are incredibly vulnerable to social engineering.

Make them try and remember more than that - which is what you're doing by making them change their password every 30 days - and you can guarantee they'll have to write them down somewhere.

In fact, here's some homework. After reading this, go around your company, but avoid your IT department: they aren't your usual worker and will be used to having lots of different passwords. Go to accounts, customer service, in fact, anywhere you will find people who didn't really use a computer before starting work.

Now look at their monitor - or, if you're particularly daring, the top drawer of their desk. Oh, what's that? Their password!? Don't be so shocked.

Rather than punish them, reconsider the incredibly counterproductive policy of using Windows' Password Policy tool. It's useless at best, dangerous at worst.

Consider this. Maha down in accounts wants to set her password as something memorable, so she sets it as her pet cat's name, fluffy. As time goes on, every time the system prompts her to change the password, all she does is change it to fluffy1, fluffy2, fluffy3, fluffy4 and so on. Does that help protect your system from social engineering? No, of course it doesn't.
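To make the fluffy1, fluffy2 pattern concrete from the defender's side, here is an added example (not from the original post) of the kind of check a password-change handler can run: at change time the handler holds both the old and the proposed new password, so it can reject a candidate that is just the old one with a bumped counter or a couple of characters changed. The edit-distance threshold of 2 is an assumed policy value, and the plaintext history list exists only for the demonstration.

```python
import re
from typing import List, Optional

# Added example, not from the original post. At password-change time the
# handler has both the old and the proposed new password in plaintext, so
# it can compare them directly before the new one is hashed and stored.
# The edit-distance threshold (2) is an assumed policy value.

TRAILING_DIGITS = re.compile(r"\d+$")


def strip_trailing_counter(password: str) -> str:
    """'Fluffy3' -> 'fluffy': drop a trailing run of digits and case-fold."""
    return TRAILING_DIGITS.sub("", password).casefold()


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # delete ca
                current[j - 1] + 1,            # insert cb
                previous[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        previous = current
    return previous[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is just `old` with a bumped counter or a couple of tweaks."""
    if new.casefold() == old.casefold():
        return True
    old_stem, new_stem = strip_trailing_counter(old), strip_trailing_counter(new)
    # Same stem with only the counter changed: fluffy1 -> fluffy2.
    # Skip this rule when the stem is empty (an all-digit password).
    if old_stem and old_stem == new_stem:
        return True
    # Also catch fluffy -> Fluffy! or fluffy1 -> fluffy1x.
    return levenshtein(old.casefold(), new.casefold()) <= max_edits


def check_against_history(new: str, history: List[str]) -> Optional[str]:
    """Return the historical password that `new` is a trivial variant of, or None.

    `history` holds previous plaintexts only for this constructed demo; a real
    system keeps hashes and can compare only against the current password,
    which the user has just proved they know.
    """
    for old in history:
        if is_trivial_rotation(old, new):
            return old
    return None


if __name__ == "__main__":
    maha_history = ["fluffy", "fluffy1", "fluffy2", "fluffy3"]  # constructed sample
    for candidate in ["fluffy4", "Fluffy3!", "correct horse battery staple"]:
        hit = check_against_history(candidate, maha_history)
        verdict = f"rejected (variant of {hit!r})" if hit else "accepted"
        print(f"{candidate!r}: {verdict}")
```

The stem comparison catches the exact pattern in the post; the edit-distance fallback catches the near-misses (a changed capital, an appended symbol) that a stem check alone would let through. Note that this check only addresses the symptom the post describes; it does nothing about the sticky-note problem.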

Even if you prevent them from being able to use a password like that, the chances are that on password change day and the day after, your help desk is going to be swamped with people who have locked themselves out of their system, or have forgotten their new password the next day. That's why so many of them write their passwords down on a sticky note and either place it on their monitor, or in their top drawer.

Now, if that's not more of a security risk than having one hard password and memorising it, then I don't know what is.

To recap:
• Forcing a user to change their password constantly - especially those that don't use computers much outside of work (i.e. people outside of the IT department) - leads to one thing and one thing only. No, not security. It leads to poor passwords.

• Forcing a user to change their password doesn't prevent an attack on your system. If a hacker managed to obtain one of your users' passwords, do you really think they're going to sit around for 30 days before they do anything? No, of course they're not - and within 30 days, they'll have likely got all the data they'd want anyway.

• It compromises the user's own security. When you make a user change their password often, they're more likely to use the same password as their internet banking, online shopping, and government agency accounts. Once those are compromised, they are very difficult to change, and can lead to all sorts of problems for your colleague. So don't be selfish.

If you really need to implement a strict access policy - such as at government agencies or financial institutions - consider investing in some thumb scanner keyboards or facial recognition software.


Rant over.

2808 days ago
Jott Prince does not seem to be ready. It does not seem to be user friendly.

2815 days ago

The answer that users cannot remember passwords is an excuse. I have several passwords and I remember them all. Why? Because they are important to me. What the user is really telling you is that password security is not important. Users are continually improving their skills. It is safe to say they learn 1 new thing every 3 months. Is that too much to ask?

2843 days ago

I agree, this is a huge problem & I know that many people do exactly what you've written about, i.e. fluffy1, 2, 3 etc., as well as writing their passwords down.

There is one more thing to consider, companies often have more than 1 system that needs passwords so we are talking about this problem being several times larger.

I agree on all points. At the end of the day it's the IT department inconveniencing & hurting everyone just so they can claim they take precautions.
