
Strong passwords: realistic or burdensome?

You don't have to run a large IT shop to know that security is a major issue. However, when rules meant to protect data become too heavy a burden for users to maintain, rules have a tendency to fly out the window. Are your users applying the rules or ignoring them?

Hackers and information thieves grow more sophisticated every day. That forces you, your company's main line of defense, to be more diligent. Passwords are a good example of this constant drive to protect your small company's data. Large organizations have the benefit of more sophisticated security measures and policies, but small businesses have to rely on smaller-scale options, such as strong user passwords.

Trying to stay one step ahead of thieves and mischief-makers, we add rule upon rule to the process of generating passwords. Each rule makes sense, but they can become a burden to your users, who will take shortcuts -- so do all those rules help or hinder the process? In theory, the rules are good. In practice, they can become impractical.

You're probably already familiar with the general guidelines for creating and using passwords, which originated with the Department of Defense (DOD Password Management Guideline):

  1. Use a unique password for every account that requires one.
  2. Memorize your passwords; don't write them down.
  3. Passwords should be at least six characters long (more is better).
  4. Replace all passwords regularly.
  5. Passwords should contain a mixture of characters: upper and lower case letters, numerals, and other special characters.

Again, in theory, there's a good reason for each rule, but you might have a hard time enforcing them. User resistance in a small shop can be especially frustrating due to the lack of standardized policies. Right or wrong, users in a small shop are more apt to think, "Who really cares? Who's going to know?" First, the atmosphere is just less formal in smaller shops. It's much easier to bend the rules. Second, small shops don't have the personnel to enforce policies. Third, training is often hit or miss, and users might not even be aware that you have a password policy. Users in general aren't being malicious by bypassing your rules; they're just trying to get their work done, just like you.

Where does that leave you? Well... mostly uninformed as to whether your users are following password security policy. To find out, you'll have to get inside your users' heads. Their reasons might be legitimate:

  • It's difficult to memorize several patterns of numerous characters that mean absolutely nothing.
  • Just about the time users are comfortable with all those different, meaningless patterns, you change all of them and they have to start all over again.
  • If they forget a password, which is easy to do, the system is likely to lock them out: as a security measure, most systems lock an account after a few incorrect sign-on attempts. That means they have to wait for you to reset the account -- it wastes their time and annoys you.

Too bad, you say? Maybe, but that sentiment alone won't keep your users from cheating.

Here's my challenge to you: Over the next few days, visit each user and ask to look under their mouse pads and keyboards. I predict you'll find a few lists of passwords if your company changes passwords on a regular basis. Be sure to turn over the pads and keyboards, because the smart ones will tape their lists to the bottoms. If you don't find a list under or taped to the mouse pad or keyboard, ask each user where they keep their list. They'll pull them out of their top desk drawers and file cabinets and point to their bulletin boards.

Of course, you must reassure them that they're not in trouble and that they're actually helping you. In a small shop, this really shouldn't be too hard because of the friendly and casual atmosphere, right?

What it all boils down to is this: If rules become too hard to follow, users ignore them. Learning how your users mind your security policies is just the first step. How you resolve the problem is up to you. Just don't make the mistake of thinking all is well -- because it probably isn't. In a small shop, with fewer stopgaps and fewer resources, you can't afford to ignore even the smallest potential for trouble.

About

Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.

16 comments
Deadly Ernest

everyone have a new login password that was six to twelve characters with minimums of one upper case, one lower case, one numeral, and no real words or swear words. To be changed each month. Two months later I went to the computer centre and broke 85% of the passwords with a few variants of Fo0k0ffU10 - the last two digits being the month indicator for the month they were in, as everyone changed on the last day or first working day of the month. And yes, it was a military establishment. I also broke half the real complex passwords in his area simply by looking for a weird word written down near where his staff worked. That got my total up to 92% within half an hour on a base of just over seven hundred people. That demonstration sent him crazy, but got a minute from the base commander to change the policy to a less complex annual one for general login instead of monthly, while classified data areas got a more stringent password policy.

Deadly Ernest

if you have one really strong password and use it all the time, as soon as someone breaks it at a weak site, they've got you. I've several passwords of varying strength which I use at different levels of sites. Boards like this have a totally different style of password to my bank accounts. Whatever you use should be capable of being easy to remember or to encrypt somewhere that you keep it. One person I know of uses eight-character passwords that they keep listed in their personal phone book with some encryption she uses. It looks like a name and phone number but identifies the site and password to her. That way she has it if she forgets it.

A.V.B.

Length vs Complexity... I would rather see users have an easy-to-remember password that is long (10+ or 12+ characters) than something cryptic that they will write down because they can't remember it. I have removed many passwords taped to the bottom of keyboards. Something like a jumbled phrase with a few special characters added in is easy to remember but long enough to make it hard to crack (without a device).

yxjqlpsc

Diceware is a free & open system for creating pass phrases with provable security quickly and easily, by rolling dice. Diceware pass phrases are easy to remember, and except for broken services where password lengths are limited to just a few keystrokes, the system provides a complete solution. Two words from Diceware are more than adequate for most LAN user logins, three for most admin logins; use more for cryptographic security where applicable. http://diceware.com

OldER Mycroft

My personal practice is to employ the use of descriptive passwords with a twist. ALL my passwords are FULL postal addresses of companies I have worked for, together with portions of direct line telephone numbers and aspects of the current salary at that time. Since companies move premises, change telephone numbers, go out of business, buildings are demolished, and very few ever knew my salary (those that did are all dead now [natural causes!]) - I would defy anyone to fathom any of my passwords. The shortest is 24 characters and is spelled in native Norwegian, including accents on specific letters. My first logon password was in 1975. Since then I've never forgotten ANY of them. Of course, if you've sat in the same job for 35 years then you're a bit snookered. :p

mikifinaz1

Monitor passwords (as well as office spaces) and will jam up users that don't follow the rules.

CodeCurmudgeon

Of the DOD standards listed above, I would only consider the first burdensome - A different password for every password-protected system makes it too easy to forget which password belongs to which, particularly once you get beyond a few, not to mention the problem of just plain forgetting the lesser-used ones. On the other hand, the shortest password I've used lately is eight characters long, and that is only because the system in question only allows eight. Twelve to sixteen characters is more usual. I've been using the "initials of (usually) two phrases including punctuation + a number" method. Now, I do have to admit that using initials does skew the distribution away from random, and might make guessing a password a tad easier, but I've been carrying a fair quantity of verse around in my head for a LONG time, some of it since I was three, so I can consistently remember them. OTOH, if someone did manage to perceive what I'm basing my passwords on, it would be a lot easier for them to crack the next, so I do not recommend password sequences based on anything too well known. So if someone figures out that your password starts with OFwaih:HbTn. . . It would be too likely for people to recognize that your next one would likely start out with Tkc. . .

bulk

I've worked in Zurich for the last 10 years with big banks and insurance companies. Out of self-defence I've developed a set of suggestions for users to manage the very onerous password policies imposed by the banks. Pick an easy-to-remember nonsense 3-char string, which will never change. Tack any of /*- or + on the front. These characters are always available on the numeric block on any language keyboard. Using these helps reduce lockouts because the shift key is on or the non-user keyboard mapping is wrong. Finally, tack numerics for YY and MM on the end. Change the YY MM bit each password change time. Move the elements of the password around to suit. This scheme yields a highly secure 8-char password that is easy to remember and easy to change. RS

Deadly Ernest

I often suggest to people to use a phrase they know well, but with a few character changes - some examples being: Oh can you see by dawn's == 0canUCbydawn is a fairly good twelve-character password that few US citizens would forget. Or Guy Fawkes' Night == gUYforksN1t for a UK citizen. I doubt anyone would use these examples, but they give you the idea. Even if they forget the exact wording of the password, knowing the phrase and the conversion method means they can soon work it out again. Although I haven't had anyone forget one of this style yet, touch wood. It would seem the trouble taken to convert it burns it into the brain.

ITSecurityGuy

on here already offering up information that reduces the strength of their passwords, unless they're lying. I sincerely hope that's the case. What's the sense in using a 24-character or longer password in native Norwegian, then coming on here to tell everyone about it? None. By doing so, anyone using a brute force method on your password now knows to eliminate anything shorter than 24 characters and not using the Norwegian alphabet. Why would you want to advertise that?

ITSecurityGuy

Now, if you have been kind enough to provide clues in any of your other posts as to where you have worked, I could be retired, after buying a private island, by the end of the summer. An 8-character password has 52-bit strength at best, if there is no requirement that any of the characters be numeric. By your rules, those who follow your suggestion have used exactly 4 numeric digits. Even such a password with a minimum of 4 digits (but possibly 4, 5, 6, 7 or 8) has no better than 37-bit strength. Knowing that they have likely used one of three special characters, a 3-letter string with at least one alpha character (as required by most policies) and the mmyy string probably reduces that bit strength to about 16-bit. If your post is true, and not a joke, you, sir, are the most foolish person I have ever heard to provide "security" advice to anyone. Not only have you given foolish advice to those individuals, many of them know there are probably many other such passwords based upon your suggestions throughout their firm. If there are any crooks among them, it will be very easy for them to guess other passwords rather quickly, and without tripping any lockouts, if done with patience. Now, you have offered up this knowledge to many, many very knowledgeable techies, who could very easily use this against those firms, to break in. You should find a new profession. This one is far beyond your intellectual capabilities.
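The strength figures argued over in this thread (the Diceware word counts above and the critique of the "prefix symbol + 3-char string + YYMM" scheme) come down to counting the keyspace a policy actually leaves. The script below is an added example for that kind of policy review, not code from the article or any commenter; its alphabet sizes, the 24-month window for YYMM and the four prefix symbols are constructed assumptions, so the bit counts are illustrative rather than a reproduction of the commenter's numbers.

```python
import math

# Constructed assumptions for the estimates (not figures from the page):
PRINTABLE_ASCII = 94         # printable non-space ASCII characters
ALPHANUMERIC = 62            # a-z, A-Z, 0-9
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per roll of five dice
PREFIX_SYMBOLS = 4           # the / * - + keys on the numeric block
YYMM_WINDOW_MONTHS = 24      # plausible YYMM values if rotation is roughly known
ELEMENT_ORDERINGS = 6        # 3! ways to arrange prefix, string and date


def bits(keyspace: int) -> float:
    """Entropy in bits of a value drawn uniformly from `keyspace` possibilities."""
    return math.log2(keyspace)


def random_chars_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Upper bound for a truly random password of `length` characters."""
    return bits(alphabet ** length)


def diceware_bits(words: int) -> float:
    """Entropy of a Diceware passphrase of `words` words (about 12.9 bits each)."""
    return bits(DICEWARE_LIST_SIZE ** words)


def structured_scheme_bits(period_known: bool = False,
                           order_known: bool = False) -> float:
    """Keyspace of the 'prefix symbol + 3-char string + YYMM' scheme.
    Each flag drops a factor a defender cannot rely on: a known rotation
    period fixes the YYMM part, a known house layout fixes the ordering."""
    keyspace = PREFIX_SYMBOLS * ALPHANUMERIC ** 3
    if not period_known:
        keyspace *= YYMM_WINDOW_MONTHS
    if not order_known:
        keyspace *= ELEMENT_ORDERINGS
    return bits(keyspace)


def compare_schemes() -> dict:
    """Bits of entropy per scheme, rounded, for side-by-side policy review."""
    return {
        "random 8 printable chars": round(random_chars_bits(8), 1),
        "diceware 2 words": round(diceware_bits(2), 1),
        "diceware 3 words": round(diceware_bits(3), 1),
        "structured, nothing known": round(structured_scheme_bits(), 1),
        "structured, period known": round(structured_scheme_bits(True), 1),
        "structured, period+order known": round(structured_scheme_bits(True, True), 1),
    }


if __name__ == "__main__":
    for name, b in compare_schemes().items():
        print(f"{name:32s} {b:5.1f} bits")
```

The point the comparison makes is that the nominal 8-character keyspace (about 52 bits) shrinks to roughly 20 bits once the structure and the rotation calendar are known, which is why a policy review has to count what an informed party can assume rather than raw length.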

Tony Hopkinson

four character password...... :p Saying that I find strong password policies counter productive, people tend to write them down.....

Deadly Ernest

but stated one to get the idea across - I think a Klingon phrase would be a good password too, but I prefer to use Swahili or Navaho as they're more confusing.

ITSecurityGuy

It didn't occur to me until you mentioned it, but I seem to recall hearing something to that effect when I saw "Windtalkers." However, apparently that changed in 1940, although it's doubtful the code talkers ever learned the written language, at least not prior to the war. http://www.omniglot.com/writing/navajo.htm

Deadly Ernest

as my understanding is it doesn't have a written form but is a totally oral language.

ITSecurityGuy

and addressing it, when I said "unless they are lying". And I went on to say "I hope so".
