TechRepublic members generally agree on the need for a security policy to govern corporate passwords. But many think that password policies can actually create problems if they’re too stringent. IT professionals responding to our recent article on creating password policies questioned the effectiveness of overly complex policies and the requirement to change passwords frequently.

A number of members said that stringent policies could introduce unintended vulnerabilities by forcing users into risky behaviors, such as writing down passwords and keeping them near their workstations.

The debate also calls into question the soundness of relying on passwords as the primary security device. Passwords, members suggested, aren’t the best means of securing network data. But because the password system is the easiest and most widely accepted measure in place, organizations must take steps to make it work better.

How safe are passwords?
Although the recommendation is for users to create complex passwords that are difficult to crack, many net admins feel that this complexity can present problems.

Network systems engineer Jim Willeke said that people typically write down complicated passwords, creating a new security risk. He also noted that complex passwords can cost time and money when users forget them. A forgotten password results in a call to the help desk and lost productivity as the user takes the time to have the password reset and to create a new one.

“More concentration should be [focused] on training people about security than spending valuable time writing password policies that are beyond the reasonable expectations of humans,” Willeke said.

Other members pointed out problems with requiring users to change their passwords often.

Mike Emeigh said, “Frequent password changes almost force the users to write them down somewhere so that they don’t forget the password this month, and that’s much more of a risk to security.”

And Christie Bradley argued that there’s little evidence to suggest that changing passwords periodically is even an effective security practice. She said that methods used to incrementally change passwords to make them easier to remember are also flawed and recommended the enforcement of complex passwords.

“It is far more effective to enforce the use of strong passwords, to continue running programs like Crack, and to make users change passwords when they are broken.”

One member questioned the value of passwords altogether, arguing that using them as the primary security measure results in weak security. Member b4real agreed.

“The direction we are headed is to converge our authentication strategies (passwords included) to secure authentication devices—things like Smart Cards and SecureIDs—used to authenticate for all IT resources.”

Member V. Katalov of ElcomSoft said that passwords might be weaker than many people realize. ElcomSoft, a Moscow-based software development company, writes password recovery programs.

“In most cases, social engineering and brute force are not even needed,” Katalov said.

Password length and complexity are ineffective security methods because “any password can be recovered (or removed or replaced) instantly” via programs such as those his company develops. He said customers are usually surprised to discover how vulnerable their passwords are.

Admins have obvious concerns about how password security is managed and the practicality of relying on passwords and password policies as the primary means of securing their networks. Until organizations turn to a practical alternative, however, member Dominicon offered this trick to help users create good passwords that are easy to remember:

  • Start with a familiar phrase you can remember, for example, “The quick brown fox jumped over the lazy dog.”
  • Use the first letter of each word to create the password and change some of the capitalization: tQbfjotLd.
  • Add numbers or punctuation to make the word more complex: 20!tQbfjotLd!02. The numbers should be significant in some way so that you can remember them: graduation dates, anniversaries, birth dates, etc.

Dominicon also suggested using CD or book titles or family names for the letters that make up passwords. The advantage of Dominicon’s system is that it produces passwords that are difficult to crack but easy for users to remember. If an administrator avoids a password policy that dictates frequent changes, this could effectively eliminate the problem of users writing down information and keeping it near their workstations.

Password challenges
Most members seem to agree that reliance on passwords isn’t the best approach to security and that going too far with a password policy can actually exacerbate security risks. But until organizations move to better methods of securing network data, they can employ strategies similar to the one outlined by Dominicon for developing strong, easily remembered passwords. It’s not the ultimate solution, but it’s a viable step for improving current practices until organizations can adopt more robust security measures.

Other password pointers