My Wordspace

A dumpster full of various musings over life, God, scripture, and any random thought that may fly by meanwhile. Comments welcome.

Password Maintenance Woes

Posted by Iszi on February 12, 2007

I’ve just got to vent this right now.

My company has got to have quite probably the STUPIDEST password maintenance rules and policies in the world! Not only are there probably a dozen different systems that you might have a password in, but each one of them has their own specifications to be followed.

For example, the differences may include:

  • Length requirements
  • Dictionary exclusions
  • Allowed characters
  • Required characters
  • Expiration schedules
  • Reuse schedules
  • Change frequency

So, if I would want to have one password for all systems (which is a general security no-no of course, and even against written policy for some systems) or even a few systems, I would have to first make sure that it meets the length and character requirements of the system that demands the most complex password, then make sure that it doesn’t fall under any dictionary exclusions in another system (which has been known to kick passwords out for words of as few as three letters), and then make sure it isn’t excluded by the reuse policy in any of the others! Oh, and if I change a password in one system but it doesn’t jibe with another, I might have to wait a whole day to update the first one again!

Yeah, and by the way: You’ve got to do this every month, or 60 days, or 90 days, or whenever depending on which system you’re in! Sound confusing? Well it is! Of course, on the technical end, it’s supposed to be confusing – it is a security matter after all. But, on the human end the extreme complexity in itself can become a security risk. People will naturally want to simplify parts of their daily life which are complex. And the more complex, the greater the desire to simplify.

For example, let’s say you want a person to change their password once a month. Consider this a conversation between user and their computer. User is italicized, computer is bolded:

*Okay password change today, no big deal. We can handle this. Just breathe in, breathe out. Concentrate. Yeah, I’ve got it!*

**Good job. One problem. The password has to be longer than that!** *Oh, really? Hmm, let me think. Okay, I’ll add another word or throw some prefixes/suffixes on there, how about that?*

**Great, but…** *What?* **You need more character types.** *sigh* *Fine. I’ll throw in a number and a special character here and there. Happy?*

**Almost.** *What now?* **Well, you’ve got some words in there.** *Isn’t that what a password is?* **No, I mean *real* words. You know, stuff I could look up in a dictionary? We can’t allow that.** *Oh my God. Okay, how about I substitute some l337 5p34k in for some of this? Is that good enough?*

**I think so, let me check… Oh, no no no no! We can’t have this!** *What the bloody hell now?!?!* **Well you see, you used this password last year one time when you came up for renewal. Remember, (insert number) passwords ago?** *What the F&$K?!?!*

*Okay, that does it. I’ve got to be able to remember this thing somehow! I know: I’ll use my son’s name, the nickname we use for his soccer team – I know **that** can’t be in the dictionary – a number sign, and his jersey number! How about that?* **Well, let me see. Wow, that’s PLENTY long enough, you’ve got all the character types, no dictionary matches, and I don’t think you’ve ever used this before. It looks like a great password! No one will ever guess it, superb job!**

*Finally, thanks! Now let me update this other system that I use in the same program.* **Oh, wait. This one doesn’t like that password. Some of the characters you used aren’t recognized.** *Well $#%&! Fine, how about I change this bit? Is that good?*

**Yeah, that’s fine.** *Okay, thank you! Now let me go back and make that other one the same, so I don’t forget…*

**Whoa, wait. You want to do what?** *I don’t want to forget these passwords, so let me change the first one that I made to match the other one!* **Well, I don’t have a problem with you doing that… just not now. See, you just changed your password a few minutes ago and I can’t let you change it again now until tomorrow.**

Some computers just deserve to be shot.

Anyway, here is my key point. See what password the user ended up going with? Believe it or not, this accounts for the way probably 75% of users end up making their passwords. When I was doing computer migrations – where we needed to know the user’s password – I saw this all the time. Kids’ names, jersey numbers, pets’ names, vacation plans. Anything that will be easy for them to remember, all common-knowledge stuff for anyone who might know the smallest bit about these people. Or worse, they end up writing their password down somewhere near (or attached to) their computer so they won’t forget it! (Yes, I have seen this done.)

They choose the simplest way to deal with the most complex system, thereby nullifying any security benefits that are supposedly gained by making the system so complex! And for those who don’t do this? Well, I used to wonder why people called in so often with forgotten passwords. I guess I have my answer.
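To make the list of mismatched rules and the dialogue above concrete, here is an added illustration (not the author's code): three constructed systems with deliberately different length, character-set, dictionary and reuse rules, a checker that reports which system rejects a candidate and why, and the "strictest of everything" rule a single shared password would have to satisfy. The system names, their rules and the candidate passwords are all invented for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    allowed: str               # regex character class of characters the system accepts
    required_classes: int      # how many of lower / upper / digit / symbol must appear
    dictionary: frozenset = frozenset()   # excluded words, matched as substrings of 3+ letters
    history: tuple = ()        # earlier passwords this system refuses to let you reuse

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def reasons(pw, p):
    """Every rule of policy p that candidate pw violates (empty list means accepted)."""
    out = []
    if len(pw) < p.min_len:
        out.append(f"shorter than {p.min_len}")
    if not re.fullmatch(f"[{p.allowed}]+", pw):
        out.append("uses characters this system does not recognize")
    if sum(bool(re.search(c, pw)) for c in CLASS_PATTERNS) < p.required_classes:
        out.append(f"fewer than {p.required_classes} character types")
    hits = sorted(w for w in p.dictionary if len(w) >= 3 and w in pw.lower())
    if hits:
        out.append(f"contains dictionary word(s) {hits}")
    if pw in p.history:
        out.append("reuses a previous password")
    return out

def rejections(pw, policies):
    # Map each rejecting system to its reasons; {} means every system accepts pw.
    return {p.name: r for p in policies if (r := reasons(pw, p))}

# Constructed systems (not real products), each with its own idea of a "good" password.
SYSTEMS = (
    Policy("hr-portal", 8, r"A-Za-z0-9#$%&!", 3, frozenset({"summer", "pass", "the"})),
    Policy("mainframe", 8, r"A-Za-z0-9!", 2, history=("Summer07!",)),   # '#' not recognized
    Policy("email", 10, r"A-Za-z0-9#$%&!@", 3),
)

def strictest_requirements(policies):
    """The de facto rule one shared password must meet: the strictest value of every field."""
    return {"min_len": max(p.min_len for p in policies),
            "required_classes": max(p.required_classes for p in policies),
            "dictionary": frozenset().union(*(p.dictionary for p in policies))}

if __name__ == "__main__":
    for candidate in ("summer07", "Summer07!", "KyleWombats#7", "KyleWombats!7"):
        print(candidate, "->", rejections(candidate, SYSTEMS) or "accepted everywhere")
```

Running it reproduces the story: the name-plus-jersey-number candidate clears every rule except the one system that does not recognize `#`, and only after that character is swapped does every system accept it.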

