Forced Password Change and set rules flawed?

Daithi McGee

Hi just thought I would throw this out there to you guys and gals as I am in the middle of a consultation with a company over IT security.

I am of the opinion that forced password changes, say every 30 days, that must meet a set requirement of something like one capital letter, numbers and a symbol etc etc are inherently flawed as the average user in a large company will be forced into a standardised routine. They will by the nature of the system use a system that will enable them to remember their new chosen password for example Month Year Symbol. Mar2009! to Apr2009! etc

Using a system that relies on no matching characters in the last password to the new one leads to passwords being noted somewhere which is another flaw in itself. The average user cannot be creative by the nature of the system and if they are you inevitably get a call from someone saying "I forgot me password"

Is it a better system to educate an employee of the merits of a unique and well thought out password than the system mentioned above?

Just wondering.

gnxx

I would agree. I suspect that the the advice to change passwords stems from organisations where passwords are shared with other users.

Using a well designed password with a mixture of numbers, caps etc for years is perfectly reasonable when coupled with other security measures.

If you have a well-protected network coupled with a good security policy, there should be no reason to change passwords frequently.

IH77

Agree that is a flawed method. I work for an organisation that makes you change the password approx every 60 days to a nine letter password of complete nonsense. Eg. roh-paz-gim.

Yes, eventually you remember it but not before you need to write it down somewhere for the first few days/weeks.

I agree better to educate the employee how to create a (satisfactory) password only they would remember with no risk of them needing to write it down.

AARRRGH

I also think the current system is flawed. I have no problem with the user being forced to use a non-dictionary word, a capital letter, a number, etc., but forcing users to change their password every 30 days or so just results in password1, password2, password3...

However I do think users should be forced to change their password every now and then, just in case.

Daithi McGee

My thinking exactly, To all of the above posts.

Thanks guys.

_CreeD_

The problem isn't the idea of changing them regularly and adding complexity requirements, it's with the fact that users will do everything they can to avoid this and in the end compromise your security even worse than if you kept it simple. Yup we have to keep usability in mind when designing secure systems, after all if you can't use it what's the point, but the attitude of 99.9% of users out there is just ridiculous. Somehow their system will be magically secure if they use predictable systems to generate their passwords, or leave it as a sticky on their desk (I've had a few Sales guys place laminated stickies on their laptops....My boss wouldn't let me keep the laptops and send them an etcha-sketch though). Computer use and securing it at a basic level with a password is a basic work skill now, if people can't do it they don't need to be in that job.
It'd be like having a discussion about how locking the office door after you is too much of an inconvenience and sometimes users bump into it because they forgot it was locked, or they couldn't remember how to put the key in....hell where is the key again?...ah there pinned to the door with a bright orange ribbon in case we forgot...

Okay rant off , just bothers me that simple username/password systems are treated as unfair and worth of bypassing (and how that is let go by management at most companies).

Unfortunately a policy that requires frequent password changes will result in client laziness to remember them, a security vulnerability too (like sticky notes with passwords on computer screens or hidden inside an unlocked top drawer).

There are software and hardware solutions to remembering gibberish passwords that might be worth investigating, and would allow for a frequent and secure change of passwords, some of them freeware like Password Safe? See PC World Review at http://www.pcworld.com/downloads/file/fid,23779-order,4/description.html

If you have a few bucks, there are two factor security methods of access control and authentication that are simple for clients to use, like a biometric finger swipe used in conjunction with a smart card, neither of which would require an employee to remember a gibberish password.

The best security lies with the administrator hardening his site, rather than delegating security to a diverse set of clients with varying knowledge and motivation?

Screaming Monkey

an interesting bit of research by microsoft on password habits and some science to the myths and ideas - "A LargeScale Study of Web Password Habits"
http://research.microsoft.com/apps/pubs/?id=74164

reminds me of the story in a financial institution the Windows Domain admin password was split into two, so one sysadmin knew the first 10chars and the other sysadmin knew the second 10chars, todo any work they had to be together and it changed every 30days. Completely insane, but it was secure and auditors passed it.

We run passwd crackers on our unix/windows user db, anybody outside the policy gets an email. As for windows if its less than 14chars and you have access to the Windows SAM, then it can be cracked in 2mins.

SM

mick.fr

The system is not flawed, the user is

Biometric authentication and swipe cards systems are gone very cheap nowadays, might be worth a look.