Recently I have spent time at a number of customer sites taking a look at how they their business processes integrate with their systems only to find some alarming trends! Things that may be seen as best practice really aren’t.
More and more often these days we are receiving requests to change passwords every 30 days, these requests are often brought on from a recommendation by an auditors or similar. Unfortunately people who recommend this couldn’t be more wrong in thinking that it is good security practice.
Common issues caused by frequently changing passwords
- Users can’t keep up with what their passwords are and have to keep getting them reset. A serious time stealer! And depending on how strict your password policy is can mean that users are not able to login for an extended period of time, this obviously having a negative impact on productivity.
- Changing passwords too frequently encourages people to use weak passwords because they can’t remember them and it keeps saying that they have used the password before. As a result users tend to set their passwords to something very simple, or the same as before with just a single character different.
- Shock and horror, users write their password down! This is the worst side effect of these forced password changes. Not only do they write them in their diaries, I have seen a few people put them on post it notes and stick them on the screen!
These few points alone should have you questioning weathers it’s such a good idea after all?
Ever thought of using a passphrase?
Some food for thought to make people think a little more about passwords and apply some common sense to the all too familiar issues of security…
Pass phrases are not at all a new idea, they just never caught on in the desktop user arena. This, in my opinion, is a travesty. I was using passphrases way back in my web hosting days and, in that arena, it was the norm. Pass phrases don’t have to be complicated. They can be very simple in fact. If you want your password to be your dog’s name and year of acquisition, for example, you may choose this as your password:
Instead of just the word, why not use the following:
“My dog is Rolph and he was born in 99”
That is a much better password and infinitely more secure than the first example. Having spaces in it alone increases its security many times over. Your password could also be a quote from a film you like or anything else that is personal and can be captured in a sentence. Believe it or not, you can have a password of up to 127 characters!
Other precautionary measures to take when changing a password
- It is also worth noting that password strength is just one part of your system’s security. It doesn’t matter how good a password is if even just one user leaves their machine logged on and unattended. Workstation locking is an essential part of your security and the best way to ensure machines are locked is to enforce screen saver passwords, so if a user leaves their PC and forgets to lock it, the machine will lock in due course. Choosing a setting is basically a balance between security and convenience.
- If a user sees or feels that someone may have seen their password, they should change it right away. Just ensure that a good passphrase is chosen so the account is kept secure.
- Lastly another shock and horror for me, where an application vendor has said that their app only works if the server is logged on. So many times I have seen companies who have a server which is logged in as an administrator and just left like that. This is far worse than any desktop password issue, as someone can just use the screen to do with whatever they please.
It is really important to apply common sense to security issues. Some auditors will make you jump through ridiculous hoops to comply with their whims. However, common sense must prevail and if you can explain your reasons for disagreeing, you will be surprised how happy they are to change the rules.
Essentially, users need to understand and take responsibility for the security of the whole system. Breeding this in the ethos of a business is the best way to ensure that things are as secure as they can reasonably be.