The Password Policy Paradox
I thought I would write another quick post about passwords. I have already had two different conversations today about passwords. The idea of a password, what is right and wrong, how to implement them and what are the best policies to control them are not only interesting to me but a huge part of the world’s security. This is also a topic that is not going to be going away any time soon.
One of the hottest topics in administration is the Password Paradox. If policies are to slack, people will make short, easy to guess passwords. If policies are to strict, people will have long, complex passwords that they can’t remember and they will write them down and/or start using a pattern of just changing one character at a time. Any of these scenarios are not good.
This is where I would love your input. Let me know what kind of policies your place of work implements and what you do personally. How often do you change it? How many characters does it have to be? Do you use a unique password for every service or do you reuse one?
Now I’ll give my opinion.
First – I believe you do have to have certain restrictions. There should be a length requirement of at least 15 characters. I hate it when people say they can’t remember a password that long. Really? You can’t remember 15 characters that you type so many times every single day? It shouldn’t be that hard. But with a length requirement like that, you will stop almost all brute force attempts.
Second – I think your users need to be educated. There are a couple of specific things that everyone using a password should know. Don’t ever tell anyone or write down your password. This is two very good ways for security to be compromised. Users also need to realize what’s at stake. If someone with malicious intent gets a hold of a password, that’s game over. The hacker has won and they can have whatever they want. Every person in an organization needs to realize that their password is just as important as anything else and they need to hold onto it.
Everyone in the organization also needs to know that it’s not just fulfilling the policy requirements, you need to make a good password. ‘Password1!’ will satisfy most policy requirements but it is a horrible password. Policies are not in place to try to circumvent them, they are there to help you know what a good password should be made of.
Third – I absolutely loath people/organizations that restrict passwords. There is absolutely, positively no good reason as to why there should be a limit on character length. If I want to create a 50 character, a 100 character, a 250 character password, I should be able to. It’s text. With terabytes of storage in consumer computers now, we can afford to store a longer password. Do not ever limit yourself or your users like that.