Throw Password Rules Under the Bus?

I ran across Tom Olzak’s post where he quotes from a SANS article by Daniel Wesemann, Password rules: Change them every 25 years. I disagree with both of them on a few points.

First, Olzak notes in his introductory paragraph that

Even the use of strong passwords is often regarded as either less secure—because users inevitably write them down—or a hindrance to productivity.

I’ll agree that using strong passwords takes a bit more time, but the greater hindrance is experienced by the attacker. Also, just because something is easy doesn’t mean it’s the right thing to do. If doing the right thing takes more effort than doing the easy thing, does that mean that you are not as productive? No!

Furthermore, the problem is not that strong passwords are used, but rather what users do with them: write them down and leave them under keyboards, on walls, etc. The strong password is NOT the problem, what the user does with the password is.

I’m sure Olzak and others would say that the strong password IS the problem, and the reason they wrote it down is because it’s complex and hard to remember. However, if users treat written-down passwords like they do cash and credit cards, those passwords would remain secure. If passwords are not secured, it’s because users don’t value them.

If businesses tied use and protection of strong passwords (and security in general) to a person’s performance review (there’s the cash again), behaviors would change for the better quite quickly. However, users follow management, and most management really doesn’t care about security, as management’s own security practices are remiss.

The SANS article also noted that

There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called “Phishing” and “Social Engineering” attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope to get lucky (“Brute Force”)
(c) Obtain the encrypted/hashed password somehow, and crack it
(d) Leech the password off your computer with keylogger malware

Wesemann goes on to say that changing passwords every 90 days doesn’t make these situations less likely, and attackers will soon search for a simpler victim.

Second, I disagree that attackers will quickly look for an easier target after a couple of days. Attacks are becoming more and more targeted, so attackers are more interested in the passwords of specific accounts, not just the first password they can crack, which is the reason for the attack in the first place.

Third, if proper complexity is used, passwords CAN stand their ground until the 90 days are up. The problem is that most users don’t use long enough and/or complex enough passwords. I do recognize that with constant technology advances, this is becoming a losing battle. However, until management provides the funds to add an additional factor to authentication, most systems will continue to rely only on passwords.
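To make the "long enough and/or complex enough" argument concrete, here is an added example (not code from the post or from the SANS article) that estimates the search space a password policy gives an attacker and whether exhausting it takes longer than a 90-day rotation window. The character-class sizes, the guess rates (a rate-limited login prompt versus offline cracking of a fast hash) and the policies compared are all constructed assumptions for illustration; the calculation is the best case for the defender, since it assumes passwords are chosen uniformly at random, which human-chosen passwords never are.

```python
import math
from typing import Dict, List, Sequence

# Constructed assumptions: size of each character class a policy may require.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,   # printable ASCII punctuation
}

# Constructed assumptions for attacker guess rates (guesses per second).
ONLINE_RATE = 10.0        # throttled login prompt, scenario (b) in the SANS list
OFFLINE_RATE = 1e9        # cracking a stolen fast hash, scenario (c)

SECONDS_PER_DAY = 86_400


def keyspace_bits(length: int, classes: Sequence[str]) -> float:
    """Entropy in bits of a password of `length` characters drawn uniformly
    from the union of the given classes. Human-chosen passwords have far less."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days needed to try every candidate at the given rate. On average an
    attacker succeeds at half this, so it is an upper bound for them."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_DAY


def survives_rotation(length: int, classes: Sequence[str],
                      guesses_per_second: float, rotation_days: int = 90) -> bool:
    """True if exhausting the whole keyspace takes longer than the rotation window,
    i.e. the password is (in this model) retired before it can be brute-forced."""
    return days_to_exhaust(keyspace_bits(length, classes), guesses_per_second) > rotation_days


def compare_policies(rotation_days: int = 90) -> List[Dict[str, object]]:
    """Evaluate a few constructed policies against both attacker models."""
    policies = [
        ("8 lowercase letters", 8, ("lower",)),
        ("8 chars, all four classes", 8, ("lower", "upper", "digit", "symbol")),
        ("12 chars, all four classes", 12, ("lower", "upper", "digit", "symbol")),
        ("16 lowercase letters (passphrase-like)", 16, ("lower",)),
    ]
    rows = []
    for name, length, classes in policies:
        bits = keyspace_bits(length, classes)
        rows.append({
            "policy": name,
            "bits": round(bits, 1),
            "online_days": days_to_exhaust(bits, ONLINE_RATE),
            "offline_days": days_to_exhaust(bits, OFFLINE_RATE),
            "survives_online": survives_rotation(length, classes, ONLINE_RATE, rotation_days),
            "survives_offline": survives_rotation(length, classes, OFFLINE_RATE, rotation_days),
        })
    return rows


if __name__ == "__main__":
    for row in compare_policies():
        print(f"{row['policy']:<40} {row['bits']:>6} bits  "
              f"online: {row['offline_days'] and row['online_days']:.3g} d  "
              f"offline: {row['offline_days']:.3g} d  "
              f"90-day OK (online/offline): {row['survives_online']}/{row['survives_offline']}")
```

The point the table makes is the one in the paragraph: against a throttled login prompt almost any policy outlasts 90 days, but once the hash is stolen only length and breadth of alphabet buy time, and an eight-character password of any composition is exhausted well inside the rotation window. Rotation helps only in the scenarios where the attacker already has the secret, which is the SANS article's own point about shaking off snoopers.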

Fourth, in my experience, the two most prevalent ways for someone to get a password in the workplace are:

  1. Shoulder surfing
  2. Password sharing with a co-worker, who shares it with someone else

These problems are addressed by 30-, 60-, and 90-day password cycles, so forcing regular password changes is necessary.

The SANS article mentioned another benefit of regular password changes:

If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn’t help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account.

However, Wesemann still doubts whether forcing password changes every 90 days is worth the trouble.

My conclusion is different. People simply need to face the fact that the world changed a long time ago, attackers are after them (really), and most of them have been too lucky for too long (or they have already been compromised and don’t know it). Unfortunately, until management leads the way, the security posture of most companies and users will change slowly.

Finally, everyone should remember that auditors only audit practices that management put in place. If you don’t like 30-, 60-, or 90-day passwords, it’s time to go talk to management.


Read the SANS article.

I should note that Olzak’s main point was providing a way to create two-factor passphrases, not criticize the password change cycle. He rightly notes that the complexity of the method he wrote about would put it beyond the practice of most users, but it is an interesting approach. Read about it here.

As always, I’d be interested in whether you agree, disagree, or have another take on this.

See also:

Writing Passwords Down RIGHT

Quote of the Weak (Special Characters)



Filed under Security

2 responses to “Throw Password Rules Under the Bus?”

  1. I’m with you, strong passwords are your first line of defense. Users make it much harder than it needs to be. You don’t need to use a string of random characters to make a complex password. Try a short phrase instead. Ihatecats!2010 is as strong a password as you could ask for and most users wouldn’t have to write it down to remember it.


    • ITaudit

      I agree. I think the problem with remembering complex passwords is that they are too complex. Many methods and tricks for creating good, strong passwords that are easy to remember exist. When you get too many passwords, it’s time to use a password safe.

