A nice passage from the middle of a long (and recommended) Boxes and Arrows post:
A good password is one that cannot be guessed. And therein lies the problem. What is difficult to guess is most likely difficult to remember. This problem is multiplied when you have many applications that require authentication, each with its own password policy that dictates password complexity and mandatory resetting. So while a hacker may not be able to guess your passwords, you most likely will not be able to remember them either. So what do you do? Do what everyone else does (but knows they shouldn’t) – write your passwords down on the small piece of paper in your desk drawer. Not exactly the most secure practice.
The problem here is that the security folks design their password policies in a theoretical world where they only consider computers and hackers. Make the passwords very strong. But the primary end users, the people who actually log in appropriately, are not considered. The ultimate result is systems that are less secure. People are people. Defining password policies without considering the complete human context in which they are applied results in lower security.
At work, I have to come up with a new strong password every month. Until they put in that system, I had an excellent, very strong password that had never been written down or told to anyone. Now, because I have to remember a new password and change it again every 30 days, I have a very simple formula for each password. It meets the rules for strength but only by the letter of the law and not its spirit: it’s pretty weak. If it wasn’t simple, I’d have to write it down.
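The "letter of the law" problem described above, as an added Python example that is not from this post or from Boxes and Arrows: a checker that enforces only a typical complexity rule, beside one that also compares the candidate against the user's previous passwords and rejects the rotate-the-suffix formula. The function names, the threshold and the sample passwords are all constructed for illustration.

```python
"""
Added example (not from the post): naive complexity check versus a
history-aware check that catches formulaic rotation.
All names and sample passwords here are constructed.
"""
import re
from difflib import SequenceMatcher


def meets_letter_of_the_law(pw: str, min_len: int = 8) -> bool:
    """Typical rule set: minimum length plus at least three character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3


def strip_rotation_suffix(pw: str) -> str:
    """Drop the trailing digits/punctuation that rotation formulas usually vary,
    e.g. 'Sample03!' -> 'Sample'."""
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", pw)


def is_formulaic_rotation(new_pw: str, previous: list[str], threshold: float = 0.8) -> bool:
    """True when the new password is essentially an earlier one with its tail changed,
    or is simply very similar to an earlier one overall."""
    core = strip_rotation_suffix(new_pw).lower()
    for old in previous:
        old_core = strip_rotation_suffix(old).lower()
        if core and old_core and core == old_core:
            return True
        if SequenceMatcher(None, new_pw.lower(), old.lower()).ratio() >= threshold:
            return True
    return False


def evaluate(new_pw: str, previous: list[str]) -> tuple[bool, bool]:
    """Return (accepted by the naive policy, accepted by the history-aware policy)."""
    naive = meets_letter_of_the_law(new_pw)
    aware = naive and not is_formulaic_rotation(new_pw, previous)
    return naive, aware


if __name__ == "__main__":
    # Constructed history: a user following the "change the number each month" formula.
    history = ["Sample01!", "Sample02!"]
    for candidate in ["Sample03!", "Xq7$pLm2vR", "password"]:
        print(candidate, evaluate(candidate, history))
```

The similarity check only needs the passwords in recoverable form at change time, when the user is already supplying the current password; comparing against hashed history catches exact reuse but not near-misses, which is exactly the gap the formula exploits.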
Boxes and Arrows proposes that IT departments promote the use of password management programs, which is a sensible enough solution and one I’d support in a workplace setting. (I’d support it within IT departments too. How many firewall/router/wireless etc. installs have you seen with admin settings that haven’t even been changed from the defaults?)
I think many of us can get away with a much simpler solution: not changing passwords*. The stuff on my servers and websites is pretty tame stuff — no nuclear secrets there, no plans for world domination**, nothing that might reveal Bourne’s true identity. If someone hacks my stuff, it’ll be a plain old vandal, not someone who’ll snoop in time and time again to read and steal things with Top Secret stamps on them. If I’m hacked they’ll be the boring kind of hackers, the kind that are just out to break stuff and make a mess, and it’ll be obvious. Given that, what’s the point in preemptively changing passwords? If I don’t write it down and I don’t tell anyone, my strong password remains just as strong as it was when I created it.
Odds are low anyone will bother to get past a decently-administered firewall. A good firewall is like a good bike lock: it won’t keep out someone determined to get you (edit: or someone who really likes a challenge), but if they’re not after you personally, they’ll probably move on to an easier target.
This stuff makes me crazy. More complication is not always better.
—
* This assumes there are proper backups. Leaving passwords unchanged is a level of potential foolishness I can accept. Failing to back up adequately is foolishness on a totally different scale.
** Those stay safely in my head 🙂