Poorly Thought-Out Security
I've been involved in computer networking for literally decades--sadly, it is a field I have all but completely lost interest in--and one of the things I've noticed is that many companies and networking geeks have some pretty dumb ideas about computer security. And probably the dumbest is requiring people to use complicated passwords and requiring them to change those passwords on a regular basis.
Radley Balko points out what inevitably happens when you do this, at least in any organization with more than a few people in it.
Which is why good security implementation is far more about what access privs you give out than any nonsense about password policies for everyday users.
ARGGGH!! I've been the lone voice in every IT department I've run into against the changing password issue for over 15 years! (Not so much the complex password issue). Like most logical people, having to change the password every month HURTS security far more than it helps. Only two methods are needed for security (assuming you don't go the "SecureID" route):
1) Limit the number of password attempts, before locking the account (this assumes you can pick your own user name and it's set to a reasonable level, not 3, but like 10 to prevent too much load on the IT staff).
2) After a successful login, inform the user of the number of unsuccessful attempts and the time the user last logged in. Anyone NOT informing IT of potential unauthorized attempted access to their account would be immediately fired.
What is really galling is there are some great technological solutions emerging that companies refuse to implement that make it unnecessary to remember any passwords at all or perhaps just one.
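The two mechanisms this comment asks for (lock after a reasonable number of failures, and tell the user on a successful login how many failures there were and when they last logged in), written out as an added Python example that is not code from the post or from any commenter. The in-memory account record, the PBKDF2 password storage, the threshold of 10 and the sample timestamps are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Threshold suggested in the comment above: around 10, not 3 (assumed value).
MAX_ATTEMPTS = 10

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0          # failures since the last successful login
    locked: bool = False
    last_login: Optional[datetime] = None

@dataclass
class LoginResult:
    ok: bool
    message: str
    failed_since_last_login: int = 0  # shown to the user on success (method 2)
    previous_login: Optional[datetime] = None

def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))

def attempt_login(acct: Account, password: str, now: datetime) -> LoginResult:
    """One login attempt: count failures, lock at the threshold (method 1),
    and on success report the failure count and last login time (method 2)."""
    if acct.locked:
        return LoginResult(False, "account locked; contact IT")
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            return LoginResult(False, "account locked after too many failed attempts")
        return LoginResult(False, "invalid credentials")
    result = LoginResult(True, "login ok", acct.failed_attempts, acct.last_login)
    acct.failed_attempts = 0   # counter restarts for the next session
    acct.last_login = now
    return result
```

A user who sees a non-zero failure count or an unfamiliar last-login time in the result is the one expected to report it, which is the human half of the comment's second method.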
Assigning people arbitrary passwords is one thing, but no, if you let people choose their own passwords, it's not out of line to expect them to be able to remember something that they made up without having to write it down.
The problem is that people don't understand why security is important and are fundamentally lazy. They must be educated on the tangible benefits they receive from good security. Most users assume that security is simply something they must endure at the whim of management or IT and do not understand how it protects them as well as the company.
Hear, Hear!
I find that corporate IT departments are just great at giving lip-service to security, and doing lots of ineffectual security busy-work that harasses their users but keeps the security folks' visibility up. Unfortunately, they seem to be pretty clueless about the real security risks and how to deal with them.
The thing I like least about being in IT is that it is without doubt the least competent engineering profession, on average. Sigh.
Jerry, while you're right about laziness, I have worked with fairly functional adults who simply don't have the memory capacity to be able to remember multiple complicated passwords. Furthermore, laziness, in my view, is something you cannot get rid of as a matter of policy, it's something pragmatic managers have to understand is going to be a factor. Put the two together and a policy that forces people to frequently change passwords, and use complicated passwords, virtually guarantees that you will be able to walk around a department, shuffle through people's desks, and find their passwords written down somewhere.
It's possible I suppose if you're a highly well-funded organization you can afford to just fire anyone who can't handle a rigorous password scheme. But otherwise, the real solution is to carefully shape your data security so that only very specific people have access to truly sensitive data, and otherwise implement a middle-level password system that isn't going to cause great confusion for everyday users.
It's possible I suppose if you're a highly well-funded organization you can afford to just fire anyone who can't handle a rigorous password scheme.
Look at it from the other direction -- can you really afford to hire people who can't be bothered?
Crazy random alphanumeric passwords (fle2utdrn7) are unmemorable, of course, and you don't want to use those because nobody can remember them. But it surely is not too much to expect users to remember passwords that they have chosen for themselves! Something you chose yourself is the easiest kind of thing to remember. If a person is literally incapable of remembering a password he chose himself without writing it down, I would have to have serious doubts about his overall competence.
But few people are literally incapable of this. They just don't bother because they don't understand why it is important to them.
Well, first there's Edna, who's 55, been with the company for 18 years, is incredibly competent, but has a mind like a sieve when it comes to this sort of thing.
Then there are the 350 people you have doing data processing at the data center in Chicago, and the 500 working at the shipping and warehousing in San Antonio, and....
It's all a matter of scale, really, and how much you value your older employees, and how much you can afford to pay dozens or hundreds of people, and how many you're willing to fire and replace.
So even if you're making a strictly economic choice, if the average $8/hour worker can't be counted on to do this right, but your average $12/hour worker can, do you really give your entire workforce a 50% raise and fire anyone who can't cut it, or....?
Jerry: I don't think you understand the scope of the problem.
Working in a technical field in a large corporate behemoth requires not one password but dozens. All of them different. Each having to contain 8-10 random characters of mixed case alpha and numeric characters. Each password having to be changed on a different timetable, once every 30-90 days. No password can ever be used again. None can contain any word in the English language longer than three letters.
And each password is to a system whose sysadmin insists is the most important in the company, and come what may to the other systems, but *his* system is going to have secure password requirements.
I submit that very, very few people can meet these requirements without cheating.
Mike
Of course I understand the scope of the problem -- I've been juggling dozens of passwords myself for 17 years. Look, if you know several phone numbers -- and everybody, even Edna, does -- the fact is that you have the mental capacity to remember a few passwords THAT YOU MADE UP YOURSELF.
People expect that after they pick a password they will just automatically remember it, and then when they don't, they make excuses like "my brain is a sieve for that kind of stuff." Well, so what if it is? If you know that you have trouble remembering people's names, don't just continue to say lamely to everyone you meet "I'm not any good with names" and leave it at that! You develop a strategy for compensating for your shortcomings. Well then, if you have trouble remembering passwords, what should you do? Hmmmmmmmmm?
Sure you might have to put some effort into it. Might have to (gasp!) study a little. It might even be WORK! But, by a sheer coincidence, the company that employs you gives you money to do work! So it's fine that it's work, since that's what you're supposed to be doing anyway!
People have no trouble memorizing things that are important to them (just ask a grandmother to reel off her grandkids' names, all eight of them, including middle names). The problem is that people don't consider security important enough to put any effort into -- not that it's too difficult in some absolute sense!
Again, people just don't understand that security is about protecting themselves as much as the company. Anyone with your password can easily get you fired, or even arrested. You'd think that'd be incentive enough, but apparently people just don't get it.
"But I trust the people I work with! None of them would do anything bad to me, even if they did get my password!" No, no, it's TOTALLY the other way around! You don't give someone your password because you trust them -- you can trust them because they don't have your password!
Dean, your idea that controlling which accounts have access to sensitive resources is sufficient is silly. Everyone in a company has access to sensitive resources, even if it's just the work they're doing. Security is not just about controlling access to sensitive resources, it's about preventing spiteful employees from fucking with others, it's about being able to accurately determine who actually made a particular mistake -- and a lot of other things. If you fire someone, what good does it do you to disable his account if he knows (or can easily guess) five other people's passwords?
I won't argue that some companies have more security than they really need, but those are few. Even those companies that have good policies often do not train their people well enough. But maintaining security is part of everyone's job. If an employee cannot become competent at doing this part of their job, well, what steps would YOU take if an employee could not become competent at one of their job functions?
Oh, how I love easy-to-remember passwords and RSA tokens. Much better than a gazillion-character password that will only be written down anyway.
It doesn't apply in every situation, but you have to have the right tools for the job. Two examples, one is a process, and one is software.
1) A collection of letters and numbers doesn't have to be meaningless to you, just to others. So pick a phrase of appropriate length that has meaning to you, take the initial letters, and then play with it a bit.
For example, "Four score and seven years ago, our fathers brought forth on this continent a new nation..." That gives us "fsasyaofbfotcann." Okay, that's too long, so let's trim it a bit. Let's drop the "and," and trim it down to where "continent" is the last word. That gives us "fssyaofbfotc." That's twelve characters, so that's probably pretty good. If you need some other number of characters, continue playing with it.
Now we want mixed case letters and some numbers (we'll leave symbols out for now, but they could be included). We happen to have two numbers, so let's just put them in as their digits instead of their initial letters. That gives us "4s7yaofbfotc." Not too bad. Let's capitalize at least one of the letters. Pick out the most important word (or two) and capitalize it. "Father" strikes me as the most important word, so let's make it "4s7yaoFbfotc." That's probably good enough, but you could keep working it if you want to. Just be careful that you don't make it too complicated to remember. The mnemonic has to stick in your mind.
So when the time comes to remember your password, you remember "Four score (and) seven years ago, our Fathers brought forth on this continent." So we think, "Four (4) score (s) seven (7) years (y) ago (a) our (o) Fathers (F) brought (b) forth (f) on (o) this (t) continent (c)." This method requires a little work, but as Jerry said, it's your job, where you're supposed to work, anyway.
2) It's probably not a good idea to use the same password everywhere, because if someone finds it or figures it out for one system, they've got it for every system. Following procedure #1 above can get onerous after a few passwords, so maybe we ought to get a tool to help us out.
There are various software packages for generating and securely storing passwords for you. Naturally, the file holding the passwords is strongly encrypted. The application has half of the information necessary to decrypt it, and you supply a password (see #1 above) which forms the other half.
There are ways to manage passwords, keeping them reasonably secure. But people have to be told about them, helped with the process, given the tools.
And for the record, I agree that there are tons of stupid IT policies that folks are plagued with. It's a crime.
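Boyd's procedure #1 carried through in code, as an added Python example and not anything from the thread: initials of each word, chosen filler words dropped, number words written as digits, and the initial of the chosen "important" word capitalized. The function names, the number-word table and the `meets_policy` check (at least 8 characters with upper case, lower case and a digit, which is the mixed-case-plus-numbers target the comment works toward) are assumptions of this example.

```python
import re

# Number words the method swaps for digits ("four" -> "4", "seven" -> "7").
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

def mnemonic_password(phrase, drop=(), emphasize=(), digits=True):
    """Take the initial of each word in `phrase`, skipping words listed in
    `drop`, writing number words as digits when `digits` is set, and
    upper-casing the initial of any word listed in `emphasize`."""
    drop = {w.lower() for w in drop}
    emphasize = {w.lower() for w in emphasize}
    out = []
    for word in re.findall(r"[A-Za-z]+", phrase):
        lw = word.lower()
        if lw in drop:
            continue                      # e.g. the "and" Boyd trims out
        if digits and lw in NUMBER_WORDS:
            out.append(NUMBER_WORDS[lw])  # digit instead of initial letter
        elif lw in emphasize:
            out.append(lw[0].upper())     # the "most important word"
        else:
            out.append(lw[0])
    return "".join(out)

def meets_policy(pw, min_len=8):
    """Assumed check: length plus mixed case plus at least one digit."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

# Boyd's phrase, trimmed to end at "continent" as in the comment.
GETTYSBURG = ("Four score and seven years ago, our fathers brought forth "
              "on this continent")

if __name__ == "__main__":
    # Step one, letters only: fssyaofbfotc
    print(mnemonic_password(GETTYSBURG, drop=["and"], digits=False))
    # Step two, digits and capital: 4s7yaoFbfotc
    print(mnemonic_password(GETTYSBURG, drop=["and"], emphasize=["fathers"]))
```

The same function applied to a different phrase, drop list and emphasized word yields a different password per system, which is the point of not reusing one everywhere.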
I like Boyd's approach. As a matter of fact, my logon to my own system is the first letters of something the plant manager used to call the boss's son where I worked when I got into computing.
Where I'm working now, as reported in my comment to the article Dean linked to start this discussion, my network logon must be 8 characters including a capital and a number. I use stuff on the order of Mastrb8r. What is really stupid is that once I am into the network, my password for critical applications is unchanging, first initial and last name.
Another solution I ran into, on the last contract I worked for a cellular provider, was simply not to give people network access. This was not a big problem for a lowly tech like myself, but it seriously reduced the productivity of the long-term engineering contractors.
In my experience there are three main types of security concern in a corporate or (non-military) government environment:
1.) protecting information
2.) protecting systems
3.) protecting identities
Protecting information is not possible solely, or even primarily, by using technology. Password policies and access controls ultimately only keep honest people honest and have no more than a relatively trivial impact. The only reliable method for protecting information is to train employees how to physically handle the information that's appropriate to the sensitivity of that information. And enforce the policies and procedures that support that training.
Protecting systems from intrusion, mis-use, and deliberate harm requires strong physical security, strong authentication (strict passwords, tokens, etc.), and strong access controls. And even more important, very rigorous auditing and monitoring of usage.
Strict password policies are of minor value in dealing with the first two security types I mentioned, and a reliance on them as part of a security methodology can actually be harmful by promoting a false sense of security.
Where strict password policies are most useful is for the third security concern ... identity protection. But even in this case it has limited value unless there is active monitoring of usage. People don't work in a vacuum and will find it necessary to give someone access to their identity so that a needed job can get done within a short time frame. Happens all the time in the real world (very rarely in a true secure, classified environment).
Overall I have to agree with Dean. For 80-90% of the companies out there, you only really need a password policy strict enough to prevent the ability of someone with a password cracker to acquire admin or root access to critical systems.
I love that one: Mastrb8r. That's what I am.