Frequent password changes reduce security…

Something I’ve felt to be true for some time now. Bruce Schneier backs this up here in his article and linked sources.

I’m more inclined towards patterned passwords that change radically each iteration than the samples he provides, where only one or two characters change each time, but the issue is the same: anyone who learns one password in the series can predict the next. Once you add in external site links where employees may inadvertently enter a work password on a non-work site (benefits portals or external training providers are common here), you have both an information leak and a predictable pattern.

I think that longer-term passwords, broader internal pass-through authentication and more clearly marked internal credential prompts would go a long way towards addressing these issues.

  • Longer password lifetimes should encourage people to use more complex passwords that may take more work to memorize but are less guessable. Add in some heuristic complexity checking to reject weak passwords (it needs to include a dictionary check and some pattern checks in addition to the usual ‘at least one of each character class’ rules) and I think you’ll wind up with better security.
  • In-house pass-through authentication makes password prompts rarer and therefore more noticeable when they do appear. It reduces the incentive to use passwords that are quick and easy to enter repeatedly. It also reduces the risk of shoulder surfing during the day. I find that the more frequently corporate systems require me to enter my password, the more incentive I have to keep it short and easy to type quickly and accurately. My personal password-safe password is about three times as long as my work password for exactly this reason.
  • Clearly marking in-house password prompts as such won’t eliminate cases where employees inadvertently disclose their work credentials to an external site, but with training it can reduce how often that happens. When an employee clicks through a corporate portal and is presented with a login prompt, the first thing they’re likely to try is their work username and password. Most sites will be fine, but you’re trusting their security practices to protect your credentials. All it takes is a log file that records failed login attempts with the plaintext password, or a poorly protected site certificate that lets a man in the middle watch login attempts, and you’ve got a compromise.
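As an added example (not code from the original post or from Schneier’s article), here is a heuristic checker of the kind the first bullet describes: the usual character-class rules, a dictionary check that also catches leetspeak substitutions and appended digits, simple repeat and keyboard-walk pattern checks, and a comparison against the user’s previous passwords so that ‘Summer2019’ to ‘Summer2020’ style rotations are rejected. The word list, the policy thresholds and all function names are assumptions; a real deployment would load a large dictionary and a breached-password corpus instead of the handful of words below.

```python
import re

# Constructed stand-in for a real word list; load a large dictionary and a
# breached-password corpus in production.
DICTIONARY = {"password", "welcome", "summer", "spring", "company",
              "letmein", "monkey", "horse"}
MIN_LENGTH = 12          # assumed policy values, not from the original post
MIN_LEFTOVER = 4         # letters that must remain once dictionary words are removed
MIN_EDIT_DISTANCE = 4    # reject candidates within this many edits of an old password
LEET = str.maketrans("01345@$", "oieasas")   # undo common substitutions
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalize(pw):
    """Lowercase, undo leetspeak, and keep letters only so 'P@$$w0rd' -> 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def dictionary_hit(pw):
    """Return the dictionary words the password is built around, or [] if
    enough unrelated letters remain (so a long passphrase is not rejected
    just because one of its words is common)."""
    core = normalize(pw)
    hits = []
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if word in core:
            hits.append(word)
            core = core.replace(word, "")
    return hits if hits and len(core) < MIN_LEFTOVER else []


def pattern_hit(pw, run=3, seq=4):
    """Flag repeated characters ('aaa') and alphabet, digit or keyboard-row
    walks in either direction ('abcd', '4321', 'qwer')."""
    if re.search(r"(.)\1{%d,}" % (run - 1), pw):
        return "repeated characters"
    low = pw.lower()
    for i in range(len(low) - seq + 1):
        window = low[i:i + seq]
        if any(window in s or window in s[::-1] for s in SEQUENCES):
            return "sequential characters"
    return None


def edit_distance(a, b):
    """Levenshtein distance; 'Summer2019' vs 'Summer2020' is 2, which is what
    makes the typical forced rotation predictable."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate, previous=()):
    """Return a list of reasons to reject; an empty list means the password passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        reasons.append("fewer than three character classes")
    words = dictionary_hit(candidate)
    if words:
        reasons.append("built around dictionary word(s): " + ", ".join(words))
    pattern = pattern_hit(candidate)
    if pattern:
        reasons.append(pattern)
    # Compare against history: a small edit distance, or the same letters with
    # only the digits/punctuation changed, means the rotation is predictable.
    letters = re.sub(r"[^a-z]", "", candidate.lower())
    for old in previous:
        old_letters = re.sub(r"[^a-z]", "", old.lower())
        if (edit_distance(candidate.lower(), old.lower()) < MIN_EDIT_DISTANCE
                or (letters and letters == old_letters)):
            reasons.append("too similar to a previous password")
            break
    return reasons


if __name__ == "__main__":
    for pw, hist in [("Summer2020!!", ["Summer2019!!"]),
                     ("qwerty123456", []),
                     ("correct-Horse-battery-9staple", [])]:
        print(pw, "->", check_password(pw, hist) or "OK")
```

The thresholds are tuning knobs: a four-character window catches ‘abcd1234’ but will also flag some ordinary words that happen to sit on a keyboard row, so run the checker against your own accepted-password sample before turning it on.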
