
Forcing password changes

November 9th, 2006

A small bugbear of mine. Why do auditors ask me every year, “Do you force your users to change their passwords regularly?” Since when did this become such an unchallenged tenet of security?

Well, I don’t agree that this is a good idea at all, and I patiently explain that to the auditors each year. In fact I take the view that forcing people to change their password regularly can actually reduce the security of most systems. My reasons for this are fairly clear:

  • Most people find passwords difficult to remember and the more complex the password, the more likely they are to forget it. This is probably because there is no obvious handle for the memory to be hooked onto, i.e. no mnemonic, no event, no place etc.
  • If you force people to change regularly then you also force them to develop mechanisms for storing their passwords other than just remembering them, because the burden on their memories is just too much.
  • These mechanisms are nearly always insecure. In some cases it is a post-it note stuck to the screen, sometimes a note in a drawer or on the desk or even a text file on their computer.
  • Choosing a password is actually quite hard for many people. They can’t think of anything and so they tend to go for simple, memorable names, just the kind of thing that is vulnerable to a dictionary attack.
  • Only once someone has finally remembered a password, generally through repeated use, do they destroy the physical record of it.

So what really matters is to teach users

  1. How to choose a strong password. I’ve seen some nice online tools that evaluate the password strength as you type it. I’m sure they’re a bit corny and generally don’t include dictionary searching, but they do help the user.
  2. How to choose a memorable password, so they don’t have to record it anywhere.

Now if auditors asked me whether we do that or not, then that would be a sensible question to ask.

jay Technology

  1. Al Maloney
    June 20th, 2010 at 04:16

    A simple way to create a password that is reasonably secure is to take the name of a book that one can remember, use the first letter of the name (upper &/or lower case), add the last two digits of the year of publication, then the initials of the author (upper &/or lower case).

    e.g.

    How to Solve It-A New Aspect of Mathematical Method 1945 G Polya

    hTsIANaoMm45GP
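The post’s point about strength meters (they score character mix and length but rarely check a dictionary) and the commenter’s book-title mnemonic can both be tried out with a small evaluator. The following is an added example, not code from the post or from the commenter: it estimates entropy the way a typical as-you-type meter does, then runs a dictionary check that also undoes common letter-for-symbol substitutions. The wordlist is a constructed sample standing in for a real common-password list, and the verdict thresholds (28 and 50 bits) are arbitrary choices made for the illustration.

```python
"""Password strength evaluator with a dictionary check (added illustration)."""
import math
import re

# Constructed stand-in for a real common-password / breached-password list;
# a deployment would load a large list from disk instead.
COMMON_WORDS = {
    "password", "letmein", "welcome", "dragon", "monkey", "football",
    "qwerty", "sunshine", "princess", "charlie", "london", "summer",
}

# Substitutions people use to get a dictionary word past a naive checker;
# undoing them makes "P@ssw0rd" collapse back to "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t", "!": "i"})

MAX_DECORATION = 4  # extra characters allowed before "word + suffix" stops being a hit


def letters_only(s):
    """Drop everything except lowercase letters, so "monkey123" yields "monkey"."""
    return re.sub(r"[^a-z]", "", s)


def candidates(pw):
    """Forms of the password in which a dictionary word might be hiding."""
    lower = pw.lower()
    leet = lower.translate(LEET_MAP)
    return {lower, leet, letters_only(lower), letters_only(leet)}


def dictionary_hit(pw):
    """Return the dictionary word the password is built around, or None.

    A hit is the word itself, or the word with at most MAX_DECORATION extra
    characters bolted onto the front or back ("monkey123", "!Welcome").
    Long passphrases that merely contain a word are deliberately not flagged.
    """
    for cand in candidates(pw):
        for word in COMMON_WORDS:
            if word not in cand:
                continue
            decoration = len(cand) - len(word)
            if decoration <= MAX_DECORATION and (cand.startswith(word) or cand.endswith(word)):
                return word
    return None


def pool_size(pw):
    """Alphabet size an attacker would have to search, judged from the
    character classes present (the usual strength-meter heuristic)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return pool


def entropy_bits(pw):
    """Upper bound on entropy: assumes every character was drawn uniformly
    from the pool, which human-chosen passwords never are."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw):
    """Combine the two checks into a verdict plus user-facing feedback."""
    bits = entropy_bits(pw)
    feedback = []
    word = dictionary_hit(pw)
    if word:
        feedback.append(f"built on the dictionary word '{word}'")
    if len(pw) < 8:
        feedback.append("shorter than 8 characters")
    if pool_size(pw) <= 26:
        feedback.append("uses only one character class")
    if word or bits < 28:
        verdict = "weak"
    elif bits < 50:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict, "feedback": feedback}


if __name__ == "__main__":
    # The last entry is the commenter's sample; the others are constructed.
    for pw in ["monkey123", "P@ssw0rd", "Ab1!", "hTsIANaoMm45GP"]:
        print(f"{pw!r}: {evaluate(pw)}")
```

Two things stand out when running it. “P@ssw0rd” scores well over 40 bits on the entropy heuristic alone, which is exactly the case the post describes a meter getting wrong; the dictionary step is what marks it weak. The commenter’s “hTsIANaoMm45GP” passes both checks, and because its components are a title, a year and initials rather than a single word, there is nothing for the dictionary step to find.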
