Sunday Boston Globe: "Please do not change your password"
There’s an interesting article in today’s Sunday Boston Globe entitled Please do not change your password The basic premise is that the security folks are wasting their time and ours in trying to get us to use strong passwords which we change frequently. The harder they try to make us do it, the less likely it is that we *will* do it. This all comes from a new study from Cormac Herley of Microsoft, who is a principal researcher for Microsoft Research.
To prompt [people] to be more rigorous about computer protection, he said, “You want actual studies, actual data.
”That poses a challenge for the security industry, Herley said. While doctors can cite statistics showing smoking causes cancer, and road-safety engineers can produce miles of numbers supporting seat belt use, computer security professionals lack such compelling evidence to give their advice clout. “Unbelievable though it might seem, we don’t have data on most of the attacks we talk about,” he said. “That’s precisely why we’re in this ‘do it all’ approach.”
Another thing this points out to me is similar to what I meant when I tweeted earlier this week "Never fall for your own marketing". What I meant was that it can be pretty easy, when you are in the midst of something, to believe that it is not only important, but that everyone else will think it is important, too. This happens to people in the middle of a political campaign juggernaut, and apparently can happen to computer security professionals, too.
I understand every little bit of the threat that is out there around someone knowing my passwords. (I really think that I do.) But it annoys me no end to be told that I need to change my password every 30 days to something which is absolutely non-mnemonic for me. In most cases, people get around this by simply writing the password down on a piece of paper, often putting it right on their monitor!
It’s also important for all of us to keep in mind that what we hold the most important may not mean a damn thing to anyone else. As computing professionals, we can spend way too much time trying to get every pixel in place and writing the most elegant code, but the users often just don’t care. They want it to work, and they want it to be easy. That may be it.
So let’s all learn something from the password study: Don’t make it too hard, and back it all up with data. Real data.
I’ve posed the same argument many times. The more disconnected systems you log into, each with a slightly different requirement for password complexity and frequency of change, the more likely it is you will have to write down the passwords to keep track of them. Systems with needless security that you seldom log into end up with the system name and password on a whiteboard.
I don’t have a problem with coming up with a secure password, but having to change it constantly is worse than worthless.
A password should be:
* Easy to remember
* Easy to type
* Hard for a person or system to guess
If you have to change it frequently it WILL break one of those rules.