Strong Passwords Are A Bad Idea

I’ve always been bothered by ridiculous password policies in many organizations. Frankly, they strike me the same way that many aspects of airport security strike me, which is to say that they are there to give you the semblance of security, but are in fact ineffective, and get in the way of doing something productive.

Mike Fitzmaurice, a friend of mine posted the following cartoon on his Facebook wall this morning, which I think really puts this into perspective.

password_strength

This is taken from the humour site, xhcd.

The problem comes from policies that are developed without a true understanding of the underlying technology. This gets compounded with policies that require users to change their passwords periodically. So what happens when you are confronted with a situation like this? You take this password that is difficult to remember (and in some cases difficult to type) and you write it down on a piece of paper. No amount of instruction will prevent users from doing this – they’re really being forced to do this.

Some time ago I attended a security seminar where a representative from CSIS stated that 90% of all passwords are stored on paper within 5 feet of the computer that they access. The problem isn’t the strength of the password, it’s the strength of the user’s memory.

To me, these Byzantine security policies only serve to defeat their own purpose.  Here’s my policy – choose a good password that you can remember, don’t write it down, don’t tell it to anyone, and unless compromised, never change it. I would urge many IT organizations to adopt their policies accordingly. Let’s not forget that the purpose of information technology is not to impose policies, but to support productivity.

Advertisements