Sensible Password Policies

Let me ask you a question. I regularly use two on-line financial services with two very different authentication systems:

  • The first service uses simple user name/password authentication: my login name is my e-mail address and the password never has to be changed.
  • The second service uses a more complex authentication scheme: my user name is a random collection of letters and numbers, I have to change my password every month, and there is a third identification code I have to type in to log in.

Which of those two services is more secure?

I believe most people would think that the second service is more secure, but the truth is that it’s not only more difficult to use, it’s actually less secure.

If you think that the second service is more secure, then you made the same mistake that a lot of programmers, system administrators and even security experts make: you think that more security features make the system more secure. The truth is the exact opposite. More security features make the system more difficult to use, and that in turn makes it more likely that it will be used incorrectly.

Let’s look closely into how I use those two services.

For the first service I have to remember just one secret, my password (it’s unlikely I’ll forget my e-mail address), and that secret never changes, so I have a long, completely random password that is not written down anywhere. This defeats every technique for getting at my password except getting it directly from me.

For the second service things are different: the random user name is written on a piece of paper near my computer (that’s OK, the user name isn’t supposed to be secret), and the third identification code is actually derived from my account number, so it’s even easier to discover and not a secret at all.

That leaves the password, the one I have to change every month. Do you really think that I can come up with a new strong password every month, and that even if I try, I can recall this month’s password?

Trying to use a strong password with this service only caused me to be repeatedly locked out of the service for entering wrong passwords too many times, so now I use a ridiculously weak password (the other option would be to write it down next to the random user name, making it easier to steal both at the same time).

So, the first service is easy to use securely (because it’s easy to use in general), while the second service, with all those security features making your life difficult, is almost impossible to use securely.

If you get to design a security related system, remember: the weakest link in the security chain is usually the human who uses the system, and you can secure this part of the system only by making the system friendlier and easier to use correctly. Every security feature that makes life harder for the user will be circumvented by writing the password on a post-it note and sticking it on the monitor.
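To make the trade-off concrete, here is an added example (not code from the original post) that models the two services’ password rules as policy objects and evaluates a candidate password against each. The policy names, limits and sample passwords are assumptions constructed for illustration; the strength estimate is a crude upper bound that only holds for genuinely random passwords.

```python
import math
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """A minimal server-side password policy (constructed for this example)."""
    name: str
    min_length: int
    max_age_days: Optional[int]  # None means the password never expires


# Assumed policies mirroring the two services described in the post.
SINGLE_SECRET = PasswordPolicy("single-secret", min_length=12, max_age_days=None)
MONTHLY_ROTATION = PasswordPolicy("monthly-rotation", min_length=8, max_age_days=30)


def estimate_bits(password: str) -> float:
    """Rough guess-resistance in bits: length * log2(alphabet size), where the
    alphabet is the union of character classes present. This is an upper bound
    that is only meaningful for passwords chosen uniformly at random."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def evaluate(policy: PasswordPolicy, password: str, set_on: date, today: date) -> List[str]:
    """Return the reasons the password is rejected under `policy` (empty list = accepted).

    Note that expiry is checked independently of strength: under a rotation
    policy a long random password is rejected on schedule no matter how strong
    it is, which is exactly what pushes users toward weak, memorable choices."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append("too short")
    if policy.max_age_days is not None and (today - set_on).days > policy.max_age_days:
        reasons.append("expired")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords: one long random secret, one weak memorable one.
    strong = "qH7#vPz2mL9!sWx4eR"
    weak = "letmein1"
    set_on, today = date(2008, 1, 1), date(2008, 10, 29)
    for policy in (SINGLE_SECRET, MONTHLY_ROTATION):
        for pw in (strong, weak):
            print(policy.name, f"{estimate_bits(pw):.1f} bits", evaluate(policy, pw, set_on, today))
```

Running it shows the never-expiring policy accepting the long random password for as long as it stays secret, while the rotation policy rejects that same password as “expired” after 30 days and would happily accept a short weak replacement that merely satisfies the minimum length.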

On a final note, the right way to manage your passwords is described in “Password management finally possible” by Joel Spolsky. Just remember that most people (me included) use the very insecure and easy solution of reusing weak passwords, and for a system to be secure it has to work for most people.

This post was inspired by the post “Security: Securing The Network: Non Technical Guide to Corporate Security” by Steve Cholerton, an excellent post except for what he writes about user IDs and passwords.

posted @ Wednesday, October 29, 2008 12:11 PM
