A place to put my things.

April 14, 2011

Password Strength Fail!

Filed under: Uncategorized — Ruben @ 10:11

When defining a password policy, the first thing you think of is setting up some rules the passwords must match in order to force users to choose strong passwords, and making the passwords expire after some time… but sometimes that can lead to a situation where you get the opposite effect.

Best explained with a real example:

I think I have four or five strong passwords in my head that I reuse when they expire. They are strong enough for my purposes. Well, I have a Windows domain user somewhere, and the password expired twice in two months. It has what seems to be a strong password policy: you have to use at least one character from three of four groups, and you cannot reuse any of the ten (!) last used passwords.

Ok, before reading the password restrictions I tried all my strong passwords; none of them matched the password policy, and two of them had already been used. So, finally I had to think of a password that I could easily remember, to use in a service where the security is not important for me (but it is for the organization that manages the system). It is not a big deal for me if someone guesses my password.

So in my laziness, and as the password changes a lot over time, I did what most people do: “Ok, this is going to change every month? Let’s use the month.”

Ok, next: do I have to cover three of the four groups “caps”, “lower”, “number”, “punctuation”?… think laziness again: a common word starting in caps, followed by a number, and using the month:

April2011

It matches the policy!* How is that possible???

(* I can cycle through twelve passwords, so I satisfy the rule “don’t use any of the last ten passwords”.)

I wonder how many people in the world have the password “April2011” this month in a lot of “strong password policy” systems…

What is the lesson learned from this?

  • Changing the password too often is bad, maybe not as bad as never changing it, but it is bad. A very strict password policy can lead to password “hacks” that easily match the rules, and everybody ends up using them, as
  • You cannot ask people to memorize 10 strong passwords or to be so original.
  • Password generators are good, but you have to remember the new password, and you only put in that work if it is really worth it for you; you cannot ask everybody to use one.