Password Policy & Password Fatigue
As a consultant I have been dealing with numerous organisations around the UK and Ireland for the last six years. In this time I have dealt with almost as many different password policies as I have clients, and this is before all the web sites I access are taken into account. The 2002 NTA Monitor Password Survey found that intensive computer users had 21 separate accounts requiring a password and, for added security, it is typically recommended that each password is unique to a login and not reused.
This recommendation, which I fully endorse, combined with complex password policies, is resulting in growing password fatigue. The main issue with this is that it encourages people to adopt insecure password practices such as using the same password on multiple logins, choosing easy-to-guess passwords or even writing them down.
A perfect example of this is an organisation I dealt with recently where every user had to have a password with a minimum length of eight characters (mixed case letters and numbers) which needed to be changed every thirty days and could never be reused. Unfortunately, in this instance, password fatigue kicked in both for users and the IT department. Users, after holidays and sometimes even after long weekends, were often unable to remember the strong passwords that they had to change so regularly, so they either wrote the password down on a post-it note stuck to the computer, or they forgot the password, locked themselves out of the system and then needed to ring the IT department to get their password reset. After a fairly short time of dealing with the same repeated call, the IT Helpdesk Manager started to advise users to pick a word followed by a number and just increment the number every thirty days. While technically the password policy in place should have been secure, the reality was very different.
I've spent a lot of time driving round the country to and from client sites and I've ended up thinking a lot about password policies (it's something to do on the long journeys). While I've come to the conclusion that forcing complex passwords (mixed case letters with numbers) of a minimum length (as longer passwords are harder to crack than shorter ones) is a good policy, I can't accept that forcing the password to be changed at specific intervals is good policy.
Typically, the maximum age password policy requires a password to be changed every thirty, sixty or ninety days. If you suspect someone knows your password you should be changing it immediately and not waiting for the maximum age policy to kick in; if no-one knows your password then what is the benefit of changing it? The usual argument people have used is that it makes the use of dictionary or rainbow table attacks harder, but this is only true if the new password is guaranteed to be stronger than the old one, which I'd say is never the case. Certainly my passwords remain of similar strength to the old ones whenever I change one, and people I've discussed this with agree that the same holds for their own.
Technically, the "weakest" password I have is my main credit card as I haven't changed the password for twelve years, but both the username and password (mixed case letters with numbers) have never been used elsewhere and are not words found in the dictionary; as such I'd probably regard it as one of the strongest as I was able to pick both a username (instead of being forced to use an email address) and password.
On reflection, if I was to design a password policy that will avoid contributing to password fatigue I'd go with the following:
- Passwords must be eight characters or longer
- Passwords must be complex (mixed case letters plus at least one number and symbol)
- Passwords can't include the username
- Passwords can't include the user's firstname or surname
- Passwords can't be older than 30 days
- Passwords can't be changed within 7 days
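As an added illustration of the six rules above (example code written for this page, not something the author or any organisation mentioned here uses), the following Python checker evaluates a proposed password change against the whole policy and returns every violation rather than just the first. It also carries one extra check that is not in the list: a hypothetical "same word, only the trailing number changed" test, to catch the word-plus-incrementing-number habit the helpdesk ended up recommending in the story above. The user record, names, dates and passwords are constructed for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds taken from the six-rule policy listed above.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=30)   # "can't be older than 30 days"
MIN_AGE = timedelta(days=7)    # "can't be changed within 7 days"


@dataclass
class UserRecord:
    """Per-user state the policy needs. 'current_password' is only known in
    plaintext at change time (the user supplies it to prove identity); it is
    passed through for comparison, never stored."""
    username: str
    first_name: str
    surname: str
    last_changed: datetime          # when the current password was set
    current_password: Optional[str] = None


def complexity_errors(candidate: str) -> list:
    """Rules 1 and 2: minimum length plus mixed case, a digit and a symbol."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        errors.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        errors.append("no symbol")
    return errors


def identity_errors(candidate: str, user: UserRecord) -> list:
    """Rules 3 and 4: the password must not contain the username or the
    user's names; compared case-insensitively so 'jSmith' is still caught."""
    lowered = candidate.lower()
    errors = []
    for label, token in (("username", user.username),
                         ("first name", user.first_name),
                         ("surname", user.surname)):
        if token and token.lower() in lowered:
            errors.append(f"contains the user's {label}")
    return errors


def shares_stem_with(old: str, new: str) -> bool:
    """Hypothetical extra check (not one of the six listed rules): True when
    the new password is the old one with only its trailing digits changed,
    i.e. the 'word followed by an incrementing number' pattern."""
    stem = re.compile(r"(.*?)(\d+)")
    m_old, m_new = stem.fullmatch(old), stem.fullmatch(new)
    if not (m_old and m_new):
        return False
    return m_old.group(1).lower() == m_new.group(1).lower()


def password_expired(user: UserRecord, now: datetime) -> bool:
    """Rule 5: the current password has exceeded its maximum age."""
    return now - user.last_changed > MAX_AGE


def check_password_change(candidate: str, user: UserRecord, now: datetime) -> list:
    """Evaluate a proposed new password against the whole policy.
    Returns a list of violations; an empty list means the change is allowed."""
    errors = complexity_errors(candidate) + identity_errors(candidate, user)
    if now - user.last_changed < MIN_AGE:      # rule 6: minimum age
        errors.append(f"current password is less than {MIN_AGE.days} days old")
    if user.current_password and shares_stem_with(user.current_password, candidate):
        errors.append("only the trailing number differs from the current password")
    return errors


# Constructed sample data for the demonstration (invented user and dates).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_user(days_since_change: int, current_password: str = "Summer12") -> UserRecord:
    return UserRecord("jsmith", "John", "Smith",
                      last_changed=SAMPLE_NOW - timedelta(days=days_since_change),
                      current_password=current_password)


if __name__ == "__main__":
    user = sample_user(10)
    for pw in ("Summer13", "jsmith2024!", "Tr0ub&dor"):
        print(pw, "->", check_password_change(pw, user, SAMPLE_NOW) or "OK")
    print("expired:", password_expired(sample_user(31), SAMPLE_NOW))
```

Returning the full list of violations matters in practice: a checker that stops at the first failure sends the user round several change attempts, which is exactly the kind of friction that feeds password fatigue. The stem check is deliberately case-insensitive and ignores everything after the last run of digits, so `Summer12` to `Summer13` is rejected while an unrelated password such as `Tr0ub&dor` passes.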