Secret CIO: Password Complexity Puts Security At Risk - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

06:50 PM

Secret CIO: Password Complexity Puts Security At Risk

Even the best system can fail when people have to remember too much

There are days when something small irritates you. Maybe your coffee wasn't hot enough or the traffic driving to work was especially annoying. Whatever. The result is that you start picking on things you'd normally ignore.

I was signing into the system very early one morning when my computer responded with the message, "Your password will expire in 10 days. Please choose another one." So I entered another alphanumeric combination and confirmed it. The machine blinked and countered with, "This password has previously been used. Try again." Being a compliant adult, I came up with another password and did as I was told. The gods of security weren't satisfied and assertively flashed once again, "This password has previously been used. Try again." This dance continued a few more times as I watched the clock tick away my time to get actual work done before the phone starts ringing and people begin dropping into my office with their crises du jour.

I am frustrated. I pick up the telephone and call the Help Desk. Sherry, who answers, tries to calm me down by explaining that for better security no password can be reused if it's among the last 10 I have chosen. I thank her, hang up, and call Bill, the head of our operations group. Like me, Bill gets into work early. Bill tells me that it's the security policy Dwayne, our security officer, has established. I hang up. I have a headache. If I can't figure out whom to talk to in my own organization, what chance does a user have? I call Dwayne.

He arrives in my office looking very serious. For the next few minutes, he goes over password procedures and why he set up the rules as he did. I listen. Finally, I interrupt. "Look, Dwayne, you and I both know any password system can be hacked. Making people change passwords every 90 days and not letting them reuse them for three years is just encouraging bad habits. I bet if I walk around here I'd find a lot of passwords written on scratch paper under mouse pads. Our butts may be covered, but we've got to consider normal human behavior when confronted with too much to remember."

I ask Dwayne to devise a new password procedure. Expire passwords after four months, not three, and give people the option of reusing a password so long as it wasn't among the last two used. Next, put a brief, understandable paper on picking good passwords on the company home page and offer lunchtime sessions at our various locations to go over it. Give examples of easily remembered passwords that use uppercase, lowercase, symbols, and numbers such as "ONE+two=3" or "4Score&7." But block these examples so people don't use them to avoid thinking up their own.

Dwayne says he'll go along but is concerned. "After all, my job is to ensure the strongest system security possible, and I'm worried that what you want will water down what we have."

I shake my head. "Maybe I'm at fault for assuming we were in sync on your job. It doesn't stop at the firewall; it's to ensure all the links in the security chain are as strong as possible."

We talk some more and our conversation is productive. No password system is invulnerable, but at least we won't be contributing to locking the doors to our systems but leaving the keys lying around the office.

Herbert W. Lovelace shares his experiences as CIO of a multibillion-dollar international company (changing most names, including his own, to protect the guilty). Send him E-mail at [email protected].

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Is Cloud Migration a Path to Carbon Footprint Reduction?
Joao-Pierre S. Ruth, Senior Writer,  10/5/2020
IT Spending, Priorities, Projects: What's Ahead in 2021
Jessica Davis, Senior Editor, Enterprise Apps,  10/2/2020
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll