Password change frenzy
April 13, 2012
Call me a nerd!
I’ve been on all sides of the line. I was an IT user while doing my PhD. I was a systems administrator in my own startup, admittedly with a limited machine park of merely 20 machines (luckily a real Unix heaven: all machines running Solaris, GNU/Linux or HP-UX). I’m in middle management now, where people come to me to complain about IT support. Some people may call me a nerd who moved up to management.
Having seen all sides, I understand and appreciate the complex job of being a systems administrator, but also the complex job of being a user (let’s keep management out of the loop for now). Moreover, I realize that though people call it ICT, the ‘C’ (for Communication) is very often absent in this strange love-hate relationship. Because of this, I always use the acronym ‘IT’ instead of ‘ICT’.
I myself recently totally freaked out because of a new ludicrous IT policy that was imposed on me. Let me explain how they managed to derail my attitude of understanding.
I like my password as I do my coffee: strong
As long as I can recall, I’ve always been asked to choose a strong password with enough entropy to stay well ahead of the state of the art in password cracking. This is no surprise, as the guys who invented Rijndael, aka AES (the encryption scheme we are all using now, e.g. in WIFI communications), did their research two floors away from me, and believe me: they did more than invent algorithms. Convincing the rest of the building to keep data and computer accounts safe and well protected was their second nature. Since then, I have been the proud owner of a password of over 25 of the most exotic characters. The computer security guys even tested whether they could break the passwords of the entire building. Needless to mention that mine was never cracked.
Password change frenzy
I must say that I was a bit surprised when I found out that IT recently asked me to change my password every 6 months. However, I didn’t pay too much attention to it at the time, until I found out that you’re not allowed to reuse the previous 6 passwords. No big deal: my colleagues and I ran through a round of 6 changes every 6 months, so that we could keep using our old and perfectly good passwords. Recently, IT ‘improved’ the policy by requiring us to change it every 3 months. Moreover, you can’t reuse any of the previous 24 passwords, and each one is remembered for at least 24 days.
Working an 80-hour week and finding myself on a sunny Sunday full of work with no valid password left, because I made a double typo while changing it (both in the original and in the confirmation), totally freaked me out. I missed the deadline (i.e., my boss allowed me to miss it in view of the circumstances) and, needless to say, as a result there is a big dent in my relationship with IT.
My big frustration, however, is that I’m not able to convince them that their policy has a serious adverse effect on information security. Instead, they throw at me that everyone in IT-land is asking their users to change passwords every 3 months: “it is a Microsoft recommendation!” I did not spend too much time trying to find out whether Microsoft has such a recommendation, but, though I did not find any proof, I would not be surprised if it actually is a Microsoft recommendation. Alas, the Redmond guys don’t have a good track record when it comes to computer security. Anyway, their answer makes me believe that many of you are also suffering the same password change frenzy.
Evil
Let me try to explain to you why I think this IT policy of requiring users to change passwords every 3 months is evil.
The core of the problem is two assumptions IT people make, and both assumptions are false.
False assumption 1: people have an infinite amount of memory
In a perfect world where humans have an infinite amount of FLASH memory built into their skull to store passwords with sufficient entropy, changing passwords poses no harm. IT people seem to believe in this perfect world. However, you and I know that it is not a perfect world: humans are human and will, let’s hope, be human for the rest of our lives. Therefore, people are not capable of memorizing a password with a sufficient amount of entropy every month. Moreover, my work-related passwords (four in total) are not the only ones I need to manage: I have a password for my home computer, my home WIFI access, one for my Apple ID, one for my Amazon account, my self-banking account, my IEEE account, my university account, this website, ... need I go on?
Sure, I have an electronic password wallet to make life a bit easier, but my average colleague is a bit less nerdy than me.
What is the net result? People start to pick passwords built from easy, simple atoms that are easy to remember: dates of birth or marriage, names of their children, words straight out of the dictionary, leading to simple, short passwords that are easy to crack. The changing part of the password needed to survive the 3-month change drill is likely to be a single digit, or a sequence like 123.
It can be worse, however. People start writing down their passwords on a piece of paper. And even that is not the worst. I recently witnessed a colleague who has his set of 24 passwords written down, one below the other, clearly in sight on the pedestal on his desk, with a paper clip marking the one currently in use.
Note that I don’t even go into detail on a number of secondary effects, like the fact that people who have to change passwords very often start typing their passwords really slowly, making it very easy for Eve to get in between Alice and Bob; or the fact that most users perceive the password change frenzy as IT having a grudge against the average user, which does not aid a good customer-client relationship.
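As an added illustration (not part of the original post), here is a small Python check of the kind a password-change handler could run: instead of only refusing exact reuse of the last 24 passwords, it strips the trailing digit or punctuation run that users change to survive the rotation, refuses any candidate that shares a stem with the history, and counts how few guesses remain once that stem is known. The suffix pattern and the sample history are my own assumptions, not anything from the post.

```python
import math
import re

# Assumed shape of the "rotation suffix" users append to survive a forced change:
# one to four digits, optionally followed by one or two punctuation marks
# (e.g. "Winter2012!", "Secret123."). Constructed for this example.
_SUFFIX = re.compile(r"\d{1,4}[!?.]{0,2}$")


def stem(password: str) -> str:
    """Return the password with its rotation suffix removed, case-folded."""
    return _SUFFIX.sub("", password).casefold()


def is_trivial_rotation(previous: str, candidate: str) -> bool:
    """True if candidate differs from previous only in the rotation suffix (or not at all).

    An all-digit previous password has an empty stem; that case is left to a
    separate strength check rather than treated as a rotation."""
    s = stem(previous)
    return s != "" and s == stem(candidate)


def accept_change(history: list[str], candidate: str) -> bool:
    """History-aware check: reject stem reuse against every remembered password.

    The policy described in the post only rejects an exact match against the
    last 24 entries, so "Secret1" -> "Secret2" passes it; this does not."""
    return not any(is_trivial_rotation(old, candidate) for old in history)


def suffix_search_space() -> int:
    """Number of distinct suffixes _SUFFIX accepts: the guesses that remain
    once an attacker knows the stem from a previous leak."""
    digits = sum(10 ** n for n in range(1, 5))   # 10 + 100 + 1000 + 10000
    punct = 1 + 3 + 9                            # none, one of 3 marks, two of 3 marks
    return digits * punct


def suffix_bits() -> float:
    """Effective entropy left in the rotating part, in bits."""
    return math.log2(suffix_search_space())


# Constructed sample history of a user surviving three rotations by bumping a digit.
HISTORY = ["Tr0ub4dor&3", "Tr0ub4dor&4", "Tr0ub4dor&5"]

if __name__ == "__main__":
    for cand in ["Tr0ub4dor&6", "Tr0ub4dor&123!", "correct horse battery staple"]:
        print(f"{cand!r}: {'accepted' if accept_change(HISTORY, cand) else 'rejected'}")
    print(f"suffix space once the stem is known: {suffix_search_space()} (~{suffix_bits():.1f} bits)")
```

The last figure is the point of the argument: a 25-character exotic password is worth well over 100 bits, but the part that actually changes every 3 months is worth about 17.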
We get to a fundamental question: What’s the added benefit of changing passwords in this environment?
Still, at this point in the reasoning, the IT people throw one argument back at me: if a hacker gets in, at least he will have access for three months at worst. This brings us to the second false assumption.
False assumption 2: hackers have an average IQ below 100
The popular claim is that anyone could be a hacker: you, me, but also little Bert down the street (sorry, Bert, no offense). However, getting through today’s firewalls, intrusion detection systems and regular asymmetric challenge-response schemes is not that easy. If I weren’t convinced that hacking is a resentful crime, I’d be impressed by the skills of the average hacker. I think that neglecting the fact that anyone who is able to hack my computer will also be able to install a backdoor that gives him or her access way beyond 3 months is a huge underestimation of their average IQ. Even I could program such a backdoor.
The final argument
After being confronted with the arguments above, the IT people come up with the employee “IT compliance part” in my contract, which mentions that I (like all my colleagues) am obliged to act as a prudent man with due care and attention, and that therefore all employees are to pick extra strong passwords.
Well, IT people, if I’m required to act with due care and attention, why don’t you?
Conclusion - kind request to the reader
If you are an IT user: please alert your colleagues all over the world to the existence of this article, so that you, the users, are well prepared to enter the discussion with your IT department on this stupid password change policy. If you are an IT administrator: please stop jeopardizing your company’s data and account security by asking your users to change passwords every 3 months.
Epilogue
I did not treat the fact that, for a no-password-change policy to work, people still need to pick a good one-time password. I will treat that aspect in a future post, together with the fact that trying to crack the passwords of an entire building may have offended the occasional reader. Enough digging. Let’s call it a day.