Password policy: A headplank moment
Oct. 2nd, 2007 04:50 pm

Our network has lots of users (about 6000), an under-resourced and under-motivated helpdesk, and complex passwords which need to be changed every three months. This results in a lot of calls, which the helpdesk don't like, so they're lobbying to have the passwords set to last forever.
It's worth pointing out that this is an NHS (national healthcare) network and that user accounts commonly have access to patient-identifiable data (PID, in the jargon). It's also worth pointing out that (in common with other large organisations) we often don't know a person has left for some months after they're out the door, so there are plenty of stale accounts around. The short password life is one way of mopping up those accounts so they don't provide flapping great security holes to your syphilis test and mastectomy photos.
Counter to this, we have a lot of older users, blue-collar users and users for whom English is a second language. All of these are high-maintenance for a helpdesk, it's true, but not unmanageable.
I think part of the problem is that the helpdesk suggest weird passwords in l33t-speak. Password complexity is often very badly presented, and it doesn't have to be. P@$$w0rd is a horrid thing to have to remember. Users will write it down and they'll hate having to come up with @n0th3r_1. Passwords like these are, frankly, crap. And there's no need for them! Bubble*Fish is much more memorable. (Compuserve used to generate passwords like this, leading to the occasional user who was upset at getting Arse!Bandit or Scary$Vulva - don't generate these from a vanilla dictionary). If that's too "passwordy" then use a phrase; spaces are punctuation too. I love my job and Let's go spelunking are long and complex, and always get a laugh in induction.
Brute-force password crackers are not our main concern; it's password leakage. It's people remembering what a colleague's password was, and using it later (this has been done for web porn right here); it's people giving out their details willy-nilly, and of course with lots of staff churn, it's physical security and social engineering. Cripple Mr. Onion may not be as theoretically sound as some, but it's sound enough and very memorable and very accessible. Friendly passwords are not tough to think of when they need to be refreshed, they're not tough to type, they just bloody well work better.
It's a training issue. The users need to know that a password isn't a big scary thing, and the helpdesk need to be motivated to tell them. But instead of addressing it this way, they are pushing for immortal passwords. I'm not very happy. But without good stats (user has problem remembering new password vs fat-finger lockout, say) it's hard to prove the glittering dumbness of this approach. It really feels like they're significantly compromising security in order to have a quiet life.
Am I being over-sensitive? What are the password policies at your office? If you were in the NHS, would you be as twitchy about this as I am?
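As an added example (not code from the original post or any of its commenters), here is a small generator for the Bubble*Fish and spaced-phrase styles described above, with the denylist filter the Compuserve anecdote argues for, plus the arithmetic that shows why P@$$w0rd is weaker than its character mix suggests and how the 6-characters-plus-a-digit policy mentioned in the comments compares. The word list and denylist are constructed for the example; the 7776-word list size, the 100,000-word cracker dictionary and the 8 substitution rules are assumptions, not figures from the post.

```python
import math
import re
import secrets

# Constructed word list for this example. A real deployment would load a large,
# human-reviewed list (a diceware-style list has 7776 words); the bit counts
# below scale with the list size, not with this toy list.
WORDS = [
    "bubble", "fish", "onion", "cripple", "spelunking", "job", "love", "garden",
    "teapot", "window", "yellow", "pencil", "river", "castle", "marble", "lantern",
    "arse", "vulva", "Fish", "a",
]

# Words that must never be drawn: the lesson of the post's Compuserve anecdote.
# Seeded here with the post's own two examples; a real denylist is far longer
# and is reviewed by a person before the generator goes live.
BLOCKED = {"arse", "vulva"}

SEPARATORS = "*!$%&-_+="  # punctuation used to join the two words (9 choices)


def clean_words(words, blocked=BLOCKED, min_len=3, max_len=10):
    """Normalise a raw word list: lower-case, letters only, sensible length,
    nothing on the denylist, no duplicates. Order is preserved."""
    seen, out = set(), []
    for w in words:
        w = w.lower()
        if not w.isalpha() or not (min_len <= len(w) <= max_len):
            continue
        if w in blocked or w in seen:
            continue
        seen.add(w)
        out.append(w)
    return out


def two_word_password(words=WORDS, seps=SEPARATORS):
    """Bubble*Fish style: Word<sep>Word. Drawn with the secrets module (a CSPRNG),
    never random.random, whose output is predictable."""
    pool = clean_words(words)
    first, second = secrets.choice(pool), secrets.choice(pool)
    return f"{first.capitalize()}{secrets.choice(seps)}{second.capitalize()}"


def phrase(k=4, words=WORDS):
    """'Let's go spelunking' style: k lower-case words joined by spaces."""
    pool = clean_words(words)
    return " ".join(secrets.choice(pool) for _ in range(k))


TWO_WORD_RE = re.compile(r"[A-Z][a-z]+[*!$%&\-_+=][A-Z][a-z]+")


def is_two_word_form(pw):
    """True if pw has the Word<sep>Word shape two_word_password() produces."""
    return TWO_WORD_RE.fullmatch(pw) is not None


# What a cracker does with l33t-speak: a substitution rule maps the common
# replacements back to letters, so P@$$w0rd costs the attacker one dictionary
# word plus a handful of rules, not 95**8 guesses.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def deleet(pw):
    return pw.translate(LEET).lower()


# Search-space arithmetic: log2 of the number of equiprobable candidates.
def charset_bits(length, alphabet_size):
    return length * math.log2(alphabet_size)


def two_word_bits(n_words, n_seps):
    return 2 * math.log2(n_words) + math.log2(n_seps)


def phrase_bits(n_words, k):
    return k * math.log2(n_words)


def compare_policies(n_words=7776, dictionary=100_000, leet_rules=8):
    """Bits of guessing work for the policies that come up in the thread.
    n_words: size of the generator's cleaned list (7776 = diceware; an assumption).
    dictionary, leet_rules: assumed size of a cracker's wordlist and rule set."""
    return {
        "8 printable chars, truly random": charset_bits(8, 95),
        "P@$$w0rd: one dictionary word + leet rules": math.log2(dictionary) + math.log2(leet_rules),
        "6 chars letters+digits (the 6-char policy), truly random": charset_bits(6, 62),
        "Word<sep>Word from the generator": two_word_bits(n_words, len(SEPARATORS)),
        "4-word phrase from the generator": phrase_bits(n_words, 4),
    }


if __name__ == "__main__":
    print(two_word_password(), "|", phrase())
    print("P@$$w0rd ->", deleet("P@$$w0rd"))
    for policy, bits in compare_policies().items():
        print(f"{bits:5.1f} bits  {policy}")
```

The figures make the post's point in numbers: a genuinely random 8-character password over the full printable set is about 52.6 bits, but a word with l33t substitutions is nearer 20 bits once the attacker's rule engine undoes the substitutions, while a four-word phrase from a 7776-word list is about 51.7 bits and is the one users can actually remember. The two-word form is weaker (about 29 bits with a 7776-word list) and, as the post says, is chosen for memorability against leakage and sharing, not against offline cracking; lengthen the list or add a third word if cracking resistance matters.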
Date: 2007-10-02 05:22 pm (UTC)
As for the people who just see computers as an annoyance, I am not sure what you do about those. I look forward to seeing you with a mortar board and cane to get them into line....
If the passwords were set for forever your chief exec will care very much if sensitive data leaks out, and you guys will get the problem back again.
Date: 2007-10-02 08:40 pm (UTC)
And yes, spankings are needed. Many spankings.
Date: 2007-10-02 07:38 pm (UTC)
I used to work for the hospital system that owns the clinic and I did billing management. It drove me crazy that there was often only one password being shared among 6 or 7 people. When they implemented an upgraded version of the same system for its electronic medical records capabilities, there was only one password for billing and the clinic. You're talking about 50 employees right there. The doctors all had their own with special privileges such as ordering tests and prescriptions (they had a clearance password once logged in), but to get into the system initially, the password was the same for everyone. That meant that anyone who worked there could look at all of the medical records.
When I stopped working there, my doctor offered to put my file under his security code so that those who knew me couldn't view my medical records without going to a manager and stating why it was necessary.
A few months ago, when I had my first Vitamin-B injection, there was an entirely new staffing group at the front desk. No one had a password to log into the system to check waiting patients in, so they called a manager up. Not only did she tell them the password across the room and loudly enough that I'd have needed to be deaf not to hear her, but she wrote it on a half sheet of paper and taped it to one of the monitors where anyone at the window could read it.
It was the same password they'd had three years prior when I was employed with them.
Given that they didn't ask me to turn in my security badge and I still had the password, I could have waltzed into any office or hospital they ran and accessed all the records I wanted, and their turnover rate is so high that I suspect I wouldn't be the only one with the tools to do so.
Thing is, it wasn't even a complex password. It was just a word with a number after it, and yet, they couldn't remember it. So I'm left wondering if your users just can't be arsed to memorize theirs at all regardless of how often it has to be changed. In response to their ambivalence, perhaps your help desk knows they should give different advice to users who need passwords, but are getting even with them for their "stupidity" by making it hard because people are basically pissing on the system they're trying to take care of? It wouldn't be the first time, and I know the help desk for the office I just described ignored the clinic when they'd call because of the users' indifference to such things.
You're completely right that the helpdesk needs to be motivated to tell them. It's just hard to feel that motivation when you spend all day working with people who don't care about the computer or security and just see those things as a detriment to getting their jobs done. That's what needs addressing first, I think, because it sets off a chain reaction.
Date: 2007-10-02 08:47 pm (UTC)
My users are mostly not IT people. They're nurses. A lot of the time, many of them will be using a ward-station PC which is logged on as the ward ID, so they can be expected to forget their passwords.
I love my nurses to bits, they're great at what they do. But they are at the lower end of the IT-literacy level in a lot of cases and it's no good the helpdesk getting pissy about that. They need to realise what their user base is like, rather than wishing they were all l33t. A great bedside manner, tons of common sense and the stomach to wipe arses and mop up puke all day do not necessarily come with a computer brain.
Oh, for swipe-card logons from our ID badges...
Date: 2007-10-02 09:52 pm (UTC)
Banks = Cost lives, overfunded.
My access card to the building has a chip in it that I have to stick into a COBOL reader and enter a 6-digit PIN to access my PC account. I have a couple of subsequent logons for payment/client-related systems, where passwords are a minimum of 6 digits, mixed letters, caps and numbers. I can view some sensitive data, but I KNOW the guy who reviews what I've been looking at. As to altering it? Fugadabouit. The 4-eyes principle abounds, audit are a pretty scary beast, and the draconian laws mean it had better be a big score before you'd even consider entertaining contemplating the idea of the possibility of the remote chance of thinking about doing something naughty.
Date: 2007-10-06 05:45 pm (UTC)
Still, it does sound as though your problem is more with your help desk than with your users. There's always the carrot/stick method, but within a system like the NHS, do you have options for either?
Date: 2007-10-11 03:45 pm (UTC)
I am one of the only nurses who is comp literate. We tend to be in our fifties, rural white females.
Education is the key. All my chosen passwords are either numerical sequences or else in Romanian. No one can ever use mine because they can't remember them. :-) Once I started getting my co-workers to use things they remembered, like Code Brown and Ridin_thepootrain, we did much better.
Date: 2007-10-02 08:38 pm (UTC)
It's the ones who go into a total brainfreeze and need a bit of a helping hand that are the problem; the helpdesk aren't big on "help". :(
Date: 2007-10-02 09:01 pm (UTC)
From what you say, a 3-month failing password sounds sensible. If people share their passwords then there needs to be some limit. Hard tag + detector sounds like the best solution, but that'll cost.
Date: 2007-10-03 10:52 am (UTC)
6 characters, at least 1 number... and that's it.
Easier to remember.
Less secure certainly, but a big improvement on never changing the password. And if it means fewer people write it down, then it might even improve security.
Date: 2007-10-03 09:44 am (UTC)
I like your suggestions for complexity; they certainly beat the suggestion of a j!8b3rI5h password. Another method I think Jan suggested once, which has worked for me, was to take a memorable line from a book, song, movie or whatever and use the first letters of each word. You can then replace characters if you feel the need.
That method was the only way I avoided being gunned down by the help desk, or sacked, in a Dutch bank I worked for. They insisted on 10-character passwords with at least one number and special character, and no character repetition. These passwords were valid for 7 days only. 3 errors and it was locked, requiring a reset. Mine, due to the timing of me being set up, expired on a Thursday night. I would reset it Friday morning and head home for the weekend at lunchtime. Come Monday I had no idea what it was. Cue an angst-filled helpdesk relationship and a post-it note that could have got me sacked if management had found it, until Jan's suggestion.
The people that should have been shot there were the security freaks though. They had zero concept of risk assessment vs business impact.
Date: 2007-10-03 10:24 am (UTC)
(aside: I'm tempted to take a pop at that job, but don't trust management to back me up)
Seven days is incredibly short. It's situations like that where biometrics really start to get attractive.
Good to see that someone else is using the lyrics approach. Ah, happy days using sequential lines from Jabberwocky in mock German. Est Brillig wahr / Der Slichtoven / Gyren und gimmelen in Waben / Allen mimsich Borgoven sie / Momenrathen ausgraben.