Password policy: A headplank moment
Oct. 2nd, 2007 04:50 pm
Our network has lots of users (about 6000), an under-resourced and under-motivated helpdesk, and complex passwords which need to be changed every three months. This results in a lot of calls which the helpdesk don't like, so they're lobbying to have the passwords set to last forever.
It's worth pointing out that this is an NHS (national healthcare) network and that user accounts commonly have access to patient-identifiable data (PID, in the jargon). It's also worth pointing out that (common with other large organisations) we often don't know a person has left for some months after they leave the door, so there are plenty of stale accounts around. The short password life is one way of mopping up those accounts so they don't provide flapping great security holes to your syphilis test and mastectomy photos.
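Password expiry is being used here as an indirect way of killing off stale accounts. The direct way is a last-logon report, so here is one as an added example (not from the original post). It assumes a constructed CSV export with the columns username,last_logon,enabled and ISO dates; a real directory export would need its own column mapping.

```python
"""Stale-account report: list enabled accounts nobody has used for a while.

Added example, not from the original post. The CSV layout and the sample
rows are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; none of these accounts are real.
SAMPLE_EXPORT = """username,last_logon,enabled
jsmith,2007-09-28,true
agreen,2007-05-02,true
ward7station,2007-10-01,true
pbrown,,true
tleaver,2007-03-15,false
"""


def parse_accounts(text):
    """Parse the CSV export into dicts; last_logon becomes a date or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_logon"].strip()
        rows.append({
            "username": row["username"].strip(),
            "last_logon": date.fromisoformat(raw) if raw else None,
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return rows


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Return enabled accounts idle for more than max_idle_days, or never used.

    Disabled accounts are skipped because they are already dealt with. An
    enabled account with no recorded logon is reported too: a never-used
    account is exactly the kind of forgotten account the post worries about.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["last_logon"] is None or acct["last_logon"] < cutoff:
            stale.append(acct["username"])
    return sorted(stale)


def stale_report(text, as_of=date(2007, 10, 2), max_idle_days=90):
    """Convenience wrapper: parse an export and return the stale usernames."""
    return stale_accounts(parse_accounts(text), as_of, max_idle_days)


if __name__ == "__main__":
    for name in stale_report(SAMPLE_EXPORT):
        print(name)
```

Run against the constructed export with a 90-day window it reports agreen and pbrown; the disabled leaver is skipped, and the ward-station account stays off the list because it is used daily, which is a reminder that shared station logons hide the individuals behind them.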
Counter to this, we have a lot of older users, blue-collar users and users for whom English is a second language. All of these are high-maintenance for a helpdesk, it's true, but not unmanageable.
I think part of the problem is that the helpdesk suggest weird passwords in l33t-speak. Password complexity is often very badly presented, and it doesn't have to be. "P@$$w0rd" is a horrid thing to have to remember. Users will write it down and they'll hate having to come up with "@n0th3r_1". Passwords like these are, frankly, crap. And there's no need for them! "Bubble*Fish" is much more memorable. (Compuserve used to generate passwords like this, leading to the occasional user who was upset at getting "Arse!Bandit" or "Scary$Vulva" - don't generate these from a vanilla dictionary). If that's too "passwordy" then use a phrase; spaces are punctuation too. "I love my job" and "Let's go spelunking" are long and complex, and always get a laugh in induction.
Brute-force password crackers are not our main concern; it's password leakage. It's people remembering what a colleague's password was, and using it later (this has been done for web porn right here); it's people giving out their details willy-nilly, and of course with lots of staff churn, it's physical security and social engineering. "Cripple Mr. Onion" may not be as theoretically sound as some, but it's sound enough and very memorable and very accessible. Friendly passwords are not tough to think of when they need to be refreshed, they're not tough to type, they just bloody well work better.
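The two paragraphs above make three practical points: Word*Word passwords and spaced phrases satisfy the usual complexity rules, generated words must come from a reviewed list rather than a vanilla dictionary, and the result is "sound enough" rather than maximally strong. The following added example (not from the original post) shows all three. The word list, the exclusion list and the three-of-four-classes policy rule are constructed for illustration; a real list would be several thousand reviewed words.

```python
"""Memorable 'Word<punct>Word' passwords and passphrases from a curated list,
with a complexity check and an entropy estimate.

Added example, not from the original post. WORDS, EXCLUDED and the policy in
meets_policy() are constructed for illustration only.
"""
import math
import random
import secrets
import string

# Constructed, deliberately tiny word list. A production list must be reviewed
# by a person; the exclusion list below catches words that slip through.
WORDS = ["bubble", "fish", "onion", "spelunking", "kettle", "marble",
         "pencil", "rocket", "saddle", "tulip", "walrus", "arse"]
EXCLUDED = {"arse"}          # the post's own cautionary example
SEPARATORS = "*!$#%&+-_"     # all of these are in string.punctuation


def curated_words(words=WORDS, excluded=EXCLUDED):
    """Lower-case, de-duplicate, drop excluded words; sorted for determinism."""
    return sorted({w.lower() for w in words} - {e.lower() for e in excluded})


def deterministic_rng(seed):
    """Seeded generator for tests and demos; use secrets (the default) for real passwords."""
    return random.Random(seed)


def two_word_password(rng=secrets, words=None):
    """Build e.g. 'Bubble*Fish': two capitalised words joined by one separator."""
    pool = words if words is not None else curated_words()
    first, second = rng.choice(pool), rng.choice(pool)
    return f"{first.capitalize()}{rng.choice(SEPARATORS)}{second.capitalize()}"


def passphrase(n_words=3, rng=secrets, words=None):
    """Build a spaced phrase like 'Marble tulip walrus' (first word capitalised)."""
    pool = words if words is not None else curated_words()
    chosen = [rng.choice(pool) for _ in range(n_words)]
    chosen[0] = chosen[0].capitalize()
    return " ".join(chosen)


def meets_policy(pw, min_len=8):
    """Constructed policy: at least min_len characters and three of the four
    character classes. A space counts as punctuation, as the post argues."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def entropy_bits(choices_per_slot):
    """Entropy of a password made of independent uniform picks, given the number
    of options at each slot, e.g. [11, 9, 11] for word, separator, word."""
    return sum(math.log2(n) for n in choices_per_slot)


if __name__ == "__main__":
    pool = curated_words()
    pw, phrase = two_word_password(), passphrase()
    print(pw, meets_policy(pw), round(entropy_bits([len(pool), len(SEPARATORS), len(pool)]), 1))
    print(phrase, meets_policy(phrase), round(entropy_bits([len(pool)] * 3), 1))
```

With the toy eleven-word list a Word*Word password carries only about 10 bits, which is the "not as theoretically sound as some" caveat made concrete: the scheme's strength comes entirely from the size of the reviewed word list, not from the capital letter or the punctuation mark that satisfy the policy check.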
It's a training issue. The users need to know that a password isn't a big scary thing, and the helpdesk need to be motivated to tell them. But instead of addressing it this way, they are pushing for immortal passwords. I'm not very happy. But without good stats (user has problem remembering new password vs fat-finger lockout, say) it's hard to prove the glittering dumbness of this approach. It really feels like they're significantly compromising security in order to have a quiet life.
Am I being over-sensitive? What are the password policies at your office? If you were in the NHS, would you be as twitchy about this as I am?
no subject
Date: 2007-10-02 08:47 pm (UTC)
My users are mostly not IT people. They're nurses. A lot of the time, many of them will be using a ward-station PC which is logged on as the ward ID, so they can be expected to forget their passwords.
I love my nurses to bits, they're great at what they do. But they are at the lower end of the IT-literacy level in a lot of cases and it's no good the helpdesk getting pissy about that. They need to realise what their user base is like, rather than wishing they were all l33t. A great bedside manner, tons of common sense and the stomach to wipe arses and mop up puke all day do not necessarily come with a computer brain.
Oh, for swipe-card logons from our ID badges...
no subject
Date: 2007-10-02 09:52 pm (UTC)
Banks = Cost lives, overfunded.
My access card to the building has a chip in that I have to stick into a COBOL reader and enter a 6 digit PIN to access my PC account. I have a couple of subsequent logons for payment/client related systems, where passwords are a minimum of 6 digits mixed letters, caps and numbers. I can view some sensitive data, but I KNOW the guy who reviews what I've been looking at. As to altering it? Fugadabouit. 4 eyes principle abounds, audit are a pretty scary beast, and the draconian laws mean it had better be a big score before you'd even consider entertaining contemplating the idea of the possibility of the remote chance of thinking about doing something naughty.
no subject
Date: 2007-10-06 05:45 pm (UTC)
Still, it does sound as though your problem is more with your help desk than with your users. There's always the carrot/stick method, but within a system like the NHS, do you have options for either?
no subject
Date: 2007-10-07 02:44 pm (UTC)
no subject
Date: 2007-10-11 03:45 pm (UTC)
I am one of the only nurses who is comp literate. We tend to be in our fifties, rural white females.
Education is the key. All my chosen passwords are either numerical sequences or else in Romanian. No one can ever use mine because they can't remember them. :-) Once I started getting my co-workers to use things they remembered, like Code Brown and Ridin_thepootrain, we did much better.
no subject
Date: 2007-10-11 04:21 pm (UTC)