Password policy: A headplank moment
Oct. 2nd, 2007 04:50 pm
Our network has lots of users (about 6000), an under-resourced and under-motivated helpdesk, and complex passwords which need to be changed every three months. This results in a lot of calls which the helpdesk don't like, so they're lobbying to have the passwords set to last forever.
Am I being over-sensitive? What are the password policies at your office? If you were in the NHS, would you be as twitchy about this as I am?
It's worth pointing out that this is an NHS (national healthcare) network and that user accounts commonly have access to patient-identifiable data (PID, in the jargon). It's also worth pointing out that (common with other large organisations) we often don't know a person has left for some months after they leave the door, so there are plenty of stale accounts around. The short password life is one way of mopping up those accounts so they don't provide flapping great security holes to your syphilis test and mastectomy photos.
Counter to this, we have a lot of older users, blue-collar users and users for whom English is a second language. All of these are high-maintenance for a helpdesk, it's true, but not unmanageable.
I think part of the problem is that the helpdesk suggest weird passwords in l33t-speak. Password complexity is often very badly presented, and it doesn't have to be. P@$$w0rd is a horrid thing to have to remember. Users will write it down and they'll hate having to come up with @n0th3r_1. Passwords like these are, frankly, crap. And there's no need for them! Bubble*Fish is much more memorable. (Compuserve used to generate passwords like this, leading to the occasional user who was upset at getting Arse!Bandit or Scary$Vulva - don't generate these from a vanilla dictionary). If that's too "passwordy" then use a phrase; spaces are punctuation too. I love my job and Let's go spelunking are long and complex, and always get a laugh in induction.
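As an added illustration (not the post's own code), a small generator for the Bubble*Fish style recommended above: it draws words from a curated list, rejects blocklisted words before they can ever be paired, joins them with a symbol, and reports the entropy the scheme actually yields for a given list size. The word list, blocklist and separator set are constructed placeholders.

```python
import math
import secrets

# Constructed sample word list; a real deployment would load several
# thousand common words. The scheme is the post's, the code is an added example.
WORDS = ["Bubble", "Fish", "spelunking", "onion", "lantern", "marble",
         "pepper", "river", "saddle", "tulip", "velvet", "walnut", "yellow",
         "arse", "bandit"]
# Words that must never be paired up: vet the list, as the post says, rather
# than generating from a vanilla dictionary. Constructed placeholder.
BLOCKLIST = {"arse"}
SEPARATORS = "*!$#@&"


def curated_words(words=WORDS, blocklist=BLOCKLIST):
    """Lower-case, de-duplicate, and drop blocklisted or very short words."""
    keep = {w.lower() for w in words
            if len(w) >= 4 and w.lower() not in blocklist}
    return sorted(keep)


def entropy_bits(word_count, n_words=2, n_separators=len(SEPARATORS)):
    """Entropy of n_words drawn uniformly (with replacement) from word_count
    words, joined by one uniformly chosen separator. Capitalisation adds
    nothing because it is fixed by the scheme."""
    return n_words * math.log2(word_count) + math.log2(n_separators)


def generate(n_words=2, words=None, rng=secrets):
    """Return a Bubble*Fish style password from the curated list."""
    pool = curated_words() if words is None else list(words)
    picks = [rng.choice(pool).capitalize() for _ in range(n_words)]
    return rng.choice(SEPARATORS).join(picks)


def looks_like_generated(password, words=None):
    """Check that a password is curated words joined by one of our separators,
    so a helpdesk-suggested P@$$w0rd can be told apart from Bubble*Fish."""
    pool = set(curated_words() if words is None else words)
    for sep in SEPARATORS:
        parts = password.split(sep)
        if len(parts) >= 2 and all(p.lower() in pool for p in parts):
            return True
    return False


if __name__ == "__main__":
    pool = curated_words()
    print(generate(), f"({entropy_bits(len(pool)):.1f} bits from {len(pool)} words)")
```

With a 7776-word list and four words the same arithmetic gives roughly 52 bits, which is where a spoken passphrase like the ones above starts to outrun a short symbol-substituted word.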
Brute-force password crackers are not our main concern; it's password leakage. It's people remembering what a colleague's password was, and using it later (this has been done for web porn right here); it's people giving out their details willy-nilly, and of course with lots of staff churn, it's physical security and social engineering. Cripple Mr. Onion may not be as theoretically sound as some, but it's sound enough and very memorable and very accessible. Friendly passwords are not tough to think of when they need to be refreshed, they're not tough to type, they just bloody well work better.
It's a training issue. The users need to know that a password isn't a big scary thing, and the helpdesk need to be motivated to tell them. But instead of addressing it this way, they are pushing for immortal passwords. I'm not very happy. But without good stats (user has problem remembering new password vs fat-finger lockout, say) it's hard to prove the glittering dumbness of this approach. It really feels like they're significantly compromising security in order to have a quiet life.