When more is less
March 12th, 2004 by jiri
Last month, when writing security policies for a City firm, I came to the topic of password policy. What is the best practice on passwords? What is a reasonable password length these days that will not make life too difficult for people? I thought I could find some guidance in system hardening guides. I had a look at the otherwise excellent NSA Windows Security Recommendations but, strangely enough, in the relevant section the guide mentions something like 15 character long passwords. Do I really want to inflict this on users?
One of the principles of sound enterprise security is that security shouldn’t prevent legitimate business activities. How do 15 character passwords relate to this? The NSA guide authors obviously didn’t spare much thought for usability. But perhaps someone else did. Because usability of security is an interesting subject, I decided to do some research into the topic, focusing on the problem at hand - passwords.
I found an article by Bruce Tognazzini, who is a usability expert. Does the following story ring any bells?
“My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!
Of course, there’s always room for more retardation of productivity, and, if it can be found, these guys will do it. After the first six weeks, my wife had received only two of the four sets of usernames/passwords, and she’d had to speak to no fewer than seven people to get them. Two weeks of further extreme effort finally produced the last two sets.
…
What was she doing in the meantime? Instead of spending full-time repairing people, which is nominally her job, she wasted hours camping out in another doc’s offices, using his computer (and passwords–they were right there on the sticky note) to do her work.
Meanwhile, the other doc, bumped from his office, would go and get an extra cup of coffee. The security D’ohLTs had thus not only opened up your medical records to anyone schooled in the use of sticky notes, they were pouring money down the drain in the form of lost productivity and company-supplied coffee.
Even constant users have to make up (and post on their computer monitors) new passwords every 90 days, even if they keep their user names. Expiring stuff is the only way these guys can prevent the unthinkable: memorization. Once people memorize the little devils, they don’t need their cheatsheets anymore, and then, suddenly, there’s real security. They can’t let that happen!”
And the final word of wisdom: “The goal of security is not to build a system that is theoretically securable, but to actually make it secure!”
Further googling then led me to Richard Smith and his Center for Password Sanity, who dissects the common wisdom that:
1. All Passwords must be memorized.
2. All Passwords must be at least six characters long.
3. The password should contain a combination of upper- and lowercase letters, digits, and punctuation or other special characters.
4. The password should not be a word that appears in a dictionary.
5. You must use a different password for every computer that requires one.
6. Passwords must be replaced periodically.
7. You must never use the same password twice, especially when periodically changing your password.
Richard essentially shows that in many cases stricter password policies backfire, and thus when writing password policies (and not only those) you should question whether the ‘best practice’ is actually reasonable. Often, you can achieve more with less.