2/17/2005
06:50 PM

Secret CIO: Password Complexity Puts Security At Risk

Even the best system can fail when people have to remember too much

There are days when something small irritates you. Maybe your coffee wasn't hot enough or the traffic driving to work was especially annoying. Whatever. The result is that you start picking on things you'd normally ignore.

I was signing into the system very early one morning when my computer responded with the message, "Your password will expire in 10 days. Please choose another one." So I entered another alphanumeric combination and confirmed it. The machine blinked and countered with, "This password has previously been used. Try again." Being a compliant adult, I came up with another password and did as I was told. The gods of security weren't satisfied and assertively flashed once again, "This password has previously been used. Try again." This dance continued a few more times as I watched the clock tick away my time to get actual work done before the phone starts ringing and people begin dropping into my office with their crises du jour.

I am frustrated. I pick up the telephone and call the Help Desk. Sherry, who answers, tries to calm me down by explaining that for better security no password can be reused if it's among the last 10 I have chosen. I thank her, hang up, and call Bill, the head of our operations group. Like me, Bill gets into work early. Bill tells me that it's the security policy Dwayne, our security officer, has established. I hang up. I have a headache. If I can't figure out whom to talk to in my own organization, what chance does a user have? I call Dwayne.

He arrives in my office looking very serious. For the next few minutes, he goes over password procedures and why he set up the rules as he did. I listen. Finally, I interrupt. "Look, Dwayne, you and I both know any password system can be hacked. Making people change passwords every 90 days and not letting them reuse them for three years is just encouraging bad habits. I bet if I walk around here I'd find a lot of passwords written on scratch paper under mouse pads. Our butts may be covered, but we've got to consider normal human behavior when confronted with too much to remember."

I ask Dwayne to devise a new password procedure. Expire passwords after four months, not three, and give people the option of reusing a password so long as it wasn't among the last two used. Next, put a brief, understandable paper on picking good passwords on the company home page and offer lunchtime sessions at our various locations to go over it. Give examples of easily remembered passwords that use uppercase, lowercase, symbols, and numbers such as "ONE+two=3" or "4Score&7." But block these examples so people don't use them to avoid thinking up their own.

Dwayne says he'll go along but is concerned. "After all, my job is to ensure the strongest system security possible, and I'm worried that what you want will water down what we have."

I shake my head. "Maybe I'm at fault for assuming we were in sync on your job. It doesn't stop at the firewall; it's to ensure all the links in the security chain are as strong as possible."

We talk some more and our conversation is productive. No password system is invulnerable, but at least we won't be contributing to locking the doors to our systems but leaving the keys lying around the office.

Herbert W. Lovelace shares his experiences as CIO of a multibillion-dollar international company (changing most names, including his own, to protect the guilty). Send him E-mail at lovelace@comcast.net.
