Secret CIO: Password Complexity Puts Security At Risk

There are days when something small irritates you. Maybe your coffee wasn't hot enough or the traffic driving to work was especially annoying. Whatever. The result is that you start picking on things you'd normally ignore.

I was signing into the system very early one morning when my computer responded with the message, "Your password will expire in 10 days. Please choose another one." So I entered another alphanumeric combination and confirmed it. The machine blinked and countered with, "This password has previously been used. Try again." Being a compliant adult, I came up with another password and did as I was told. The gods of security weren't satisfied and assertively flashed once again, "This password has previously been used. Try again." This dance continued a few more times as I watched the clock tick away my time to get actual work done before the phone starts ringing and people begin dropping into my office with their crises du jour.

I am frustrated. I pick up the telephone and call the Help Desk. Sherry, who answers, tries to calm me down by explaining that for better security no password can be reused if it's among the last 10 I have chosen. I thank her, hang up, and call Bill, the head of our operations group. Like me, Bill gets into work early. Bill tells me that it's the security policy Dwayne, our security officer, has established. I hang up. I have a headache. If I can't figure out whom to talk to in my own organization, what chance does a user have? I call Dwayne.

He arrives in my office looking very serious. For the next few minutes, he goes over password procedures and why he set up the rules as he did. I listen. Finally, I interrupt. "Look, Dwayne, you and I both know any password system can be hacked. Making people change passwords every 90 days and not letting them reuse them for three years is just encouraging bad habits. I bet if I walk around here I'd find a lot of passwords written on scratch paper under mouse pads. Our butts may be covered, but we've got to consider normal human behavior when confronted with too much to remember."

I ask Dwayne to devise a new password procedure. Expire passwords after four months, not three, and give people the option of reusing a password so long as it wasn't among the last two used. Next, put a brief, understandable paper on picking good passwords on the company home page and offer lunchtime sessions at our various locations to go over it. Give examples of easily remembered passwords that use uppercase, lowercase, symbols, and numbers such as "ONE+two=3" or "4Score&7." But block these examples so people don't use them to avoid thinking up their own.

Dwayne says he'll go along but is concerned. "After all, my job is to ensure the strongest system security possible, and I'm worried that what you want will water down what we have."

I shake my head. "Maybe I'm at fault for assuming we were in sync on your job. It doesn't stop at the firewall; it's to ensure all the links in the security chain are as strong as possible."

We talk some more and our conversation is productive. No password system is invulnerable, but at least we won't be contributing to locking the doors to our systems but leaving the keys lying around the office.

Herbert W. Lovelace shares his experiences as CIO of a multibillion-dollar international company (changing most names, including his own, to protect the guilty). Send him E-mail at [email protected].