Get this stuff out of my head.

Password Policies That Cause Bad Behaviour


There is one sure-fire indicator of how well an organisation understands data security: its password policies. And so many organisations fail so badly so often.

Most password systems are in place simply to allow the system to verify your identity (they can also be used to verify authority, but this is rarely seen these days). This is done by using one or more ‘factors’ that you provide to show:

  • what you know (a password)
  • what you have (one of those key fob dongle things)
  • who you are (biometrics like fingerprints or retina scans)

All of these are based on assumptions such as your key fob hasn’t been stolen or your fingers cut off by international terrorists in order to gain access to the missile launch system.  Of course the most common assumption is that you and only you know your password.

This assumption is a perfectly reasonable one if you have been properly trained about the importance of not sharing your password or writing it on a post-it now stuck to your monitor. And it is an organisation’s policies that show how well it understands that it is making this assumption.

Unfortunately, it seems that so many organisations create and enforce policies that do everything possible to break this assumption. Policies that:

  • require a new password to be created every 30 days (and try to prevent the reuse of old passwords),
  • insist on passwords including numbers and capital letters,
  • limit the length of the password to just a dozen or so characters.

All of these make it more difficult to remember a password (as so wonderfully explained by XKCD), thus driving you to do one of two things:

  • write down your password in a list somewhere
  • request a new password every time you forget it and want to use the system
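To make the argument concrete, here is an added example (not from the original post) that encodes the two kinds of policy described above as checks and runs them over two constructed sample passwords: one that satisfies the composition rules and one XKCD-style passphrase. The thresholds (a 12-character cap for the legacy policy, a 12-character minimum and generous 128-character maximum for the alternative) are assumptions chosen for illustration.

```python
import re

# Constructed sample passwords for illustration; neither is from the original post.
SAMPLES = {
    "complexity_pleasing": "Tr0ub4dor&3",            # short, has a digit and a capital
    "passphrase": "correct horse battery staple",    # long and memorable, no digits/capitals
}


def legacy_policy(pw: str) -> list:
    """The kind of policy the post criticises: a short length cap plus
    composition rules. Returns the list of violations (empty means accepted)."""
    problems = []
    if len(pw) > 12:                      # assumed cap of "a dozen or so characters"
        problems.append("longer than 12 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    return problems


def sensible_policy(pw: str) -> list:
    """Length-based alternative: long passphrases are allowed and there are no
    composition rules, only a minimum length and a generous maximum so that
    the check does not itself push people towards short, unmemorable strings."""
    problems = []
    if len(pw) < 12:                      # assumed minimum
        problems.append("shorter than 12 characters")
    if len(pw) > 128:                     # assumed maximum; leaves room for passphrases
        problems.append("longer than 128 characters")
    return problems


def compare_policies(samples: dict = SAMPLES) -> dict:
    """Run both policies over each sample and report which accept it."""
    return {
        name: {
            "legacy_accepts": legacy_policy(pw) == [],
            "sensible_accepts": sensible_policy(pw) == [],
        }
        for name, pw in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name}: {result}")
```

Running it shows the inversion the post complains about: the legacy policy accepts only the short, hard-to-remember string and rejects the passphrase on all three counts.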

Writing down the password is obviously a bad thing, as it increases the chances of breaking that assumption about only you knowing it. At worst it will mean anyone who can see the post-it stuck to your monitor can read your password. At best it will mean that anyone who has access to your notebook, telephone, or online password management tool has access.

The effect of getting a new password (invariably sent by email) is that your password is effectively exposed to anyone who can read your email. And that means:

  • the staff who look after your email system
  • people who work at your Internet service provider
  • anyone who can access your computer, phone or other devices when you aren’t looking

Effectively, an email based ‘forgotten password’ mechanism delegates the security of any system to the security provided by your email system and devices.

There are lots of potential ways to fix this problem (single-sign-on servers, two-factor login systems, sensible password policies, locked-down email), but the underlying issue is that the people who run the information security function of an organisation should consider that their job is not about computer authentication and identity systems, or document and data management. Their job is about changing people’s behaviour: understanding how they work, why they do what they do, and how you can persuade them to behave differently.