Ringing the (password) changes
I have milestones in my working life, I mark time by them. They help me to think quantitatively about how much time has passed since a particular point in time or event. It’s helpful because it enables me to think clearly about whether a colleague would have been involved in a particular activity at that particular time. And the nature of the milestone? Password changes!
I am pretty conscientious about passwords. I always have different ones for different things, with uppercase, numbers, punctuation and sometimes uppercase. As a sufferer of DOuble-CApital-itis, I am not a big fan of uppercase but I make the effort sometimes. Of course there are exceptions, such as the one password I use for all random website registrations, but I’m in good company with that. Because of these password habits, changing a password that I use every day is a big event! I have to think of something that my brain can hold on to, and train myself to type the new one rather than the old. I sometimes change existing passwords for no reason, I just think it’s good practice. What I really hate is being forced to use a password I don’t want, or change it when I am not ready!
I have recently changed employment, no particular reason just the next step on the ladder really. At my old workplace, I typed my password every single time I opened an internet browser, or logged onto another machine. I can’t deal with too many windows on the taskbar so I was opening and closing browsers all day. I must have typed it fifty times most days. The password complexity rules were there, but they didn’t really get in my way. I was forced by the system to change my password every three months. Three months is quite short when you are subconsciously typing that same password in so often! Still, the password change would roll around, marking a change in season, and I’d spend three days swearing at having typed in the wrong password on autopilot. When my password expired with a week of my notice still left to work, my boss (I guess tired of all that swearing) extended the expiry period to save me the pain.
So here I am, bright and enthusiastic in my new job. Day one, I have to choose a new password. No problem. Four weeks later, I get prompted to change my password. OK, well that’s a pain because I find password changes difficult but hey, I’m new, and I’ll just grin and bear it – after all, I don’t have to type my password for the web proxy here, just when I log in or unlock my machine. That’s still quite a few times though as I don’t leave my desk to go anywhere without locking it. So… you can guess what’s coming next. Eight weeks into the new job and the password change box is back. My mind is too full to manage another “good” password so I try out something insecure – all lower case characters. And it accepts.
There’s something about this “security” which bothers me immensely. Most password setup systems come with tickboxes, to turn on “features”, such as
- require mixed case
- require at least one number
- require some punctuation
- ban password recycling
- ban similar passwords
- force password change
The sysadmin starts to read the list, ticks the top few boxes, decides this is a Good Thing and ticks them all – the system is as secure as possible – Right???
This is how security myths start, and “force password change” is not something where (more often == better). A few months from now, I’m going to be a gibbering wreck, with my plain text password post-it-ed onto my monitor, and not locking the console when I walk away.
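To make the tickbox list above concrete, here is a small policy checker written for this post (it is an added example, not code from the author or from any real password system). It models each tickbox as a policy field, plus the "force password change" interval, and constructs two policies from the post: the old employer (every box ticked, three-month expiry) and the new employer (no complexity rules, four-week expiry). The rule names, the two-edit similarity threshold and the sample passwords are all assumptions made for the example.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Each field mirrors one tickbox from the post's list; max_age_days is the
# "force password change" interval (None = never forced).
@dataclass
class PasswordPolicy:
    require_mixed_case: bool = False
    require_digit: bool = False
    require_punctuation: bool = False
    ban_recycling: bool = False
    ban_similar: bool = False
    max_age_days: Optional[int] = None

# Constructed policies: the post's old employer (all boxes ticked, three-month
# expiry) and its new employer (no complexity rules, four-week expiry).
OLD_JOB = PasswordPolicy(True, True, True, True, True, max_age_days=90)
NEW_JOB = PasswordPolicy(max_age_days=28)

SIMILARITY_THRESHOLD = 2  # assumption: within two edits counts as "similar"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the 'ban similar passwords' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(policy: PasswordPolicy, candidate: str, history=()) -> list:
    """Return the names of the rules the candidate breaks (empty list = accepted)."""
    problems = []
    if policy.require_mixed_case and not (
        any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
    ):
        problems.append("mixed case")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("digit")
    if policy.require_punctuation and not any(c in string.punctuation for c in candidate):
        problems.append("punctuation")
    if policy.ban_recycling and candidate in history:
        problems.append("recycled")
    elif policy.ban_similar and any(
        edit_distance(candidate.lower(), old.lower()) <= SIMILARITY_THRESHOLD
        for old in history
    ):
        problems.append("similar to a previous password")
    return problems

def next_change_due(policy: PasswordPolicy, last_changed: date) -> Optional[date]:
    """Date on which the policy forces the next change, or None if it never does."""
    if policy.max_age_days is None:
        return None
    return last_changed + timedelta(days=policy.max_age_days)

if __name__ == "__main__":
    # The all-lowercase password the post says the new system accepted.
    print(check_password(NEW_JOB, "alllowercase"))  # []
    print(check_password(OLD_JOB, "alllowercase"))  # ['mixed case', 'digit', 'punctuation']
    # A one-digit bump of last quarter's password trips the similarity rule.
    print(check_password(OLD_JOB, "Spring!2011", history=["Spring!2010"]))
    print(next_change_due(NEW_JOB, date(2010, 1, 1)), next_change_due(OLD_JOB, date(2010, 1, 1)))
```

The point the checker makes visible is that the expiry interval is independent of the strength rules: `NEW_JOB` forces a change twice as often as `OLD_JOB` yet accepts a password that `OLD_JOB` rejects on three counts, so ticking "force password change" with a short interval buys frequency, not strength.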
There’s such a thing as overkill, isn’t there? Have you suggested making passwords more secure and changes less often to the management?