The Most Ridiculous Password Policies
No matter how secure your systems are, everyone knows that the humans are the weakest link in the security chain. So, what can you do to reduce the human-factor risk?
Many, many things.
But today I'm writing about not enforcing ridiculous password policies.
Users need to be able to memorize their passwords, or they will write them down - inevitably on a Post-It note, stuck to their monitor, labeled "Password".
Examples of horrible policies I found while researching this:
- Must be between 5 and 10 characters long, contain one number, and one capital letter.
- Must be less than 7 characters.
- Must be longer than 7 characters, and include a number - and you can't use a number twice in a row.
These are ridiculous. One of those is from a social network, the other two are from financial institutions.
The same principles apply in corporate settings. Provide a secure password scheme that allows people to use the things that are typically memorable to them, but aren't easily defeated by a brute force / dictionary attack.
What does this mean?
Using an example:
- A dictionary attack tries the word "cheese".
- When that fails, it tries "cheese1", and so on.
So the solution for most environments can be as simple as:
- Require the password to be at least 7 characters long.
- Require it to have a number, somewhere in between the alpha characters.
Examples: "ch1942eese", "jo1992rdan", etc.
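To make the scheme above concrete, here is an added example (not code from the original post) of a small policy check: it enforces the minimum length, requires the digit to sit between alphabetic characters rather than at either end, and flags the "dictionary word plus trailing digits" pattern that the cheese/cheese1 attack walks through. The tiny dictionary is a constructed stand-in for the wordlist a real attacker would use.

```python
import re

# Constructed sample wordlist for the illustration; a real dictionary is far larger.
SAMPLE_DICTIONARY = {"cheese", "jordan", "password", "welcome"}

MIN_LENGTH = 7


def has_interior_digit(password: str) -> bool:
    """True if at least one digit lies strictly between the first and last letter.

    This is the post's second rule: the number must sit "somewhere in between
    the alpha characters", not merely be appended or prepended.
    """
    alpha_positions = [i for i, c in enumerate(password) if c.isalpha()]
    if len(alpha_positions) < 2:
        return False
    first, last = alpha_positions[0], alpha_positions[-1]
    return any(c.isdigit() for c in password[first + 1:last])


def is_dictionary_word_plus_suffix(password: str) -> bool:
    """True if the password is a dictionary word with only digits appended.

    This is exactly the "cheese", "cheese1", "cheese2", ... sequence a
    dictionary attack tries first, so it should never pass a policy check.
    """
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    return bool(match) and match.group(1).lower() in SAMPLE_DICTIONARY


def check_password(password: str) -> list[str]:
    """Return the list of reasons a password fails the scheme (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    elif not has_interior_digit(password):
        problems.append("digit is not between alphabetic characters")
    if is_dictionary_word_plus_suffix(password):
        problems.append("dictionary word with only a numeric suffix")
    return problems


if __name__ == "__main__":
    # The post's own examples should pass; the dictionary-attack candidates should not.
    for candidate in ["ch1942eese", "jo1992rdan", "cheese", "cheese1", "1cheese"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The interior-digit rule is what defeats the "word plus suffix" walk: an attacker who appends digits to every dictionary word never produces "ch1942eese", while a rule that merely demands "a number somewhere" is satisfied by "cheese1".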
Oh, one more thing - forcing people's passwords to expire repeatedly in short intervals will almost certainly lead to them writing down their passwords. Stop.
Please, everyone, we need to put a stop to this horrid password policy culture. It's caused more compromises than most other channels combined.