My bank forced me to change the login password again; they claim it's an automated procedure that happens every 90 days, but I know that it actually waits for me to remember the password and then immediately forces me to change it.
When I went in to change it, I was reminded of the draconian rules: it has to be at least 6 characters, with at least 2 numbers and at least 2 uppercase and 2 lowercase. These guys went to the 'security by obstruction' school, no doubt.
I decided to fight back. As I finally got around to remembering this awkward strange password I had to pick 90 days ago, I decided I'm staying with it. So I changed it to something else, which I had to write on a piece of paper for fear of forgetting within 30 seconds (if you saw Memento, that movie is about me. And I try to always order beers in bottles since seeing it), and I then went to the 'change password' section to change it back to my awkward-but-conditioned-to-memory password.
Naturally, the bank was trying to set me straight. "You can't change back to any of your last 5 passwords" it told me with a grinning smile, giving me the solution right there. As you can undoubtedly guess, I returned the favor by changing the password 5 times to different things and then changed it back to my old one. I win. Next round in 3 months.
People will always outsmart security systems that try to force them into making the 'right' decision. What I've done today (and I'm quite proud of it, thank you) is being done every day by people who use their CD-ROMs as coffee trays and have never used any program that didn't automatically run when double clicking an icon.
But here's what is really bothering me: What exactly is the attack scenario here? I would like to see the statistics that show how many attackers actually manage to capture a username and password and only fail because they try to use it after 90 days. While these huge numbers are crunched, please put on the Y-axis how many attackers found the password on a post-it stuck to the monitor because the password is so complicated to remember.
Or maybe so many attackers have used brute force to crack the password (which would take hundreds of millions of attempts for a single account) so there is a clear need for a long and complicated password. (BTW, if this attack is possible, someone should tell me how to do it. I've been locked out a few times for failing to type the password correctly within a few guesses. I need a few guesses because I didn't remember the current password, which, as you remember, changes every 90 days).
Being the cynic that I am, and having read enough security policy documents, I can guess why the password policy is the way it is: it's easy to explain and justify, and it makes sense to the senior execs when shown in a PowerPoint slide show. I once heard from a high-profile organization that due to a successful break-in to their network they decided to tighten up security: all passwords now had to be 9 characters instead of 8. I'm guessing someone was promoted for this genius action, and there's still enough room to increase it further when the next break-in comes (now that's thinking ahead).
How is a complex password policy bad? Let me count the ways: it makes your user your enemy instead of your ally, it distracts the security people from the real threat, it gives a false sense of security, users will more likely write it on a post-it note, it encourages your users to find flaws in your security system and use them. What else? I had more, but somebody just came in the door and I forgot.
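An added example, not from the article or from Beyond Security: a toy Python model of the "no reuse of the last 5 passwords" rule that replays the five-change workaround described above, and shows that the same history check, once paired with a minimum password age (a setting assumed here; the article does not say the bank has one), rejects the rapid cycling. Class and function names are hypothetical.

```python
import hashlib
import os


class PasswordPolicy:
    """Toy model of a 'no reuse of the last N passwords' rule (hypothetical, not the bank's code).
    History holds (salt, sha256) pairs only; a real system would use bcrypt or argon2."""

    def __init__(self, history_depth=5, min_age_seconds=0):
        self.history_depth = history_depth      # the bank's "last 5 passwords"
        self.min_age_seconds = min_age_seconds  # 0 reproduces the bank's behaviour
        self._history = []                      # newest last; current password included
        self._last_change = None                # time of the most recent accepted change

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

    def _in_history(self, password):
        return any(self._digest(s, password) == d for s, d in self._history)

    def change(self, new_password, now):
        """Attempt a change at time `now` (seconds); returns a verdict string."""
        if self._last_change is not None and now - self._last_change < self.min_age_seconds:
            return "rejected: minimum password age not reached"
        if self._in_history(new_password):
            return "rejected: matches one of the last %d passwords" % self.history_depth
        salt = os.urandom(16)
        self._history.append((salt, self._digest(salt, new_password)))
        self._history = self._history[-self.history_depth:]  # older entries are forgotten
        self._last_change = now
        return "accepted"


def cycle_back(policy, old_password, throwaways, start=0, step=1):
    """Replay the article's workaround: set old_password, walk through the throwaway
    passwords `step` seconds apart, then try to restore old_password.
    Returns every verdict; the last one is the restore attempt."""
    verdicts = [policy.change(old_password, start)]
    t = start
    for pw in throwaways:
        t += step
        verdicts.append(policy.change(pw, t))
    t += step
    verdicts.append(policy.change(old_password, t))
    return verdicts
```

With a history of 5 and no minimum age, five throwaway changes evict the old password and the restore is accepted, exactly as in the article; with a one-day minimum age the second change is already refused, so the history rule actually holds.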
Aviram Jenik is the CEO of Beyond Security, which has developed tools that uncover security problems in servers and web sites, discover vulnerabilities in corporate networks, check computer systems for the possibility of hostile external attack and audit vendor products for security risks.
Article Source: http://EzineArticles.com/?expert=Aviram_Jenik