Slashdot Mirror


New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

7 of 148 comments

  1. This matches how people function by WillAffleckUW · · Score: 5, Interesting

    If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera-enabled pen or purse or water bottle you "forget". Or they type into the notes feature on their easily guessed cell phone.

    (caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)

    (extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:This matches how people function by dpidcoe · · Score: 5, Interesting

      Yep. When I worked in IT, security kept enforcing stricter and stricter password guidelines. Eventually it boiled down to basically every. single. user. picking a password in the format of [Kids name][kids birthdate]![number representing how many times they'd had to change their password]. It got to the point where if I had to fix someone's computer but they weren't at their desk I'd just check their hire date and multiply number of years worked by 4 (for the end number), examine whatever family pictures they had framed there and have the password in 3-5 guesses.

      This is the same security that disabled the ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and Dropbox.

  2. Reflexive, symmetric, transitive... by Okian Warrior · · Score: 3, Interesting

    Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

    So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

    OK - got it.

  3. that's what I do now. Better might be algorithmic by raymorris · · Score: 4, Interesting

    That's what I do now: I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.

    I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

    For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall" my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.
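    The per-domain derivation raymorris describes, written out as an added example (not his utility and not code from the page): it replaces the sha1(mypassword, domain) sketch with a PBKDF2-stretched key and HMAC-SHA256, and normalises the domain so different URL forms of one site yield the same password. The function names, the charset and the generation counter are my assumptions.

```python
"""Derive a per-site password from a master secret and a domain name.

Added example, not raymorris's utility. The master secret is stretched with
PBKDF2 (salted by the domain), then expanded with HMAC-SHA256 into a password.
"""
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# 52 letters + 10 digits + 2 symbols = 64 entries, so byte % 64 has no bias.
# Constructed choice for this example, not a value from the page.
CHARSET = string.ascii_letters + string.digits + "@#"

def canonical_domain(site: str) -> str:
    """Normalise a URL or bare hostname: 'https://WWW.Slashdot.org/story'
    and 'slashdot.org' must derive the same password."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host

def derive_site_password(master: str, site: str, length: int = 20,
                         generation: int = 0) -> str:
    """`generation` lets one site's password be rotated after that site is
    breached without changing the master secret or any other site's password."""
    if not 8 <= length <= 64:
        raise ValueError("length out of range")
    domain = canonical_domain(site)
    # Stretching makes recovering the master from one leaked site password
    # expensive; salting with the domain keeps every site's key distinct.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), 200_000)
    msg = f"{domain}\x00{generation}".encode()
    # Expand the key into as many bytes as the requested length needs.
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hmac.new(key, msg + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return "".join(CHARSET[b % len(CHARSET)] for b in stream[:length])
```

    The weakness the comment leaves implicit still applies: every site password depends on one master secret, so a phished or reused master exposes all of them, and a site that forbids "@" or "#" needs a per-site exception.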

  4. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 2, Interesting

    Here's the problem in a nutshell:

    When I work for , initially I only have 1 password to memorize. As I gain tenure, I gain access to more systems, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.

    So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique cases came up, I'd have to lose the productivity then.

    Other people keep passwords on stickynotes on their PC.

    The problem is that passwords are bad.

    With the advent of smartphones/watches, it should be possible to just start having PCs have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you an NFC ID card and temporarily/permanently revoke the phone.

    This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.

    Good luck getting Google and such implementing a common NFC card access.

  5. Too similar by Jumunquo · · Score: 4, Interesting

    They caught on to us at our workplace. Now passwords have to be significantly different by some secret algorithm, and incrementing a number is not different enough. Of course, that just means people think up other schemes.

  6. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 4, Interesting

    I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically, but it wasn't required. Periodically I would suspend the account locking and attempt to crack users' passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved. It never happened. Life was good.

    Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.

    Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.

    The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.

    I left not long after that. I heard that he got fired a few years later, so at least there is a god.