I’ve mentioned before how inadequate I think most security methods are, but I want to point out one in particular here. I’ve seen it numerous times in my corporate life, and occasionally on the Internet, and it still amazes me today how some security professionals think that frequent password changes are a good thing.
Here’s what happens with nearly every user I’ve spoken to about the matter:
The more frequently you have to change your passwords, the more predictable you make them. Classically, you take password11, and when you are forced to change it, you make it password12, then password13, etc. So not only are you not making your system more secure, you are creating the illusion of security, which is worse.
There is one place that I worked that was smart enough to get this right. I can’t tell you the name of the company, because their password policy is private, but suffice to say there was an understanding about how often to change passwords, and how to monitor the devices where those passwords were used, and what traffic was flowing to and from those devices.
So if you are trying to implement a password policy, please don’t force users to change passwords monthly or quarterly. Remember, you are working with human beings; they would like security, but not at any great inconvenience. Any attempt to complicate their lives will generally be met with an offsetting attempt at simplicity.
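As an added illustration, not part of the original post: a server-side check run at password-change time that rejects the counter-bump pattern described above (password11 to password12) instead of accepting it as a "new" password. It assumes the change form submits both the old and the new plaintext, which is the only moment they can be compared; the similarity threshold and the substitution table are assumptions of this example.

```python
import re
from difflib import SequenceMatcher

# Trailing counter that users bump on each forced change: password11 -> password12
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")

# Common substitutions that add no real entropy; applied to the stem only (assumed table).
_LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "4": "a", "1": "l"})


def split_stem(password):
    """Lower-case the password and split off a trailing counter.

    Returns (normalised_stem, counter_or_None)."""
    m = _TRAILING_NUMBER.match(password.lower())
    if m:
        stem, counter = m.group(1), int(m.group(2))
    else:
        stem, counter = password.lower(), None
    return stem.translate(_LEET), counter


def is_predictable_variant(old, new, similarity_threshold=0.8):
    """True when `new` is a cosmetic rotation of `old` rather than a new secret.

    Both arguments are the plaintexts submitted on the change form, so no
    history of old passwords has to be stored for this check to work."""
    old_stem, _ = split_stem(old)
    new_stem, _ = split_stem(new)
    # Same stem with the counter bumped, added, or dropped.
    if old_stem == new_stem:
        return True
    # Otherwise measure how much of the old secret survives unchanged.
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= similarity_threshold


def check_change(old, new):
    """Policy decision handed back to the change-password handler."""
    if is_predictable_variant(old, new):
        return "reject: new password is a predictable variant of the old one"
    return "accept"
```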
So what do you think a good password policy or security method might be? Do you have ideas about a completely different but still practical approach? Hardware? Bio? Something not yet invented?
Hi Charlie,
Something you have, instead of something you know. My typing cadence is as unique to me as a password, but you can’t steal it. My phone rarely leaves my pocket. Combine how I use an interface with what I physically have and I think you have something significantly better than anything today. I think one of the perfect opportunities is to empower the user with some choices around what they’d like to do. Let me establish hours of scrutiny, devices I’d use to authenticate, etc.
I’ll consider some other things and probably do another post in the future.
-David