Why passwords are passé

Passwords are a lousy way to authenticate

Security Strategies Alert By M. E. Kabay, Network World
October 04, 2007 12:04 AM ET
The long view of security strategies for your network.

I have long argued that passwords are a terrible way of authenticating identity.

Here's why:

* Many well-meaning but unaware people choose really stupid, easy-to-guess passwords such as the names of people important to them (or favorite sports teams, or the product whose billboard is visible from their office window, or the names of objects on their desk).

* Good passwords increase the keyspace not only by being longer but also by using upper- and lowercase letters, numbers and special characters - resulting in monstrosities such as “j3q(K8bX_*5” – and let’s not even think about allowing “O” and “0” in the character set.

* Some users generate their passwords using funny rules such as using particular letters from the words in phrases (e.g., using the third letter of each word in “Mary had a little lamb; its fleece was white as snow” produces “rdatmsesiso”) - and then they forget the rules.

* People sometimes use numerical increments to get around rules preventing password reuse (e.g., fisu3nema, fisu4nema, fisu5nema...), thus compromising their next password as soon as the current password is discovered.

* Users often use exactly the same password for everything (their private Web e-mail, their corporate professional e-mail, their DVD-club login, their talking-slug club - everything) with the result that any single password compromise is a potentially complete security compromise.

* Making passwords hard to guess forces many people to write them down.

* Physically recorded passwords get stored in the same places network security auditors have always found them: in desk drawers, under keyboards, under chair seats, in files labeled “C:\passwords.txt” and even in plain view on the back (or front!) of video screens.

* When people do pick hard-to-guess passwords and don’t write them down, they often call the help desk or security administrator to reset them because they forget them, causing a great deal of irritation and wasted time for everyone concerned.
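The reuse and numeric-increment habits above are something a password-change check can catch on the server side. What follows is an added example, not code from the column: a history check that stores only salted hashes of previous passwords and, at change time, hashes the proposed password together with its "nudged digit" variants (fisu4nema, fisu5nema, ...) under each stored salt, so an increment of an old password is rejected without the old passwords ever being kept in plaintext. The function names, the constructed sample history and the low PBKDF2 iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import re

_DIGITS = re.compile(r"\d+")

def hash_pw(password: str, salt: bytes, iterations: int = 1_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Iteration count is kept low so the demo runs
    quickly; a real deployment uses a far higher count or a memory-hard KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_history(passwords):
    """Previous passwords as a history table stores them: (salt, hash), no plaintext."""
    salts = [os.urandom(16) for _ in passwords]
    return [(s, hash_pw(pw, s)) for s, pw in zip(salts, passwords)]

def digit_neighbours(password: str, max_step: int = 10):
    """Yield every string that differs from `password` by moving exactly one run
    of digits up or down by at most `max_step` (fisu4nema -> fisu3nema, fisu5nema,
    ...). Zero-padded runs keep their width (007 -> 008)."""
    for m in _DIGITS.finditer(password):
        run = m.group()
        value, width = int(run), len(run)
        for step in range(-max_step, max_step + 1):
            if step == 0 or value + step < 0:
                continue
            new_run = str(value + step)
            if run.startswith("0") and width > 1:
                new_run = new_run.zfill(width)
            yield password[:m.start()] + new_run + password[m.end():]

def violates_history(new: str, history, max_step: int = 10):
    """Return a rejection reason if `new` is a previous password or a numeric
    increment of one, else None. The history holds only hashes, so the check
    hashes the candidate variants of `new` under each stored salt instead of
    trying to recover the old passwords."""
    candidates = {new: "reuses a previous password"}
    for variant in digit_neighbours(new, max_step):
        candidates.setdefault(variant, "is a numeric increment of a previous password")
    for salt, digest in history:
        for candidate, reason in candidates.items():
            if hmac.compare_digest(hash_pw(candidate, salt), digest):
                return reason
    return None

if __name__ == "__main__":
    history = make_history(["fisu3nema", "Summer2007"])  # constructed sample history
    for attempt in ("fisu4nema", "Summer2008", "fisu3nema", "j3q(K8bX_*5"):
        print(attempt, "->", violates_history(attempt, history) or "accepted")
```

The cost is one KDF call per candidate per history entry, so keep max_step small and the history short, or the check itself becomes a denial-of-service lever at password-change time.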

A study published last year by Nucleus Research reported findings on user behavior concerning passwords. To no one’s surprise, the researchers found that “More than a third of employees write down or electronically record their passwords, creating significant vulnerabilities. Even worse, lowering the quantity of passwords, changing password complexity, or changing password change frequency had no impact on employee actions.”

The firm also found that “There was also no correlation between complexity, frequency, and quantity and how often users called the help desk with password-related issues. Seventy percent of enterprise users call the IT help desk once a year for help with a forgotten or missing password; 16% call two to three times a year; 9% call three to five times a year; and 5% call more than five times a year for password help.”

The full report is usually available by subscription only, but the company has very kindly opened it temporarily for use by readers of this column. 

Based on a survey with 325 respondents, efforts at improving password management by ordinary users generally fail. Specifically, the same proportion of users (one out of three) keep a written record of their password regardless of the amount of:
* user education
* password complexity
* security-policy restrictiveness

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
