Why passwords are passé

* Passwords are a lousy way to authenticate

I have long argued that passwords are a terrible way of authenticating identity.

Here's why:

* Many well-meaning but unaware people choose really stupid, easy-to-guess passwords such as the names of people important to them (or favorite sports teams, or the product whose billboard is visible from their office window, or the names of objects on their desk).

* Good passwords increase the keyspace not only by being longer but also by using upper- and lowercase letters, numbers and special characters - resulting in monstrosities such as “j3q(K8bX_*5” – and let’s not even think about allowing “O” and “0” in the character set.

* Some users generate their passwords using funny rules such as using particular letters from the words in phrases (e.g., using the third letter of each word in “Mary had a little lamb; its fleece was white as snow” produces “rdatmsesiso”) - and then they forget the rules.

* People sometimes use numerical increments to get around rules preventing password reuse (e.g., fisu3nema, fisu4nema, fisu5nema. . .) thus compromising their next password as soon as the current password is discovered.

* Users often use exactly the same password for everything (their private Web e-mail, their corporate professional e-mail, their DVD-club login, their talking-slug club - everything) with the result that any single password compromise is a potentially complete security compromise.

* Making passwords hard to guess forces many people to write them down.

* Physically recorded passwords get stored in the same places network security auditors have always found them: in desk drawers, under keyboards, under chair seats, in files labeled “C:\passwords.txt” and even in plain view on the back (or front!) of video screens.

* When people do pick hard-to-guess passwords and don’t write them down, they often call the help desk or security administrator to reset them because they forget them, causing a great deal of irritation and wasted time for everyone concerned.
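The numerical-increment habit above (fisu3nema, fisu4nema, fisu5nema...) is one that a password-change routine can actually catch. The following is an added example, not code from the column or from Nucleus Research: at change time the user has just typed the current password, so it is compared in plaintext against the candidate; older passwords exist only as hashes, so the candidate's digit neighbours are hashed and looked up instead. The hash function, `radius` and the sample history are assumptions chosen for the illustration.

```python
import hashlib
import re
from typing import Iterable, Set

_DIGIT_RUN = re.compile(r"\d+")


def _skeleton(password: str) -> str:
    # Collapse every run of digits to '#' and fold case,
    # so 'fisu3nema' and 'fisu4nema' both become 'fisu#nema'.
    return _DIGIT_RUN.sub("#", password).lower()


def is_increment_variant(old: str, new: str) -> bool:
    """True when `new` differs from `old` only in its digit runs or letter case."""
    return old != new and _skeleton(old) == _skeleton(new)


def digit_neighbours(password: str, radius: int = 3) -> Set[str]:
    """Passwords reachable from `password` by moving one digit run up or down
    by at most `radius`, keeping zero-padding width (Summer08 -> Summer07)."""
    out: Set[str] = set()
    for m in _DIGIT_RUN.finditer(password):
        value, width = int(m.group()), len(m.group())
        for delta in range(-radius, radius + 1):
            if delta == 0 or value + delta < 0:
                continue
            bumped = str(value + delta).zfill(width)
            out.add(password[: m.start()] + bumped + password[m.end():])
    return out


def history_hash(password: str) -> str:
    # Assumption for the example only: a real deployment would use the same
    # slow, salted password hash the credential store already uses.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def rejects_new_password(current_plaintext: str, candidate: str,
                         history_hashes: Iterable[str], radius: int = 3) -> bool:
    """Change-time check: reject exact reuse, an increment variant of the
    current password, or a digit neighbour of any hashed prior password."""
    if candidate == current_plaintext or is_increment_variant(current_plaintext, candidate):
        return True
    known = set(history_hashes)
    probes = digit_neighbours(candidate, radius) | {candidate}
    return any(history_hash(p) in known for p in probes)
```

The skeleton comparison is deliberately generous (any digit run, any case), because the goal is to refuse the predictable next password rather than to score strength.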

A study published last year by Nucleus Research reported findings on user behavior concerning passwords. To no one’s surprise, the researchers found that “More than a third of employees write down or electronically record their passwords, creating significant vulnerabilities. Even worse, lowering the quantity of passwords, changing password complexity, or changing password change frequency had no impact on employee actions.”

The firm also found that “There was also no correlation between complexity, frequency, and quantity and how often users called the help desk with password-related issues. Seventy percent of enterprise users call the IT help desk once a year for help with a forgotten or missing password; 16% call two to three times a year; 9% call three to five times a year; and 5% call more than five times a year for password help.”

The full report is usually available by subscription only, but the company has very kindly opened it temporarily for use by readers of this column. 

Based on a survey with 325 respondents, efforts at improving password management by ordinary users generally fail. Specifically, the same proportion of users (one out of three) keep a written record of their password regardless of the amount of:

* user education

* password complexity

* security-policy restrictiveness

In my next column, I’ll look at how these findings relate to what cognitive psychologists know about our capacity to understand risk.

Nucleus Research is an IT-related research organization that takes a unique investigative approach to its research and helps end-user organizations assess the value realized from technology acquisitions. To learn more, please visit its Web site, http://www.NucleusResearch.com. My thanks to the company for opening its proprietary research report to readers. (I have no financial relationship whatever with Nucleus Research.)


Copyright © 2007 IDG Communications, Inc.
