ch@tter (aka story time)
Why you shouldn't change your password
I was looking around some self-proclaimed non-profit technology websites and I saw something that both caught my attention and concerned me. There were a lot of articles saying to enforce policies of frequently changing passwords. I was almost shocked by this. Most who have maintained sensitive information for a prolonged period of time have realized that the only thing this accomplishes is getting people to write down their passwords, which is the biggest risk to sensitive information. Anyone who remembers the movie WarGames knows the perils of writing down passwords. This is an old idea from a time when most people who worked with computers weren't used to them at all. That time is mostly gone now: most people have not just one but multiple online accounts for a myriad of things, from banking to email to Facebook. It's also from a time when computer usage, and even computers themselves, were different.
When you're changing your password is when you're the most vulnerable. Most people simply include a number that increments with each password change. Others follow a theme, and once the theme is known, guessing alternatives usually becomes much easier. Many share accounts to things, which means that when they change their password, they have to tell others. They do this by anything from emails to IMs to writing it down on a post-it note and handing it off, all of which are risky procedures. Sometimes IT people will even tell them what the password should be. This usually means the password was generated by a random password generator, making it that much harder to remember. But you want passwords to be easy to remember, just not easy to guess. Using something that fits into the environment usually works best. I know of a doctor's office that uses fake social security numbers as passwords. People can learn a social security number, and having one written down in a doctor's office somewhere isn't that unusual and would mostly go unnoticed. It's not necessarily the best option, but I give them credit for being creative about it. Another one that impressed me was an office that used phone numbers. Fake phone numbers, of course, but phone numbers are something that people can learn because they routinely do. Best of all, you can put an entry in your cell phone or rolodex under a fake name with the phone number as the password. Then you just have to remember the name to look up. Neither office changes their passwords often because there's really no need to. Even if the information source fell into enemy hands, there's no clear indication that the information is there. And even if the person does know that the information is there somewhere, once it goes missing, you know it needs to be changed. When a compromise is believed or known, that is the time to change passwords.
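The incrementing-number and same-theme changes described above are exactly what a password-change handler can recognise and refuse. The following is an added example, not code from the original post: it compares the old and new password at change time and rejects a "new" password that only bumps a trailing number, changes case, or sits within a few character edits of the old one. The function names, the edit-distance threshold and the sample pairs are constructed for illustration.

```python
"""
Added example (not from the original post): a password-change check that
flags the predictable changes the post describes (bumping a trailing
number, or making a small edit to the previous password) so a change
handler can reject a 'new' password that is really the old one in disguise.
Function names and the min_distance threshold are assumptions for illustration.
"""
import re
from dataclasses import dataclass

TRAILING_DIGITS = re.compile(r"\d+$")


def strip_trailing_digits(pw: str) -> str:
    """Return the password with any trailing run of digits removed."""
    return TRAILING_DIGITS.sub("", pw)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (iterative, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


@dataclass
class ChangeVerdict:
    accepted: bool
    reason: str


def check_password_change(old: str, new: str, min_distance: int = 4) -> ChangeVerdict:
    """
    Decide whether 'new' is a genuine change from 'old'.

    Rejected patterns (all from the post's description of what users do):
      * identical password
      * case-only change              (Winter07 -> winter07)
      * same stem, trailing number bumped (Winter07 -> Winter08)
      * anything within min_distance character edits of the old password
    min_distance is an assumed value; tune it to your environment.
    """
    if new == old:
        return ChangeVerdict(False, "unchanged")
    if new.lower() == old.lower():
        return ChangeVerdict(False, "case-only change")
    old_stem, new_stem = strip_trailing_digits(old), strip_trailing_digits(new)
    if old_stem and old_stem.lower() == new_stem.lower():
        return ChangeVerdict(False, "only the trailing number changed")
    if edit_distance(old.lower(), new.lower()) < min_distance:
        return ChangeVerdict(False, "too similar to previous password")
    return ChangeVerdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Winter07", "Winter08"), ("Winter07", "winter07"),
                     ("Winter07", "W1nter07"), ("Winter07", "correct horse battery")]:
        v = check_password_change(old, new)
        print(f"{old!r} -> {new!r}: {'accept' if v.accepted else 'reject'} ({v.reason})")
```

The check runs at the one moment both the old and new passwords are available in the clear, the change request itself, so it needs no stored history of plaintexts. A stem-only comparison would miss substitutions like `W1nter07`, which is why the edit-distance test is kept as a second filter.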
Today, the threats come in the form of keyloggers and packet sniffing on networks, and even reading your keyboard remotely, either through keyloggers in your keyboard's firmware (yes, even your keyboard has a processor, and some can be reprogrammed these days) or by reading the frequency interference generated by pressing a key on the keyboard. With these sorts of attacks, changing passwords daily wouldn't matter because they could just capture it again. All you're doing is making it easier for them to find it, because they know the chance of it being written down or stored somewhere increases with each change.
Rather than forcing frequent password changes, it's best to accept 2 things. 1) Your security efforts are only as strong as your weakest link. 2) Someone can get in. So rather than forcing people into the discomfort of having to keep track of a revolving door of passwords, adopt a policy of acceptance and usability. Encourage them to come forward if they think their password may have been compromised. Make sure that getting people appropriate access to things is easy, so that they don't have to share accounts intentionally, or share accounts because it's too much of a problem to get access to something they need. Monitor their usage. If someone who never accesses the network from outside of the office suddenly starts routinely doing so, be proactive and check with them ASAP to make sure it's them. All of the work done on one side of the equation doesn't lessen the need for the work on the other side. So why waste so many resources on the weaker side of the equation?
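The "monitor their usage" advice above can be turned into a concrete rule: flag the first successful login from outside the office by a user whose history up to that point is entirely in-office, so someone can check with them. The following is an added example, not code from the original post. The log format, the office address ranges, the usernames and the log lines are all constructed for illustration; a real deployment would read its own VPN or authentication logs.

```python
"""
Added example (not from the original post): a small monitor that reads login
records and flags a user whose access pattern changes, here the first login
from outside the office network after a history of only in-office logins.
Log format, network ranges and usernames are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed office address ranges; replace with your own.
OFFICE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log: timestamp, user, source address, result.
SAMPLE_LOG = """\
2009-08-03T08:02:11 alice 10.1.4.22 success
2009-08-03T08:05:47 bob 10.1.4.31 success
2009-08-04T07:58:03 alice 10.1.4.22 success
2009-08-04T08:10:19 bob 10.1.4.31 success
2009-08-05T08:01:40 alice 10.1.4.22 success
2009-08-05T22:41:05 bob 203.0.113.45 success
2009-08-06T08:00:12 alice 10.1.4.22 success
2009-08-06T23:12:58 bob 203.0.113.45 success
2009-08-07T01:30:00 carol 198.51.100.7 success
"""


def is_office(ip: str) -> bool:
    """True if the source address falls inside one of the office ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETS)


def parse(log_text: str):
    """Yield (timestamp, user, ip, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result


def find_new_remote_users(log_text: str, min_office_logins: int = 2) -> dict:
    """
    Return {user: first_external_timestamp} for users who had at least
    min_office_logins successful in-office logins before their first
    successful login from outside the office. A user with no office
    history at all (carol in the sample) is not flagged by this rule and
    needs a different baseline.
    """
    office_count = defaultdict(int)
    flagged = {}
    for ts, user, ip, result in sorted(parse(log_text)):
        if result != "success":
            continue
        if is_office(ip):
            office_count[user] += 1
        elif user not in flagged and office_count[user] >= min_office_logins:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for user, when in find_new_remote_users(SAMPLE_LOG).items():
        print(f"check with {user}: first out-of-office login at {when.isoformat()}")
```

Only the first out-of-office login per user is reported, so a person who really has started working remotely produces one alert, not one per day; after the check-in the user's baseline can be updated rather than the rule silenced.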
What most organizations don't tend to realize is that even a small one needs a good IT staff. The lack of resources to have one doesn't preclude the need. You're hedging on the likelihood of there being a problem. It's like the various types of homeowners insurance. If you live in a place that has never had an earthquake, you likely won't have earthquake insurance. That doesn't mean you won't wish that you did if an earthquake happened to hit. This is also why it's important to listen to your IT people and ensure that their concerns are taken seriously rather than undermined. This is why a good relationship between whatever IT support system you do have and the users is important. If you look at each other as just someone to blame if there's a problem, then rather than a solution to the problem, all you'll wind up with is someone to blame. And having someone to blame while your information is bleeding out of your organization isn't as great a consolation as it may initially seem.
Ultimately and unfortunately, what makes your company safer is making someone else the easier target. If you develop a pattern and someone discerns that pattern, then you've lost the battle.
--Ryan Yetter
Posted by Ryan Yetter on August 07, 2009 at 07:49 pm EST
Copyright © Antharia. All rights reserved.
No part of this blog may be reproduced without prior written permission.
