Changing the Password Paradigm

Every ninety days, the CSO at my company forces everyone to change their passwords for email access. If we don’t make the change, we don’t get email. Like any good CSO, he requires strong passwords, so users must come up with a phrase of at least 8 characters containing at least one number. I pop that new password into my email program and BlackBerry and then forget it for another 90 days. The problem is that in 90 days I need to remember what it was before I can change it again. Like many employees, I take the easy way out and write it down.

The requirement of strong passwords and the requirement to change those strong passwords are now common features of IT security. They address two potential vulnerabilities in an IT security system. Strong passwords make it harder to break into the system by guessing, either manually or with an automated program. Changing the password prevents an unauthorized user who has compromised the current password from continuing to use it. Unfortunately, these security measures create an even more glaring vulnerability: the password written on the back of the mouse pad, scrawled in a desk drawer or in the back of a Filofax. When this happens, your company’s security is only as strong as the hiring process for your office cleaners. Chances are they did not go through a full background check.

Because I work at a company that does a measure of IT security consulting, I take a reasonable number of steps to prevent my password from being discovered. It is not actually written down but stored in my computer’s address book. My computer is password protected with a very strong password (all the bells and whistles: over ten characters, odd capitalization, numbers and symbols) and the home folder on my computer is encrypted. Since I control my computer’s admin functions, I never change that password and have it memorized. Chances are my email password is safe. One of my colleagues goes a step further and only writes down his passwords on his encrypted, password-protected computer, in a code he has developed himself. Few people care this much about security, and most probably do scrawl their passwords on the back of the mouse pad.

Fixing this problem requires a new paradigm for security, one that takes a holistic or (to use a less soft term) a synoptic view of security. The first step is realizing that hackers manipulating 1s and 0s are not the only way critical data can be compromised. Physical security still matters, and there are tradeoffs to be made between the two. If the last thing you want is a custodian able to find a password and gain access to critical data by flipping over the mouse pad, don’t set the bar for memorizing it so high. “Cathy123” is exponentially stronger than “zyG0te 17!#flame” if the latter can be found by rummaging around a cubicle. If someone has compromised a password, changing it within the next ninety days is a fairly crude form of security. There are other measures on the market that deal with this threat much more intelligently. If the cost or difficulty of employing them is too high, the balance suggests that keeping passwords securely stored in human memory will reduce the risk of unauthorized access more than frequently changing them.

3 comments to “Changing the Password Paradigm”

  1. My company does this as well and it’s really annoying.

    I believe employees at the World Bank have devices they carry that produce a new number every time they need to log in. I’m not sure how this works, but at least if your security is compromised in that circumstance, it would be a physical loss, making it easy to safeguard the system without any recurring annoyance to employees.

  2. RSA and a few other companies produce “tokens” with a number that changes every 90 seconds or so and is synchronized with a secure server on the system. Most require a “two-factor” system so a password is still required. That way, you need both what is stored in your head and the number on the token. It is definitely one technique which eliminates the need for a password change. If you are interested in the technology, or paranoid about investment security, Etrade Financial is offering them to customers.
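The time-synchronized token described in the comment above works because the token and the server share a secret and both derive the current code from that secret and the clock, so a password copied off a mouse pad is useless without the device. The following is an added illustration, not code from the post, the commenters or RSA: RSA SecurID's algorithm is proprietary, so this uses the public TOTP standard (RFC 6238, built on RFC 4226 HOTP) with a 30-second step instead of the comment's "90 seconds or so". The shared secret is the RFC test-vector key, the salt and passwords are constructed demo values, and `login()` is a hypothetical two-factor check combining the password with the token code.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into both the token and the server at enrolment.
# This is the RFC 4226 / RFC 6238 test-vector secret, used here so the codes
# can be checked against the published vectors; a real deployment uses a
# random per-token secret.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code (assumption; the comment quotes ~90 s)
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP (the token's side): the counter is the number of
    whole time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Server side: accept the code for the current step or for +/- `window`
    neighbouring steps, so a slightly drifted token clock still works.
    Comparison is constant-time to avoid leaking partial matches."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, len(candidate)), candidate)
        for delta in range(-window, window + 1)
    )

# Constructed demo salt; real systems store a random salt per user.
DEMO_SALT = b"constructed-demo-salt"

def hash_password(password: str) -> bytes:
    """Slow salted hash for the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)

def login(password: str, token_code: str, unix_time: int,
          stored_hash: bytes, secret: bytes = DEMO_SECRET) -> bool:
    """Hypothetical two-factor login: both the memorized password AND the
    code from the physical token must be right. Both checks always run so
    a failure does not reveal which factor was wrong."""
    password_ok = hmac.compare_digest(hash_password(password), stored_hash)
    token_ok = verify_totp(secret, token_code, unix_time)
    return password_ok and token_ok

if __name__ == "__main__":
    stored = hash_password("correct horse")          # set at enrolment
    now = 59                                         # RFC 6238 vector time
    code = totp(DEMO_SECRET, now)                    # what the token displays
    print("token shows", code)                       # 287082
    print("password + token:", login("correct horse", code, now, stored))
    print("password + stale code:", login("correct horse", code, now + 300, stored))
    print("stolen password, no token:", login("correct horse", "000000", now, stored))
```

The stale-code case is the point the commenter makes: a code written down or shoulder-surfed expires after a couple of time steps on its own, with no quarterly password rotation needed. The `window` parameter is the server's tolerance for clock drift; widening it beyond one or two steps extends how long a captured code stays valid, so it should stay small.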

  3. This one makes sense: “One’s first step in wisdom is to question everything - and one’s last is to come to terms with everything.”

© 2008 American Madness is powered by WordPress and Market Anomaly