Tuesday, June 30, 2009

False Security

I don't know exactly why, but the only logical reason I can think of as a justification for having to change my password on my company computer every couple of months is so that, in the rare case that I leave the company, I can't access the computers after a couple of months.

They (the IT guys) tout this measure as added security, but I believe that my passwords are now less secure. Why? Well, because I was able to remember them, but after so many changes I can't think of anything else that I know I will be able to remember after a weekend. So what do I do? That's right, sticky note next to the computer. Anyone at my desk can now find my password by just looking, not by guessing like they had to before. This is far less secure.

However, there is an even more sinister security hole created by frequent password changes that require many types of characters: the passwords appear to be strong when in fact they are very predictable.

For example, a typical password choice might be: 12#$TY. Seems pretty secure, right? I doubt it is, and I bet it is on the short list for password crackers. Why? Because the password is just 1234ty, with Shift held down for the 34ty part. It is easy to type, easy to remember, and satisfies the three-types-of-characters requirement.
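The shift-held sequence described above is something a password policy can check for mechanically instead of relying on character-class counting alone. The Python below is an added example, not code from the original post: it assumes a US QWERTY layout and a "length 6, three of four character classes" rule (both assumptions), undoes the Shift key, and then measures how much of the result is a walk along one keyboard row. The post's 12#$TY passes the complexity rule yet is flagged as 100% keyboard walk once unshifted, while a constructed password with no such structure passes cleanly.

```python
"""Flag complexity-rule-satisfying passwords that are really a shift-masked
keyboard walk (e.g. 12#$TY, which is 1234ty with Shift held down)."""
import string

# Assumption: US QWERTY. Each string is one physical key row, left to right.
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")

# Symbols produced with Shift held, mapped back to the unshifted key (US layout).
SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))


def unshift(pw: str) -> str:
    """Undo the Shift key: symbols back to their base key, letters to lowercase."""
    return "".join(SHIFTED.get(c, c.lower()) for c in pw)


def meets_complexity(pw: str, min_len: int = 6, min_classes: int = 3) -> bool:
    """The kind of rule the post describes: a minimum length plus N of the
    four character classes (lower, upper, digit, symbol). Thresholds are
    assumptions, not taken from the post."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= min_classes


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are neighbouring keys on the same row (either direction)."""
    for row in QWERTY_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False


def keyboard_runs(s: str) -> list:
    """Maximal runs (length >= 2) of consecutive characters that are adjacent
    keys, e.g. '1234ty' -> ['1234', 'ty']."""
    runs, start = [], 0
    for i in range(1, len(s)):
        if not _adjacent(s[i - 1], s[i]):
            if i - start >= 2:
                runs.append(s[start:i])
            start = i
    if len(s) - start >= 2:
        runs.append(s[start:])
    return runs


def walk_coverage(pw: str) -> float:
    """Fraction of the unshifted password that lies inside keyboard-row runs."""
    s = unshift(pw)
    if not s:
        return 0.0
    return sum(len(r) for r in keyboard_runs(s)) / len(s)


def assess(pw: str, walk_threshold: float = 0.75) -> dict:
    """Report whether the password satisfies the class rule and whether it is
    mostly a shift-masked keyboard walk (threshold is an assumed cut-off)."""
    unshifted = unshift(pw)
    coverage = walk_coverage(pw)
    return {
        "passes_complexity": meets_complexity(pw),
        "unshifted": unshifted,
        "keyboard_runs": keyboard_runs(unshifted),
        "walk_coverage": coverage,
        "predictable": coverage >= walk_threshold,
    }


if __name__ == "__main__":
    # "12#$TY" is the post's example; "Mv7p!qLx" is a constructed comparison value.
    for candidate in ("12#$TY", "Mv7p!qLx"):
        print(candidate, assess(candidate))
```

The check deliberately runs on the unshifted form: a complexity rule that counts character classes sees three classes in 12#$TY, while the keyboard-walk view sees the same password as a single row sequence plus a two-key tail. A policy that rejects passwords whose walk coverage is high catches this whole family of "hold Shift halfway through a sequence" choices rather than one specific string, which is the generalisation of the post's example.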

So are our computers any safer now that we have to have complicated passwords that rotate every so often? I doubt it; determined hackers will easily be able to find patterns in the passwords or physical evidence of passwords. However, is it a pain in the butt to have to keep coming up with new passwords?



hockeyfrog said...

... your IT dept doesn't then change the password of a departed employee as they leave?

That doesn't seem all that secure either.

The Gare Bear said...

I say why make a hacker sweat. Just make your passwords something sequential as you are forced to change, that way you can remember which version you are on, and the hacker has an easy pattern to follow. You know any good hacker can get in eventually anyway, so what's the big deal. Now, if we had the death penalty for hacking, that may deter someone eventually. Really, what crime could be more insidious than stealing identities, and other very private information. But then, who said anything is private any more?

The Gare Bear said...

I'll bet someone, somewhere, knows something about me that I don't even know.

Callie said...

Let me see - I have to change my passwords every 30 to 45 days, depending on which system I'm using. Currently, I have 6 username and password combinations for work. Very few of them can I use the same username/password, as they all have different naming conventions and rules. Very fun to keep up with. And people wonder why I can't remember their names. Cripe - I'm too busy trying to remember all the combinations to get into my computer!

Anonymous said...

The password changing isn't in case you leave the company; IT can remove your login credentials for that and block you even if you have access to the server from your home.

The password protection is more for outside threats and to prevent anyone else getting on your machine and having a field day with your user access.

It's a major pain, I agree, but I would just rotate three or four similar passwords. I just read something on that a few months ago, making passwords easier, but I don't know where it was.

I used to work in IT, and when someone is let go, it's immediately emailed to the system coordinator and the user name is removed from the access list.

Nej said...

I've gone as far as using things on my desk for inspiration.



:-) :-)