Tuesday, 13 April 2010

Must Read for So-called Security Consultants

Does your company make you change your password on a regular basis? Do they track your passwords to ensure you don't reuse any you've used before? Are you so tired of changing passwords that your password is actually quite basic and you just increment it by 1 every time you are forced to change it? (e.g. from Catelli, to Catelli1, to Catelli2, etc.)

You're not alone.

I was tasked with formulating a new password policy for our organisation. My final policy recommended password changes once per year. The only reason I wanted any expiry at all was to catch accounts that were no longer in use: with an expiry in place, I could run a quick report of all accounts whose passwords had expired and never been reset, and those accounts could then be disabled.
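The stale-account report described above, as an added example (not the post's or the organisation's own code): accounts are loaded from a constructed list rather than a directory, the 365-day expiry is the post's proposed policy, and the 30-day grace period is an assumption so that a user who simply hasn't logged on yet is not disabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

EXPIRY = timedelta(days=365)  # the post's proposed policy: one change per year
GRACE = timedelta(days=30)    # assumed: slack after expiry before an account counts as abandoned


@dataclass
class Account:
    name: str
    password_last_set: datetime
    last_logon: Optional[datetime]  # None means the account has never logged on
    disabled: bool = False


def stale_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """Names of enabled accounts whose password expired more than GRACE ago and
    that have not logged on since it expired. A live user would have been forced
    to reset on their next logon, so 'expired and never reset' means nobody is
    using the account and it is a candidate for disabling."""
    stale = []
    for acct in accounts:
        if acct.disabled:
            continue
        expired_at = acct.password_last_set + EXPIRY
        if now - expired_at < GRACE:
            continue  # expired too recently to conclude anything
        if acct.last_logon is not None and acct.last_logon >= expired_at:
            continue  # still in use after expiry (e.g. a non-interactive logon); review by hand
        stale.append(acct.name)
    return stale


def disable_stale(accounts: List[Account], now: datetime) -> int:
    """Flip the disabled bit on every stale account; returns how many were disabled."""
    names = set(stale_accounts(accounts, now))
    for acct in accounts:
        if acct.name in names:
            acct.disabled = True
    return len(names)


# Constructed sample export; dates chosen around the post's own date.
SAMPLE = [
    Account("alice", datetime(2009, 6, 1), datetime(2010, 4, 10)),   # password still current
    Account("bob", datetime(2008, 1, 15), datetime(2008, 12, 20)),   # expired long ago, no logon since
    Account("carol", datetime(2009, 3, 20), datetime(2010, 4, 1)),   # expired, but inside the grace window
    Account("dave", datetime(2007, 5, 1), None),                     # expired, never logged on at all
    Account("erin", datetime(2006, 1, 1), None, disabled=True),      # already disabled; ignored
]
NOW = datetime(2010, 4, 13)
```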

Through my research I had come to the conclusion that there is near zero security benefit to frequently changing your password. It is much better to encourage a user to choose a strong password once and let them remember it. If changing a password, a virtual key, is essential for security, how come businesses never change the locks on their doors? Or homeowners the locks on their homes? Security access is security access, whether physical or digital. If passwords must be changed every 3 months, then the locks on the doors allowing access to the building should be changed every 3 months.

My proposal was sent to an external "security consultant" firm for review, against my objections. I knew what would happen.

"It is our view that all users should change their passwords every 3 months."

No reason given. Just a standard boilerplate response. You'd swear it was the output of a computer program.

So I lost that battle.

Today, I was vindicated!

Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time.

Hah! Of course management is not often swayed by facts, but the facts are on my side. That's something at least.
