Monday, June 23, 2008

Password (mis)management

Companies are using password policy managers (software, not people!) extensively to safeguard users from password leaks.

However, I believe that this software is not serving the purpose at all!
Just take a look at the rules that need to be applied to make a password 'uncrackable'! (The following password policy is actually in place in a lot of companies!)

Password requirements
1. Minimum password length: 8 characters (compulsory)
2. Maximum length: no limit defined
3. Passwords should contain all four of the following types of characters:
   a. English lowercase (a to z)
   b. English uppercase (A to Z)
   c. Numbers (0 to 9)
   d. Special characters such as ! @ # $ % ^ & * ( ) { } [ ]
   e.g. !deas1sT (ideas first) – ya, that is a password! I hope u can remember something like that!
4. Passwords are case sensitive; the user name or login ID is not case sensitive.
5. Three unique passwords are required before an old password may be reused.

And to top it all, users are prompted to change the password every month (sometimes even every week!).

Now, with these "simple" rules in place, it becomes a pain in the ass to devise a password (try to make one based on the rules and you will spend more than 10 minutes figuring out the errors it keeps throwing!).

So the easiest option available to users is retaining the default password! And just imagine when every user in the company does that! You have a scenario of 'one password for all', defeating the whole purpose of a "safe and secure" password.

Yes, now you would think that the users would definitely make an effort when the system prompts them to change the password. The answer is NO. Never! They get away with adding a suffix or a prefix to the default password (no prizes for guessing the suffix or prefix here!).

However, this doesn't mean that there are no intelligent users, but I am sure these users are a minuscule population. The larger question is the sustainability of such password policies in corporate circles. I simply don't understand the need for such policies when, on the other hand, we have the Googles, Microsofts and Yahoos of the world managing it pretty well with simple password rules.
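To make the complaint concrete, here is an added example (not code from the original post) that implements the quoted policy as a validator and then adds the one check the policy lacks: rejecting a "new" password that is just a recent password with a short prefix or suffix bolted on. The policy rules come from the post; the default password 'Welc0me!' and the two-character affix limit are constructed assumptions.

```python
import string

# Special characters listed in the quoted policy (rule 3d).
SPECIALS = set("!@#$%^&*(){}[]")


def meets_policy(password: str) -> bool:
    """Rules 1 and 3: at least 8 characters and all four character classes."""
    if len(password) < 8:
        return False
    return (
        any(c in string.ascii_lowercase for c in password)
        and any(c in string.ascii_uppercase for c in password)
        and any(c in string.digits for c in password)
        and any(c in SPECIALS for c in password)
    )


def is_trivial_variant(candidate: str, previous: str, max_affix: int = 2) -> bool:
    """True when one password is the other with up to max_affix characters
    prepended and/or appended, e.g. 'Welc0me!' -> 'Welc0me!1' or '1Welc0me!'.
    The check is symmetric so removing an affix is caught as well."""
    for longer, shorter in ((candidate, previous), (previous, candidate)):
        for lead in range(max_affix + 1):
            for trail in range(max_affix + 1):
                if lead + trail == 0:
                    continue  # identical strings are handled as plain reuse
                core = longer[lead:len(longer) - trail]
                if core and core == shorter:
                    return True
    return False


def check_change(candidate: str, history: list[str]) -> tuple[bool, str]:
    """Evaluate a password change against the policy plus the affix check.
    `history` is the user's previous passwords, oldest first; rule 5 only
    looks at the last three."""
    if not meets_policy(candidate):
        return False, "does not meet the complexity policy"
    recent = history[-3:]
    if candidate in recent:
        return False, "reused within the last three passwords"
    for old in recent:
        if is_trivial_variant(candidate, old):
            return False, "prefix/suffix variant of a recent password"
    return True, "accepted"
```

The quoted policy alone accepts 'Welc0me!1' after 'Welc0me!'; the affix check is what turns that into a rejection.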
