Most companies have some form of policy on passwords. The rules go back more than a decade and are repeated as “best practices” with little or no variation to account for different circumstances, different cultures or emerging technologies:
* Don’t write it down
* Make it long, complex and not a word
* Don’t save it in browsers
The vast majority of security systems are still dependent on this weakest of solutions — the username/password pair. In a world with road warriors, ubiquitous network access, keyloggers and trojans, does this approach even make sense? Can we still depend on username/password and if so do the rules above still apply? I would answer “no” to both questions.
Let’s face it: password based security was obsolete the moment the first keylogger was built. Between hardware keyloggers, software keyloggers, trojans and shoulder surfing, the whole idea of keeping a “secret word” is ridiculous. Companies would be well advised to scrap username/password security in favor of multi-factor authentication as prices drop and the technologies become easier to use. In the meantime, we have to re-visit the “rules” and figure out if they make sense.
Don’t write it down. At our company, writing passwords down is not prohibited. All the employees at Nemertes Research work from a home office. They are allowed to keep passwords written down in a locked drawer as long as those passwords never leave their premises. By writing passwords down our users can have bigger/longer passwords without forgetting them and are less likely to pick their dog’s name as the password. By putting them in a locked drawer, we’re using “felony breaking and entering” as the deterrent and physical security as the control.
Make it long and complex. If your machine has a keylogger on it, what is more likely to draw attention? Accessing a bank Web site followed by “m7ruxM0Ipw7B” or one followed by “Joe, I’m running late for the meeting, start without me! Andreas”. Keyloggers are the biggest risk for endpoint security. A random password is not only noticeable by someone browsing through a key log, it can even be detected automatically (using statistics or a dictionary to filter out all natural language). Maybe it’s time to use innocuous phrases?
Don’t save it in browsers. This rule is probably one of the most harmful. If the biggest threat is a keylogger, then the worst thing you can do is to keep typing your passwords. If you can instead save them in the browser or store them in a password vault (one that has a secure clipboard function), you will avoid typing them. I use a very long master password for my browser’s keystore and then save all my passwords.
Bottom line: The “absolute” security of the password matters less than the “applied” security of the password once you consider all the threats and use patterns. Sometimes you have to come up with new rules to address new threats and changing work patterns, even if that means getting flamed for challenging the “rules”.