The Password is Always “Swordfish”

Posted: 2016-01-06 in soapbox

A couple of years ago, my workplace implemented a new password policy, requiring users to change their passwords every 3 months, not allowing the use of previously used passwords, imposing minimum password lengths, etc. Pretty standard stuff, really, and completely ineffective at actually securing data from unauthorized users.

If you stop to think about it, most data thieves acquire a password, log into a system, and raid the hard drives of all their worth. Very rarely would they come back to hit the same target again. By the time the 3 month window rolls around and the user changes the password, that thief and the stolen data are long gone. You’ve changed the locks on the stable door after the horses are stolen, and although you may have now prevented your next barn-full of horses from getting taken the same way, your original horses are still out there in someone else’s pasture.

Ok, that analogy starts to fall apart when you start comparing the various merits of horses and proprietary data, but you get my drift. A silly policy, and one that gets even more frustrating now that my workplace has also set up machines so that the screen-saver comes on after 5 minutes of inactivity and requires you to log back in to unlock the system. Not only does this make Netflix watching very difficult (hey, not during work hours!), but those first few days after you change your password, you’re sure to type the wrong (old) one at least seventeen different times before your muscle memory finally gives out and your fingers start to learn the new password.

(Cartoon caption: “This site wants a two-factor authentication. A retina scan and a urine sample.”)

A better solution than “changing the locks” every 3 months involves making the login process more difficult to copy by an unauthorized user. Nowadays, experts have pretty much settled on Two-Factor Authentication as the generally accepted best practice for login protection (analogous to having to swipe a key-card and pass a retinal scan to open the lock on the aforementioned stable door). By combining something you have (e.g. key fob, smartphone, etc.) with something you know (e.g. a password), you can prevent others from impersonating you in the event one of the two factors is compromised. If you then make the password strong enough, there’s absolutely no need to regularly change the password, and you can keep the same one indefinitely unless you suspect it may be lost/stolen.

So why won’t my workplace adopt Two-Factor Authentication instead of this silly change-every-3-months policy? Like most initiatives, it comes down to cost and convenience. Two-Factor Authentication requires hardware in the form of tokens or key fobs, along with a server to authenticate against. For those engineers at the company that travel internationally and don’t always have guaranteed internet access, you run the risk of “locking out” these users until they can get back on the net. And of course, if they lose or break their key fob, you can kiss your computer goodbye until the office can drop-ship a replacement to you in the Middle of Nowhere, India, or Unapproachable Except By Pack Mule, Algeria.

All these adoption issues can be solved, of course (and likely have been already). But when your IT folks have to answer to a budget and corporate environment more concerned with meeting the letter of the law than the intent, you end up doing the bare minimum, infuriating all employees in the process. It looks like for the time being, I’m going to be stuck coming up with new passwords every three months for the foreseeable future. Hmm, I wonder if they’ll allow “monkey” or “12345678” for my next super-secure password?

Comments
  1. snoringKatZ says:

    Password policies are amazingly dopey. We were on the 60-day cycle until someone somewhere realized how ineffective that was and now I think we’re on a 6-month cycle. Because that’s better!


  2. tom says:

    My company had the same exasperating policy, and I was always at a loss to find something new and not used in the past eighteen months (apparently, hackers only keep records for a year and a half). I found the easiest thing to do was use famous football players plus their jersey number. Elway#7 was perfectly fine, then Bradshaw#12, etc. That kept it simple enough for me, and I could easily remember a football player for a few months. Nice post!


    • rossruns says:

      That’s a nice idea, I might have to look into something like that to keep from going insane every time I change my password. I did hear a story of one company’s policy that only prevented the use of the last 10 passwords, so one enterprising individual took it upon himself to change his password 10 times in a row in an afternoon, and then changed it back to the original one on the 11th effort. That way he never had to remember a new password, and was good to go for another 3 months. That’s some ingenuity for you right there.


  3. There’s absolutely no need for password security at my job, but they like to pretend that there is. I cannot repeat the same password in six months or so, so I just use a word and 111, then 222 and so on for the main one. Others have not asked me to change them – yet.

    My biggest problem is that we have three different systems, with three different user names, and three different passwords. When I recently returned from 2 weeks off work I had to ask someone, “Am I supposed to log into this with my name or my badge number?” It’s silly.
