August 08, 2005

THE PERILS OF PERSNICKETY PASSWORDS I just reserved a campsite for Labor Day at Reserve America, which has taken password requirements to new heights: eight characters, instead of the standard six, with a requirement that two of those characters be numbers. This for a website that allows you to reserve campsites in state parks.

Before I was a journalist, I used to design and build networks for financial firms, and I was a conscientious objector in the password arms race. Many companies require long passwords, number/letter combinations, frequent password changes, unique passwords (you can't ever re-use old passwords), and so forth because these are harder to crack. The problem is, they're also harder to remember. Users who can't reemember their passwords have to write them down. It is, to my mind, substantially less safe to have a user's password written on their computer, or taped in their desk (two favourite tricks I spent a great deal of time discouraging), than to have it be a five-letter word. Good security should worry at least as much about internal users gaining unauthorised access (to view confidential data or cover up illicit activity by confusing the audit trail with another user's account) as they should be about hackers who, frankly, generally aren't all that interested in breaking into the assistant payroll clerk's computer. What they want is administrator access, and if your tech employees can't be trusted to devise secure passwords without the computer forcing them on everyone else in the company, well, then, you should fire your network staff and hire someone competent.

The technology world is full of these sorts of things: ideas which, in theory, make everything wonderfully secure, but which make things much less secure when implemented with plain old human beings, instead of the flawless automata that so many security theorists seem to imagine. If you're interested in how to actually make security good, check out Bruce Schneier's site.

Update A professional takes the opposite view.