Thursday, August 5, 2010

Why Passwords Don't Work

... or at least, why I can't imagine how they could work.  I'm talking about passwords in the workplace, as used by the typical American technoprole.  You have half a dozen different things to log into, minimum.  They all require different password formats, and they make you change your password on different cycles.  So don't even think about happening upon some memorable abstraction that you can reliably recall - it'll change soon enough, and it won't be applicable to more than one app over the long term.  You'll have to make up passwords on a pattern.  And don't even think about using similar passwords to meet different needs - does the payroll software require numbers (so I should use password123)?  Or does it require "special" (shift-number) characters (so I should use password!@#)?  By the time you figure it out you'll be locked out of the app, on the phone with tech support in a different city, watching your company's productivity bleed out.

It goes without saying that it is harder for an individual to remember password!@#1 than it is to remember Jenny57EvergreenPlaceSpringfieldIL.  But let's imagine the latter doesn't refer to the user's current home address, but rather, their ex-girlfriend's address from 1997.

Hard for the hacker to guess, right?  Yes, much harder than password!@#1, yet password!@#1 would be allowed anywhere, while a name-and-address would be rejected for its lack of shift-number characters.  Putting an ampersand in there would make it harder to remember - best to just write the password down somewhere.

That's right, we have a system which makes your password invisible when you enter it, to protect it from a coworker watching over your shoulder.  Writing it down, which the system encourages even though it may be banned, allows your password to be stolen by a coworker looking over your shoulder at any time, or visiting your desk when you're not there.

Computer security - starting with case-sensitive passwords - is ultimately self-defeating.  The key would have been to make up a single all-app regimen for passwords: case-insensitive, with at least two numbers and a non-word alpha string of at least three characters.  Require everyone to change all passwords once a month on their hire date.  Allow no software to depart from this protocol, and punish an employee for writing down their password.
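As an added illustration (not code from the post), the Python below checks the post's own sample passwords against a typical shift-number rule and against the single regimen proposed above, and adds a naive length-times-charset strength estimate to show why the rejected name-and-address password is the stronger guess target.  The small word list standing in for a dictionary check is constructed for the example.

```python
import math
import re

# Constructed stand-in for a dictionary: the "non-word" rule in the post's
# regimen needs some list of words to reject.
COMMON_WORDS = {"password", "jenny", "evergreen", "place", "springfield"}

# Sample passwords taken from the post itself.
SAMPLES = ["password123", "password!@#", "password!@#1",
           "Jenny57EvergreenPlaceSpringfieldIL"]


def meets_shift_number_policy(pw: str) -> bool:
    """The typical 'special character' rule the post complains about:
    at least one shift-number symbol must appear."""
    return any(c in "!@#$%^&*()" for c in pw)


def meets_proposed_regimen(pw: str) -> bool:
    """The post's single all-app regimen: case-insensitive, at least two
    digits, and at least one run of three or more letters that is not a
    dictionary word (approximated with COMMON_WORDS)."""
    lowered = pw.lower()                      # case-insensitive by design
    if sum(c.isdigit() for c in lowered) < 2:
        return False
    letter_runs = re.findall(r"[a-z]{3,}", lowered)
    return any(run not in COMMON_WORDS for run in letter_runs)


def naive_keyspace_bits(pw: str) -> float:
    """log2 of the brute-force space implied by length and the character
    classes present.  This overstates strength for passwords built from
    dictionary words or names, but shows how length dominates symbols."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33                            # printable ASCII punctuation
    return len(pw) * math.log2(size)


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:36} shift-number={meets_shift_number_policy(pw)!s:5} "
              f"regimen={meets_proposed_regimen(pw)!s:5} "
              f"bits={naive_keyspace_bits(pw):.1f}")
```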


Genius said...

I gave up some time ago and outsourced my password memory to a program called 1Password. I still need a password to sign into the computer and another for the program itself, but it integrates well enough with my browsers, so I'm able to let it pick these intensely awesome 50-letter/digit/symbol long passwords that will never be cracked.

B Lode said...

Hmm, I've never heard of such a program. I'll look it up, but I doubt they'll allow it at my workplace. Those conservative rascals.