Friday, May 7, 2010

Don’t Use Strong Passwords

Actually, you should, but not always. This rebellious message is aimed at end users but also at any administrator who is in charge of setting the password requirements for a system. Don’t get me wrong, I am a big fan of security and a defender of privacy. Strong passwords are a good thing – they make it more difficult for someone to guess your password and thus breach your account. Strong passwords typically require a combination of different character types (letters, digits and special characters), a minimum length, a mix of uppercase and lowercase letters, and regular changing.

This is a great idea. That is, until you have to do it for 20-30 different systems. You all have passwords for your work environment – ideally just one, since your organization uses single sign-on, right? Yeah, right… And we all have numerous passwords for online services such as banks, brokerages, retirement plans, frequent flyer programs, social networking sites, utilities, retail stores, etc. I like the security that strong passwords provide, but how am I supposed to remember them all?

Users deal with this in different ways, such as using the same password for every site or keeping a list of passwords. This, however, introduces a much greater security vulnerability than the off-chance that someone will guess your less strong password. You may use specialized encryption software for managing your passwords, but that represents a potential single point of major vulnerability, and it requires some discipline to keep the password list up to date.

The problem is that many sites and systems require a strong password because of a policy set by an overzealous administrator. Sure, I want to protect my bank account really well, since all my savings could vanish with a single mouse-click (or finger-touch), but the same is not true for my utility bills. There is nothing I can do on the utility’s site except view and pay my bills, and any intruder is welcome to pay them for me. Thus, I don’t need that strong of a password there. Similarly, many shopping sites don’t need a strong password as long as I don’t save my credit card information on the site.

The utility bill could be a privacy issue for some – maybe if I were a politician or a celebrity and I didn’t want the world to see what an energy hog I am. Well, in that case I still have the choice to use a strong password. The bottom line is that administrators should think twice before imposing strong passwords on all their users. They should give them the choice. Password strength needs to be adequate to the value of the information it protects and the risk any breach would represent. Weaker – easy to remember – passwords are perfectly appropriate for many applications, especially if they stop users from keeping password lists. The result can be a more secure environment.
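One way to put the “adequate to the value” principle above into practice is a tiered policy: the composition and length rules scale with what the account protects, so a bill-viewing portal and an online bank are not held to the same requirement. The following Python is an added example written for this post, not code from the author; the tier names, the thresholds in each policy, and the sample passwords are all constructed assumptions, chosen only to illustrate the idea.

```python
"""Risk-tiered password policy (illustrative example, not the post's own code).

A password is checked against the policy of the tier the account belongs to,
and the same checker can report the strictest tier a given password would
satisfy, which shows why one password reused everywhere is a bad fit.
"""
import string
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Tier(Enum):
    # Hypothetical tiers; the mapping of a site to a tier is a policy decision.
    LOW = "low"        # e.g. a utility portal that only shows and pays bills
    MEDIUM = "medium"  # e.g. a shop that stores no payment details
    HIGH = "high"      # e.g. online banking


@dataclass(frozen=True)
class Policy:
    min_length: int            # minimum number of characters
    min_classes: int           # how many of: lower, upper, digit, special
    max_age_days: Optional[int]  # None means no forced rotation


# Constructed thresholds; an administrator would pick their own values.
POLICIES = {
    Tier.LOW: Policy(min_length=8, min_classes=1, max_age_days=None),
    Tier.MEDIUM: Policy(min_length=10, min_classes=2, max_age_days=None),
    Tier.HIGH: Policy(min_length=12, min_classes=3, max_age_days=180),
}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    present = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def check_password(password: str, tier: Tier) -> List[str]:
    """Return the list of policy violations for the tier (empty = acceptable)."""
    policy = POLICIES[tier]
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    return problems


def highest_tier(password: str) -> Optional[Tier]:
    """Strictest tier this password satisfies, or None if it fails even LOW."""
    for tier in (Tier.HIGH, Tier.MEDIUM, Tier.LOW):
        if not check_password(password, tier):
            return tier
    return None


if __name__ == "__main__":
    # Constructed sample passwords: one easy to remember, one stronger.
    for candidate in ("sunflower", "Correct-Horse-42", "abc"):
        print(candidate, "->", highest_tier(password=candidate))
        for tier in Tier:
            print("  ", tier.value, check_password(candidate, tier) or "ok")
```

The point of `highest_tier` is the author’s argument in reverse: an easy password that is perfectly acceptable for the low tier is rejected for the high tier, while nothing forces the utility portal to demand the banking-grade password that drives users to write things down.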

