I’ve reviewed three different policies so far this month, all of which contained the a similar requirement that users not write down their password. How counterproductive is that?
It is impossible to impose any level of password complexity and regular expiration, without expecting that the password holders write the things down for reference at least until they’ve memorized the new password. Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
One thing that I have not seen popping up in security policy is a requirement that users not use the same password for the multiple unsynchronized systems that are inevitable within an organization of any size. Including work-related eZines and a memory stick that disappeared years ago, I’ve got 30 different Gartner ’accounts’ and passwords stored in my personal password database. That database has over 200 secret authentication strings stored in it, which leads to the point of today’s blog, that corporate password policies should forbid the use of ‘home’ passwords on corporate systems.
The reuse of passwords across multiple accounts is a well-recognized phenomenon within the security community (even security specialists have stumbled into self-imposed cascading password exploit incidents). Multiple published studies indicate an unfortunately high level of password duplication. While most people intellectually recognize this as the case, I’m not sure how many have fully understood the implications. The use of the same password for multiple accounts represents a single point of failure, in which the (dare I say lazy?) actions of an individual can result in multiple simultaneous failures.
I recognize the impracticality of preventing the shared use of passwords on both personal and employer systems (I won’t suggest that corporate surveillance tools could easily identify the majority of personal passwords, given the number of people who access FaceBook and gmail from work). Even though it cannot be reliably enforced, I see nothing but advantage in encouraging employees to avoid reusing passwords.
PIN and password proliferation is one of the unfortunate and virtually insoluble challenges for the digitally active individual. I try to maintain unque passwords for several hundred systems, and my dependence upon several synchronized copies of an encrypted password store is only one of the several inconveniences, and I am not recommending it. I do recommend that until we have widespread availability of a stronger mechanism that scales to dozens of corporate sites, and hundreds of personal sites, individuals should try to perform a degree of password proliferation.
Enterprise policy writers must recognize that only a small number of humans have photographic memory, and the proliferation of accounts and passwords, and the frequency of changes, dramatically increases the number of random strings that need to be protected. Memorization is impossible. Instead of telling users not to write down their passwords, ask them to treat passwords as carefully as they treat their own money.