I frequently see end user policies that contain the following two elements:
- Passwords must be so complex that they cannot be guessed
- Passwords may not be written down
This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only represent a marginal increase in attack resistance. No password can be so strong that it cannot be slurped by malware. Infinitely complex passwords are infinitely impossible to memorize, but they are not substantially more secure. I almost hesitate to further mention that aggressive password aging policies exacerbate the impossibility of memorization. No normal individual can memorize several dozen non-trivial passwords, especially not when quarterly changes are enforced.
Given that we are stuck with passwords, at least for the time being, my advice would be to teach your users how to carefully protect the complex passwords that they have no choice but to use. A useful guideline is to treat written passwords like money.
But the point of today’s rant is not to revisit password policies. It’s to encourage some attention to those policy elements that never seem to go away, but cannot be followed. Do not force your people to agree to follow impossible policies—it is counterproductive for multiple reasons. Policies like this are tantamount to saying “You are on your own. We won’t help you, but if you get hacked, we will blame you.”
Choose your policies carefully, and remember that the majority of bad things cannot be prevented just by writing down a rule against them.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.