Jay Heiser

A member of the Gartner Blog Network

You may not write down unmemorizable passwords

by Jay Heiser  |  April 19, 2012  |  1 Comment

I frequently see end user policies that contain the following two elements:

  • Passwords must be so complex that they cannot be guessed
  • Passwords may not be written down

This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords represent only a marginal increase in attack resistance. No password can be so strong that it cannot be slurped by malware. Infinitely complex passwords are infinitely impossible to memorize, but they are not substantially more secure. I almost hesitate to mention that aggressive password aging policies make memorization even less feasible. No normal individual can memorize several dozen non-trivial passwords, especially not when quarterly changes are enforced.

Given that we are stuck with passwords, at least for the time being, my advice would be to teach your users how to carefully protect the complex passwords that they have no choice but to use. A useful guideline is to treat written passwords like money.

But the point of today’s rant is not to revisit password policies. It’s to draw some attention to those policy elements that never seem to go away, but cannot be followed. Do not force your people to agree to follow impossible policies—it is counterproductive for multiple reasons. Policies like this are tantamount to saying “You are on your own. We won’t help you, but if you get hacked, we will blame you.”

Choose your policies carefully, and remember that the majority of bad things cannot be prevented just by writing down a rule against it.

Category: Policy security


  • Manasvi Thawani, April 19, 2012 at 1:54 pm

    Great insights, Jay! What are your thoughts on biometric authentication, especially voice authentication, as a substitute for or add-on to passwords (multifactor authentication)?