Passwords
Megan McArdle, subbing for Glenn Reynolds, writes of password policies at many large companies:
Many companies require long passwords, number/letter combinations, frequent password changes, unique passwords (you can't ever re-use old passwords), and so forth because these are harder to crack. The problem is, they're also harder to remember. Users who can't remember their passwords have to write them down. It is, to my mind, substantially less safe to have a user's password written on their computer, or taped in their desk (two favourite tricks I spent a great deal of time discouraging), than to have it be a five-letter word.
I would go even further. The requirement that passwords change on a regular basis makes systems less secure, in my opinion. There are only so many cryptic, hard-to-guess, but memorable passwords I can come up with. Sooner or later, forcing me to ditch those good ones periodically will use up the list. When that happens, I will have to start using passwords that are much easier to guess, like simple words.
Which is more secure: a cryptic password that is hard to guess but I can remember that stays forever, or a series of steadily less cryptic passwords? It seems to me, clearly the former. But what do companies want? The latter.
A company's security policy should focus on helping users come up with something cryptic but still memorable, and on keeping that password until there is some evidence that it has been cracked. It's positive reinforcement: encourage behavior you want to see, discourage negative behavior.
At a previous employer, this is what they did. The employee was not forced to regularly change their password. But security had software running that was constantly trying to crack the passwords, and if it succeeded, you had to change yours. So if I had a password sufficiently cryptic that the cracking software couldn't crack it, the employer effectively encouraged me to keep using it. Only employees with bad passwords had to change, to something harder to crack.
That is a good security policy. It encourages behavior conducive to security and addresses behavior contrary to security, unlike my current employer's policy, which eventually forces one to choose poor passwords.
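The audit described above, as an added example (not the former employer's tooling, and not part of the original post): a job that holds a constructed store of salted PBKDF2-HMAC-SHA256 password hashes, runs a small dictionary attack with a few mangling rules against every account, and reports only the accounts whose password it recovered. Those users are the ones forced to change; everyone else keeps their password. The usernames, passwords, wordlist, and rules are all made up for the illustration.

```python
"""Password audit in the spirit of the policy described above.

Added example, not the employer's actual tooling. Flags only the accounts
whose password the audit can recover offline; a miss means "not found with
this wordlist and these rules", not "uncrackable".
"""
import hashlib
import hmac
import os
from typing import Dict, Iterator, Optional, Tuple

# Work factor kept low so the demo finishes in a second or two. A real store
# would use a far higher count, which slows the audit and the attacker alike.
ITERATIONS = 2_000

# Constructed wordlist and rules. A production audit would use a large
# leaked-password corpus and many more rules; the principle is the same.
WORDLIST = ["password", "summer", "dragon", "welcome", "letmein"]
SUFFIXES = [""] + [str(d) for d in range(10)] + [
    f"{year}{sym}" for year in range(2020, 2026) for sym in ("", "!")
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the format the constructed store holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample accounts: user -> (salt, hash).

    The plaintexts appear here only to build the fixture; the audit itself
    never sees them, only the salted hashes.
    """
    plaintexts = {
        "alice": "Summer2024!",       # dictionary word + year + symbol
        "bob":   "password",          # plain dictionary word
        "carol": "gX7#kq!v2Lm9$ze",   # random; not reachable from the wordlist
        "dave":  "Dragon1",           # capitalised word + digit
    }
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def candidates(word: str) -> Iterator[str]:
    """Apply the mangling rules (case variants, then suffixes) to one word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def crack_account(salt: bytes, digest: bytes) -> Optional[str]:
    """Return the recovered password, or None if the candidate space misses."""
    for word in WORDLIST:
        for guess in candidates(word):
            if hmac.compare_digest(hash_password(guess, salt), digest):
                return guess
    return None


def audit(store: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Accounts whose password was recovered, mapped to the recovered value.

    Only these users are forced to change their password. Each account is
    attacked with its own salt, so no work is shared between accounts.
    """
    flagged = {}
    for user, (salt, digest) in store.items():
        hit = crack_account(salt, digest)
        if hit is not None:
            flagged[user] = hit
    return flagged


if __name__ == "__main__":
    for user, pw in sorted(audit(make_account_store()).items()):
        print(f"{user}: must change password (recovered {pw!r})")
```

Two caveats a practitioner would add to the policy itself: the audit job needs read access to the password hashes, so it has to be as well protected as the store it reads, and its verdict is only as good as its wordlist and rules, so "not cracked" should be read as "not cracked yet by this job", which is exactly why the post frames it as waiting for evidence rather than proof.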