Password Expiration Insanity
My password to a significant NIH funded program, whose program name shall be veiled so that I can rant without repent, is required to change every 60 days. Participation in the program is meant to stimulate collaboration and the spreading of goodwill among other goodwill spreaders, but its password management policies make me want to leap out my office window. Rather than doing that and creating a traffic jam on East Huron Street below, I’ll choose not to reset my password and thus end my collaboration in the program. Truth is, I have no fantasies that lack of participation will at all be noticed, but it gives me some sense of rebellious satisfaction to poke at that windmill anyway.
If anyone should be conservative about password management and reset frequency, you’d think it would be me. I was soaked in the waters of information security from the beginning of my career as an information systems officer for the Air Force in the Strategic Air Command. SAC’s motto was, “To err is human, but to forgive is not SAC policy.” Later, as civilian hired spooks for the National Security Agency, our team was responsible for dreaming dreams of every bizarre kind to hack into the command and control systems of the US nuclear weapons arsenal. One night, just to prove a point, we hacked the Joint Chiefs of Staff Alerting Network (JCSAN) from a payphone at Gilmore Lake Tavern in Bellevue, Nebraska and handed the phone to one of the waitresses. NSA renewed our contract. Everything professionally since those days has been pretty boring, frankly.
My point is: Password expiration frequency has almost nothing to do with greater security. The greater the frequency of change, the more likely people are to store their passwords in non-secure ways, like sticky notes on their desks, or to share passwords. We (IT and Informatics types) are driving our physicians and operations staff insane with password changes, and for no good reason other than that everyone else does it, so it must be a best practice. Caution: The best practice in front of you is actually the backend of a lemming.
The essential tenets of password management and effectiveness are, in order of importance:
· Account Activation and Termination: Clearly verifying and authenticating user identity and access rights is fundamental, as Yahoo discovered with Sarah Palin’s email account. Likewise, rapid and effective means for terminating accounts and resetting passwords are mandatory. This frequently boils down to an issue of simple coordination with Human Resources.
· Complexity: No brainer. Secure passwords should be a mixture of letters, spaces, special characters, case, and at least six characters long; preferably eight. Force your users to use a complex password, but then let them keep it forever and use it everywhere. And for gawd sake, change the default system passwords that come with installation of everything from software to network switches. “CHANGEONINSTALL” is pretty easy to hack.
· Limited Try Lockout: After five or six failed attempts, lock the account and force an alternate secure path to reset it. This is not to be confused with Limited Try Timeout, which only imposes a countdown timer between failed login attempts. A timeout is better than nothing, but not nearly as effective as a full lockout.
· Auditing: Proactive audits of system logs, intrusion detection systems, and access control logs are a must. If your Security Managers aren’t checking and auditing for odd activity every morning, right after they brush their teeth, they should stop brushing their teeth and check the audit logs first. Or… maybe they should brush their teeth with the audit logs… Brilliant!
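The complexity rule and the lockout-versus-timeout distinction above, as an added example that is not the author's code: a small Python model in which a `LoginGate` in lockout mode freezes the account after the post's five failures, while timeout mode merely delays the next try. The threshold and backoff values, the default-password list, and the `reset_via_alternate_path` helper are assumptions for the demo.

```python
from dataclasses import dataclass

# Numbers from the post: eight characters preferred, lock after five failures.
# The timeout base and the default-password list are assumptions for the demo.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 5
TIMEOUT_BASE_SECONDS = 2
DEFAULT_PASSWORDS = {"CHANGEONINSTALL", "ADMIN", "PASSWORD"}

def password_meets_complexity(pw: str) -> bool:
    """Post's rule: min length, mixed case, a space or special char, no vendor defaults."""
    if len(pw) < MIN_LENGTH or pw.upper() in DEFAULT_PASSWORDS:
        return False
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(not c.isalnum() for c in pw))

@dataclass
class Account:
    password: str               # demo only: a real system stores a salted hash
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0   # used only by the timeout gate

class LoginGate:
    """mode='lockout' freezes the account; mode='timeout' only delays retries."""
    def __init__(self, mode: str, now):
        self.mode, self.now = mode, now   # now: callable returning seconds

    def attempt(self, acct: Account, guess: str) -> str:
        if acct.locked:
            return "locked"
        if self.mode == "timeout" and self.now() < acct.next_allowed:
            return "wait"
        if guess == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.mode == "lockout" and acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        if self.mode == "timeout":   # exponential backoff between failures
            acct.next_allowed = self.now() + TIMEOUT_BASE_SECONDS * 2 ** (acct.failures - 1)
        return "denied"

def reset_via_alternate_path(acct: Account, new_password: str) -> bool:
    """The post's 'alternate secure path': only a compliant password clears a lock."""
    if not password_meets_complexity(new_password):
        return False
    acct.password, acct.failures, acct.locked, acct.next_allowed = new_password, 0, False, 0.0
    return True
```

Note that in lockout mode even the correct password is refused once the account is frozen, which is exactly why the post insists on an out-of-band reset path rather than a timer.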
Put high frequency password expiration where it belongs -- in the backend of a lemming -- not on the backs of your physicians, nurses, and support staff.