How Changing Your Password Sucks


On The True Cost of Expiring Passwords

From “Archon”, a commenter on Bruce Schneier’s 08/05/2016 blog article “Frequent Password Changes Is a Bad Security Idea” (https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html) —

I work at a company that recently dropped its passwords from 90 days to 60 days. The solution for the people in the 61-90 range? Expire their passwords right now! Can’t have anyone violating security policy!

I told the PHB [1] this was a horrible idea; he did not listen. Now I have 1/3 of 2000 people calling me and very, very angry.

Archon’s anecdote is the real world.  Few people understand, or calculate, the True Cost of expiring passwords. Many sys-admins do.  Business weasels [2] and Dilbert’s pointy-haired manager [1] do not.

Consider this (not so fictional) user’s story:


Joe User (no sexism intended — “Joe” could be “Jo”) comes to work on his/her regular shift, and, as he does every day, turns to his terminal (usually, nowadays, a terminal emulator on his workstation’s desktop, which could be in a cubicle or on the factory floor, etc.) to log(in/on)/sign(on/in) to his application computer system (Unix, Linux, OpenVMS, mainframe or other).  Note that computer access is essential to his work and job performance.

He enters his…
Username: juser

and…
Password: **********

Bingo-bang!  Computer responds with “Your password has expired!”
…and down goes poor Joe into the dreaded Password-Dialogue-From-Hell.

Joe…

* Palms his forehead, raising a welt (this could be sufficient cause to file an accident report).
* Mumbles a profanity at the terminal.  Poor terminal (this also could be grounds for an incident report).
* Stares dumbly at the blinking cursor for some period of time.
* Swears again.
* Pushes his chair back.
* Stands up abruptly, causing his chair to tip over (possibly grounds for another accident report).
* Walks down the hall to the restroom, hoping to think of a new password.
* Returns from the restroom, thinking happily about his crafty new secret password.

* Notes that his terminal has timed out.  Starts the whole log(in/on)/sign(on/in) process afresh.
* Is confused about whether to enter his old password again in response to the password prompt…
* While he’s thinking about this, his terminal session times out again.
* Swears…
* Starts over again.
* Still confused, but says “To hell with it…” and enters his old password.
* Gets the “Please enter a new password:” prompt again.
* Has forgotten his crafty new secret password.
* Stares at the terminal for “a long time”…
* Terminal session times out again.

* Curses… A prim, proper, timid yet politically-correct colleague across the aisle furtively files a formal online complaint against him.
* Starts over again.
* Recovers his train of thought from the restroom trip, and happily enters his crafty new secret password when the system demands “Please enter a new password:”.
* System responds: “That password is found in the proscribed dictionary.  Please enter a new password:”
* Says “Huh?!?”
* System times out again.
* Curses…
* Throws his pencil at the wall…
* P.C. colleague picks up the phone to call the designated HR representative for sexual harassment and workplace violence.

* Starts over again.
* “Please enter a new password:”
* Types in the first thing that occurs to him.
* System responds: “Password is too easy to guess. Please enter another string.”
* “…another string??!!! I thought this was a password thing…” Another profanity.
* System is really slow, so he has time to think up yet-another-password.
* Enters his new-new password when prompted “Please enter a new password:”
* System responds: “The entered password does not meet complexity requirements.  Please enter a new password:”
* Curses…
* Swears…
* Enters his new-new password when prompted “Please enter a new password:”
* System responds: “Passwords may not contain profanity. If you persist, your violations will be reported.  Please enter a new password:”
* Curses…
* Slams keyboard on desk…
* P.C. colleague calls the cops; a SWAT team is dispatched, but cannot get past the building entrance security guards.

* Calms down a bit when his PHB-Supervisor walks over to see what’s wrong.
* Takes deep breaths and explains his problem.
* PHB-Supervisor advises him to call the Help Desk.
* Calls Help Desk, listens to nine minutes of Karen Carpenter’s “Close To You”… mutters a counterpoint of profanities under his breath.
* “Hello, this is Roger in Kansas City, how can I help you?” (in reality, Rajesh in Bombay; he can tell from the accent).
* Explains his problem.  “Roger” doesn’t get it, and tells him to “Please to reboot your PC.”
* Swears… “Roger” doesn’t get that either.
* Calms down… Tries to patiently explain to “Roger” that he needs help to reset his password.
* “Roger” finally asks him “Which system?” Joe explains carefully and slowly. When “Roger” finally understands that the system in question is an applications system and “Ohhh… this is not Windows, no?…”, explains that he cannot help. “But, I can please help you to reboot your Windows whenever is best convenient for you, no?”
* Curses… Swears… Slams phone… Verging on hyperventilation… et cetera…
* P.C. colleague is now hiding under desk, quietly praying agnostically.

* PHB-Supervisor swings by again, observing the obvious that the Help Desk is really for Windows-only problems, and advises that Joe really should call the application system’s administrator, helpfully providing the phone number.
* Calls system administrator.
* Gets voice mail: “Hey, this is Hal, leave me a message, I might get back to you. Heh-heh.”
* Leaves voice mail, peppered with profanity.
* Gets up and goes to coffee room.  Spends an hour telling colleagues about his problems, including the password expired problem.

* Gets call-back from Hal, the Sys-admin, who patiently explains the password policy.  “All passwords must exceed eight characters, but not thirty-two characters, and must contain mixed-case letters, at least three numeric digits, exactly two special characters, at least one emoji, with bonus points for using porpoise noises or an approved Ameslan sign language dialect.”
* Listens silently, while his eyeballs spin in counter-directions.
* Asks: “Would Xyzzy&796%fooBar be an acceptable password?”  Hal says: “Yes, it would, except it lacks porpoise sounds, and you cannot use it because you’ve told me what it is. If you use it, we’d have to shoot you.  Heh-heh.”
* Joe: grimaces.
* “Ya know,” Hal goes on, “I volunteered to join the Security Policy Committee, just to try to keep things from gettin’ out-a-hand, ya know. Heh-heh.”
* “Yeah, right,” Joe mutters.
* Hal doesn’t seem to notice, continues: “One gal on the committee, she heard somewhere that — get this — she says it with a straight face: ‘The most secure computer system is one that’s unplugged and put in a Faraday cage, encased in concrete, and then dumped into the Marianas Trench.’ She’s dead serious! She does allow as that might be goin’ too far for our own company systems. But then she asks: ‘Why don’t we unplug ours and just run them on batteries?’  See whad’I mean?…”
* Joe: “You’re kidding me, right?”
* Hal: “Nope.  I’m tellin’ ya.  Y’all are lucky I’m on the Committee. ‘S’a matter of fact, I’m authorized to make you a special one-time offer, bein’ as you’re updating your password today’n all.”
* Joe: “A deal. Okay, I’ll bite.  What deal?”
* Hal: “Well, the Committee’s fixin’ to release an updated Policy next week, and that’n will make passwords expire weekly.”
* Joe, incredulous: “What?! Wait, man… Hell, we’ll never get logged in to get any work done!”
* Hal: “Yah, that’s been discussed as a possible revenue issue, but the way the Committee figures it, if we can get to the point where nobody can login, we’ll likely get a Full Compliance Security Rating in our next SOX Audit. The CTO and the Corporate Attorney say that they like it, and they say if’n we get there, they’ll release our daughters.”
* Joe:  “Wait…what?! Daughters? Whose daughters?”
* Hal: “It was a condition for joining the Policy Committee. They’re holding our girls as hostage… er, in escrow, as an inducement to getting all our internal systems all into compliance. They’re all stayin’ in a dormitory over at the Convent, the Sisters of Perpetual Expiration. I hear they’re doin’ pretty good, the nuns have them workin’ as human computers on a project to simulate breaking something called Enigma, whatever that is. Seem to be enjoyin’ it; last time I talked to Sammi, they were all callin’ themselves ‘the P.C.s’.”
* Joe: “Um, is this okay with you?”
* Hal: “Oh, yeah, sure. Heh-heh. Every team needs a bit of motivational inspiration every now and then, ‘n it’s been a lot quieter around the house. The Board of Directors has promised us that if we get to full compliance before Christmas this year, they’ll even give us our year-end bonuses!”
* Joe: Doesn’t know quite what to say…
* Hal: “Hey, I almost forgot! Back to your deal! Since your password expired today, I’m authorized to make you this one-time limited offer: If you actually manage to get your password reset today by close of business, you’ll be automatically grandfathered into the 30-day password expiration cycle for the rest of the year, rather than gettin’ pulled into the new 7-day limit.”
* Joe: “So, if I don’t get my password changed today, I’m gonna have to do this every week?”
* Hal: “Yup, that’s right.”
* Joe: “Hell, man, this is messed up. What if I don’t?”
* Hal: “Which what? Don’t get it changed today, or don’t like changin’ it weekly?”
* Joe: “Well, either one?”
* Hal: “Well, then that’d be a violation. We’d have to shoot you. Heh-heh.”
* Joe: “C’mon, man, get serious. I mean, look… What if I just stay logged-on, never log-off, and just throw a blanket over my terminal so no-one can tell?”
* Hal: “Well, then that’d be a violation. We’d have to kill you.”
* Joe: “You’re jokin’ again, right?”
* Hal: “Nope, not this time. But fortunately, we’re installin’ Cisco’s new Enterprise Inactive Process Crusher to monitor and terminate violatin’ interactive sessions like yours. It’ll kill your session whenever you go to lunch, or to the restroom, at shift-end, and every time you stop typing stuff for more than 90 seconds. If you don’t get your password reset today, you’ll likely never logon again.” Cackles gleefully to himself.
* Joe: Sighs… Says “Thanks for the help, man…” and hangs up.

* Thus forewarned, prepared and comprehending (not really), thinks hard about his trusty old password, remembers that it’s got a “4” in it, decides to change the “4” into a “5” and hope for the best…
* Starts over…
* This time, when prompted “Please enter a new password:”, enters his old password with the “5” substituted for the “4”, hits the Enter key and prays.
* System responds: “Please enter a new password:”
* “Yes!”  Overjoyed, enters his new-new-new password, but — as old habits die hard — with the “4”…
* System responds: “Passwords do not match.  Please enter a new password:”
* Swears, et cetera…
* P.C. colleague is crawling on belly towards the nearest exit. Much shouting can be heard from the vicinity of the building entrance.

* … “Please enter a new password:”
* Enters his new-new-new password with the “5”…
* “Please confirm the new password:”
* Using only two index fingers, carefully and slowly starts typing his new-new-new password again…
* Before he’s done, system responds with “Time-out expired.”
* Tears come to Joe’s eyes.
* To no-one in particular, shouts “If this doesn’t work this time, I’m gonna…”
* Starts over, one last time…
* “Please enter a new password:”
* Enters his new-new-new password with the “5”…
* “Please confirm the new password:”
* A bit more quickly, but still with two index fingers, types his new-new-new password again, sounding it out silently, and remembering to use the “5” instead of the “4”.
* System hesitates, then responds: … “Password has been changed successfully.”
* Erupts from his chair with shouts of triumph.
* P.C. colleague bolts for the door… Emerges running into the parking lot, where the SWAT team takes careful aim…
* Joe immediately writes his new-new-new password onto a Post-It Note with a red Sharpie, and tapes it to his workstation’s screen in the upper-right corner. Uses duct-tape on all four edges so it won’t blow away.
* Finally gets to work… but is a basket case for the rest of the day.

* Later that afternoon, receives an email from “the Corporate Security Team” stating that: “Data security is critical to FooBar Corporation. For this reason, we require that any and all passwords be changed periodically. Due to our improved security policy, your network access password will expire in 7 days. Failure to update your network password within this timeframe will result in loss of network access, plus a mandatory remedial system security retraining class which must be completed no later than 30 days from the date of the infraction.”
* Joe is forcibly restrained and removed from the premises by building security. After a fifteen day stay in the Mental Rehab Center across the street from the Sisters of Perpetual Expiration Convent, he shakily returns to work.

* …30 days later…


I’ll examine the true cost of the corporate “Password Expiration Security Policy” in a future post.


[1] Wikipedia article: https://en.wikipedia.org/wiki/Pointy-haired_Boss; see also https://en.wikipedia.org/wiki/Dilbert and http://dilbert.com/.

[2] Thanks to my colleague Swift for the use of the phrase “business weasels”, referring to MBAs, mid- to upper-managers (usually non-technical), and corporate attorneys.

This entry was posted in Computer Security, Technology.
