Thursday, February 27, 2014

Security Theater

There’s this website I have to access occasionally for work, but the account password expires after a fixed period of time (a few months).

Fair enough. For security reasons, passwords should be changed periodically. Having them expire is a straightforward method to force users to comply with this policy. You log in, receive a notification that your password has expired, enter your old password once, your new password twice, and voila, your password is changed. All that's left to do is write it down on a sticky note and affix it to the front of your monitor.

The problem I’ve had with the way passwords expire for this particular account is that there’s no indication that the password has expired. If my password doesn’t work, I have no idea whether I just mistyped my password or it’s actually expired. As a result, if I enter the previously valid password too many times, I’m locked out of the account. Again, there's no indication that this has happened. Wrong password. Expired password. Too many attempts. Bzzzzt! Try again. Fail.

What a great idea: a password policy that’s completely opaque to the people forced to use it. To change your password, you actually have to visit a separate website and, of course, none of the websites where you use your password link to it.

If you haven’t figured out yet where I’m heading with this story, it’s that I’ve been locked out of this account more than once. When that happens, I have to call the help desk to have my password reset.

Given the hostile design of the login process, I half expected my reset password to be a long string of Ms and Ns, all recited to me over a bad phone connection. Sorry, for security reasons, we can’t email it to you.

Fortunately it was surprisingly user friendly, but I immediately recognized the new password as one I was given previously: the six character company name plus three sequential digits.

The new password worked on the first try, but I wasn't forced to immediately change it, so it was obviously not temporary. That seems like a big pile of security stupid, but it’s their policy, so whatever. To my credit, I immediately headed over to the site I bookmarked to change it, but that option was nowhere to be found.

So now I have a password that’s easy to remember.

Security theater, adopting an ineffective or poorly implemented policy just to have a policy, is worse than no policy at all; it consumes resources that could be more effectively allocated and gives a false belief that risk has been reduced.

Put more succinctly, the only security worse than no security is false security.
