Is it just unreasonable to ask people to remember complex passwords?

I’ve thought for while that increasing password complexity is actually a threat to security, rather than a help. The perceived wisdom employed is that passwords requiring capital letters, numbers and symbols in various combinations and quantities increases the password diversity and thereby the security of a system.

Speaking as someone who has just changed his system password (and left it until the system got irritable about it and forced me to do so), I have to say it’s a total pain in the backside. I get why we need to do it, and the rationale is sound. But it took me four attempts to come up with something I could remember and that the accursed machine would accept. Obviously ‘PASSword1234!!!’ isn’t acceptable, and I don’t have a dog so I can’t use ‘B1ng0!!!’. I’m too self conscious to use something really sweary, so ‘B0110xhaha!’ is out of the question.

I came up with something eventually, but given the number of user IDs and passwords now required across the web, it’s really quite tough. And let’s be honest, can we be surprised when we find Post It notes stuck onto machines in offices? It’s even worse in IL3 environments and above, and brutally, it’s got to a point where we need to rethink this.

The old adage is that there is a line, with security at one end, and usability at the other:

Security ————————————————————————————– Usability

and the trick is to try and pick a point that is appropriate for the system you are logging into. Got an IL5 system? Then it is very secure and to hell with the usability. The problem is that as LulzSec et al keep battering systems, the point moves away from usability for even IL0 systems. And the user, often just desperate to login and get on with their day tries to make the login as easy as possible. And who can blame them? Personal accountability yes, but seriously, I have this report to do, forms to complete and meetings to attend. Where’s that scrap of paper with the login on it? There …. right, done ….. crack on …..

My bank requires a combination of personal details, plus a 2FA (two factor authentication) via what looks like an RSA token with a keypad. It takes maybe another 15 seconds to login, but the requirements for multiple short sets of data, personal to me, PLUS a 2 x 4 random number sequence strikes me as secure.

Ultra secure systems aside, maybe it’s time we realised that by making matters too complex, we are in fact reducing rather than increasing security. I think it’s time for a new approach.


About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Cyber, Government ICT strategy, Govt ICT Strategy, Information Security, InfoSec, Password Security, Security, Sophos. Bookmark the permalink.

One Response to Is it just unreasonable to ask people to remember complex passwords?

  1. Graeme, you are completely right. But there’s another thing. The more complex the authentication architecture, the more it costs to fix when it eventually gets compromised. In other words, passwords are easier to reset than fingerprints or retinas. So my new approach is to make complex passwords more fun and memorable.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s