My bank forced me to change my login password again. They claim it’s an automated procedure that happens every 3 months, but I know it really waits for me to finally remember the password and then immediately forces me to change it.
When I went in to change it, I was reminded of the draconian rules: it must be at least 6 characters, with at least 2 numbers, at least 2 uppercase and at least 2 lowercase letters. These people went to the ‘security by obstruction’ school, no doubt.
I decided to fight back. Having finally managed to remember the awkward, strange password I had to pick 3 months ago, I decided I’m sticking with it. So I changed it to something else, which I had to write on a piece of paper for fear of forgetting it within half a minute (if you saw Memento, that movie is about me. I’ve tried to always order beer in bottles since seeing it), and then I went to the ‘change password’ section to change it right back to my awkward-but-committed-to-memory password.
Naturally, the bank was waiting to set me straight. «You can’t change back to any of your last 5 passwords», it explained with a grinning smile, handing me the solution right away. As you can surely guess, I returned the favor by changing the password 5 times to different things and then changed it back to my old one. I win. Next round in three months.
People will always outsmart security systems that try to force them into making the ‘right’ decision. What I did today (and I’m quite pleased with it, thank you very much) is done every day by people who use their CD-ROM drives as coffee trays and have never used a program that didn’t start by itself when they double clicked an icon.
But here’s what is really bothering me: what is the attack scenario here? I would like to see the statistics showing how many attackers actually manage to capture a username and password and then fail only because they try to use it after 90 days. While those huge numbers are being crunched, please put on the Y-axis the number of attackers who found the password on a post-it stuck to the monitor because the password is so complicated to remember.
Or maybe a great number of attackers used brute force to crack the password (which could take many millions of attempts for a single account), so there is a clear need for a long and sophisticated password. (BTW, if this attack is possible, someone should tell me how to do it. I’ve been locked out a few times for failing to type the password correctly within a few guesses. I need a few guesses because I can’t remember the current password, which, as you recall, changes every 90 days.)
Being the cynic that I am, and having read enough security policy documents, I can guess why the password policy is the way it is: it’s easy to explain and justify, and it makes sense to the senior execs when shown in a PowerPoint slide. I once heard from a high-profile organization that after a successful break-in to their network they decided to tighten up security: all passwords now had to be 9 characters instead of 8. I’m guessing someone was promoted for this genius move, and there’s still enough room to raise it further when the next break-in comes (now that’s thinking ahead).