by Ross Oliver, Senior Technical Consultant at Taos
Breaker breaker, are you required to have a “special” character in your password? Thank the UNIX password system of the 1970s, also the time of the CB radio craze in the BC (Before Cellphones) epoch.
The Web as we know it today started primarily on UNIX computers, and in the earliest days, web site accounts often were actual UNIX accounts. Shortcomings of the original UNIX password system included:
- Passwords limited to 8 characters
- Stored passwords accessible by anyone
- Password encryption methods overtaken by computing power
- Unlimited password guessing
Policies to address these weaknesses still persist to this day, largely through IT inertia and failure to recognize today’s biggest threat to password security: password re-use.
In the BC era, the largest risk to the password was from inside the organization: password cracking of your own password database, and password guessing on your own systems. These were the risks BC era policies addressed.
Today, most (but not all!) organizations use Bcrypt and failed login limiters, making these risks moot. The risk has shifted to outside the organization.
The average Internet-connected person has 56 accounts. Does that mean 56 different passwords? No. More likely the same password used 56 times. Require someone to create a complicated password, and he will naturally want to make the most of it by using it for everything!
So the new risk is not from inside the data fortresses of large organizations, but from the tiny, poorly protected web sites where people have re-used the password from the fortresses.
The BC era password policies offer no protection against this risk.
Policies must address the password proliferation problem. The popularity of outsourced services has saddled employees with corralling a whole herd of ornery passwords. Which of these do you have a password for?
- Corporate email
- Expense reporting
- HR and recruiting
- Health insurance
- Health savings accounts
- Brokerage for stock options
- Retirement accounts
- Chat and internal discussion forums
- Cloud storage
Your password is only one voice in a chorus. Whether that chorus is mellifluous or cacophonic depends on providing password management tools. Mac users have a built-in advantage with Keychain. LastPass and 1Password are popular multi-platform solutions.
We got a mighty convoy rockin’ through the night.
Now we got a mighty convoy, ain’t she a beautiful sight?
Come on and join our convoy, ain’t nothin’ gonna get in our way.
We’re gonna roll this truckin’ convoy, ’cross the USA
[“Convoy” by C.W. McCall, 1975]
But why do we have to create our own passwords? We don’t ask employees to cut their own door keys or print their own ID badges. Why can’t we just be given good passwords, passwords that are both hard to guess and easy to remember?
Back in the BC epoch, the only people using the UNIX computers were the programmers themselves. There was no IT group or help desk, so the programmers had to create their own passwords. There was literally no one else. Today we have IT departments, so this limitation no longer applies.
So what should a modern AX (After UNIX) password policy look like?
- Limit the number of failed attempts before temporarily locking the account.
- Store passwords using Bcrypt with an appropriate work factor.
- Drop all the counterproductive and outdated “special character” requirements.
- Provide a tool for generating passwords that meet organizational requirements.
- Provide a secure method of storing passwords, and training on its use.
- Consider assigned passwords rather than self-generated, to improve password quality and reduce re-use.
Most CB radios went into the recycling bin long ago. Your BC era password policy deserves the same treatment.