The Official Blog of Cogmap, the Org Chart Wiki



Death Spirals into a Secure New World

Security breaches are an act of terrorism in many ways.  And much like terrorism, security never gets credit for breaches prevented, but people lose their jobs every time someone gets away with one.  The result is that there is little incentive other than sheer cost to limit security efforts in a corporate context.

And better security works!  I found this chart of password lengths that told me that allowing a special character could force a hacker to take 8x longer to break a password.  Making a password 7 characters instead of 6 makes it 12x harder to break.  This is very good.  Passwords should be hard to break.  So what security organizations take away from this is that users should be required to put in a special character.  Required to mix case.  Required to use numbers.  Let’s make the password 8 characters minimum!

Does this sound preposterous?  This was an employer’s corporate password philosophy.  According to our handy-dandy chart, it will take a hacker 1.45 centuries to break my password.

But you never know, a hacker could have started on my password already!  Fortunately, my employer made me change my password every 45 days.  Also, they would need my RSA SecurID, a 6-digit passcode that changes every 60 seconds and is more or less random.

But if you are on the security side of our organization, I can’t figure out why they haven’t made passwords 12 characters, or 45 characters.  If it was 12 characters it would take 4 millennia to hack.  Maybe they could relax other rules, like letting me change my password every 60 days.  I am sure they would encourage me to voluntarily make my password that long.  But here is the rub:

When you have to change your password every 45 days, and the password is that preposterously complex, you have a system.  Everyone I work with has a system.  Incrementing numbers in the same password.  Date-based password schemes.  When you have to come up with 9 passwords a year and you are not allowed to reuse a password you have used in the last 24 tries (true!), you have to have a system to remember.  Does this mean changing passwords is less secure than not changing passwords?

So changing passwords is a bad idea.
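The keyspace arithmetic behind the chart above, and behind the "system" problem, as an added example that is not part of the original post. It assumes its own character-class sizes and a single offline guess rate, and models a "system" as a fixed base string with only a short numeric suffix changing between rotations, so an attacker holding one old password only has to guess the suffix.

```python
import math
import string
from itertools import combinations

# Assumed class sizes: 26 lower, 26 upper, 10 digits, 32 punctuation marks.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digit": len(string.digits),
    "symbol": len(string.punctuation),
}
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, classes):
    """Candidates when every position may hold any allowed character."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def required_keyspace(length, classes):
    """Candidates when at least one character from EVERY class is required.
    Inclusion-exclusion over the classes that are missing: requiring a class
    is slightly weaker than merely allowing it, because it rules out guesses."""
    total = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            alphabet = sum(CLASS_SIZES[c] for c in classes if c not in missing)
            total += (-1) ** k * alphabet ** length
    return total


def entropy_bits(space):
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try the whole space at a fixed offline guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def scheme_keyspace(varying_digits):
    """Effective keyspace once an attacker holds one previous password and
    the user's rotation scheme only increments a suffix of this many digits."""
    return keyspace(varying_digits, ("digit",))


if __name__ == "__main__":
    policy = ("lower", "upper", "digit", "symbol")     # 8 chars, all classes
    full = required_keyspace(8, policy)
    print(f"policy: {entropy_bits(full):.1f} bits, "
          f"{years_to_exhaust(full, 1e9):.0f} years at 1e9 guesses/s")
    print(f"same user with a 2-digit counter scheme: "
          f"{entropy_bits(scheme_keyspace(2)):.1f} bits")
```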

These same requirements apply if you want to read my email on my phone, where every corporate phone is locked with an 8-character password combining letters, numbers, and special characters.

Do you have any idea how much of a pain in the butt it is for me to put in an 8 digit password with letters, numbers, and special characters every time I want to make a phone call?

How much business value is lost by making people enter passwords every time they use their phone?  I just calculated that it takes 12 seconds for me to type in my password on my phone.  So let’s say that I do that 10x/day: 2 minutes.  That means 14 minutes/week (still typing on weekends).  12 hours/year typing your password (52 weeks because you still have to type the password on vacation).  That is .5% of my work week.  Let’s say that an employee makes $104,000/year (to keep the math simple).  That means $2k/week.  So that password lock on the phone is essentially paying $11.66/week to keep things secure.  But none of that cost gets passed back to the IT department, so it is a slam dunk decision.

Is anyone trying to brute-force my password on my phone?  Really?  That would be foolish because if they fail six straight times, my phone deletes its entire contents.  So why the password complexity?

Let’s not even get into what it is like when I am trying to type my password into my phone while driving.  If my wife knew…

Password-protecting phones with complex passwords is a bad idea.

Let’s talk about RSA SecurID.  RSA touts it as the best protection in the world because the SecurIDs are mobile: They go where your workers go.  But let me tell you, they don’t really.  I put mine on my keychain.  Now my keychain is huge.  Sometimes it bothers me so I leave it lying around the house or office.  I don’t take it on vacation.  I don’t have it lots of times.  In fact, I don’t have it right now.

(Let’s be clear, this is not a ding on any one company, this is a ding on complex security at companies.  Many companies have them, all of them are FAIL.  I don’t like them.  Of course, I don’t work on the IT side of companies any more because I am the kind of guy that annoys the rest of the organization.)

Talk about your problems with your company’s security policies.

One Response to “Death Spirals into a Secure New World”

  1. Greg Says:

    Heh – it gets worse when your behemoth of a company outsources certain parts of its internal infrastructure (software for expenses, software for booking travel, software for booking vacation, software for doing employee reviews, etc.) and each of these has a different, not completely compatible security policy (some required punctuation, some required a number, etc.) and a different ‘refresh period’ for passwords.

    In the end I did what every stereotypical big company idiot does – wrote the passwords on a Post-It and kept them near my computer. Totally counterproductive.