All of us who live in this interconnected world are familiar with the password polka. We have files or black books filled with the myriad passwords required for our activities from banking to fulfilling our pets’ medications. We attempt to log into sites which have inevitably required a password change two weeks ago. We try to change our passwords per the requirements of our benevolent policy overlords only to discover that we have already used that password, or we are required to use the special characters !@#&@ and one UPPERCASE.
!@$& is right.
One of the biggest frustrations we experience as both consumers and IT professionals has to do with this !@$&-ing dance. In fact, according to the Gartner Group, password resets consume 30% of all IT call volume. And at an estimated 25$ per call (Gartner estimates this amount to be higher at $70 per call) with an average of 1.75 calls per month per person (META Group), this places the cost to a company of 50 employees for password resets alone to nearly $8,000!
And this is where the frustration for the benevolent policy overlords begins. An aggressive password reset policy will undoubtedly increase this number, but $8,000 is small price to pay for the risk mitigation that comes with strong password rules. In fact the risk of exposure, data loss or other more nefarious problems is more or less limitless.
Using this logic, we as IT administrators should increase the strength of our password policies and consider the cost on the support end just the cost of doing business. I have personally run into sys admins who require insanely complex passwords that reset on very short schedules. These security minded individuals believe that the cost of a breach is so severe that end user frustration and support costs are not worthy of consideration.
–And, they would be right…If it weren’t for a couple of big problems.
The first that we incorrectly assess password strength based on our own fleshy weaknesses. Consider the following “complex” password: 1Dr@g0n!
This passes some of the most complex rule systems out there, but could be cracked by a bot running on a low-grade PC in about 3 days…more sophisticated attacks would demolish this password.
This problem is summed up beautifully by the folks at xkcd.com (a wonderfully nerdy web comic).
The other problem with using what we consider to be complex password policies is, as the comic so elegantly shows: we forget them. And when we forget them, we put them in our little black book, save them in a password file…with a password, probably, or simply write them down on a sticky and put it under our keyboard or on our monitor.
The last offense is obviously an unacceptable breach of password protection, but the sys admin would have no one to blame but herself. She created a password policy that broke the end-user thus leaving a huge hole in their security.
How do we get around this as both consumers and IT professionals? Well, here are a few suggestions:
There are many other authentication solutions to fit many applications, but they don’t all belong in the conversation about our some-time friend the password, so please forgive me if I have left your favorites out of the list. I hope this helps all of you dancing the password polka!