
All passwords are weak

Far too much time is spent worrying about whether passwords are strong. The main weakness of a password is not the string that defines it but the human being who has to remember it. In short, all passwords are weak, and that weakness has nothing to do with length, character complexity, or password change rules.

Recently I got an email from someone I am close to which included his new password. It was not accidental or coerced – he simply mentioned it in his email (which went to about 5 or 6 people, myself included), as part of a funny anecdote. Now this person is not stupid. He is a practicing lawyer who works for the state government and has argued several times in front of his state supreme court. As a security professional I felt it my duty to inform him of the necessity of protecting passwords, but I know that it did no good. He reacted nonchalantly and simply did not seem to care. (It is also clear that he is not alone.)

IT folks have a tendency to blame the employee who gave out (or wrote down) a password, but the fault cannot ultimately lie with them. Competent clerks, secretaries, lawyers, doctors, and others who were born a generation before the explosion of the internet cannot be expected to be experts in IT security, or even to understand anything about IT. The fault belongs to the people who architected the system and placed everyday users in the front line against attackers. I hate to harp on a single topic, but security systems must be transparent to be effective. The front line of defense against attacks should not be the users; it should be the trained security professionals. Making the least qualified people the first line of defense against attackers will always be a losing position.
