Stop Using Password Policies from the CB Radio Era
Breaker breaker, are you required to have a “special” character in your password? Thank the UNIX password system of the 1970s, also the time of the CB radio craze in the BC (Before Cellphones) epoch.
The Web as we know it today started primarily on UNIX computers, and in the earliest days, web site accounts often were actual UNIX accounts. Shortcomings of the original UNIX password system included:
Policies written to address these weaknesses persist to this day, largely through IT inertia and a failure to recognize today’s biggest threat to password security: password re-use.
In the BC era, the largest risk to the password was from inside the organization: password cracking of your own password database, and password guessing on your own systems. These were the risks BC era policies addressed.
Today, most (but not all!) organizations store passwords with a slow, salted hash such as Bcrypt and rate-limit failed logins, which makes these risks largely moot. The risk has shifted to outside the organization.
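Here is what those two controls look like in code. This is an added example, not something from the original post: it uses the scrypt function in Python’s standard library in place of Bcrypt, so it runs without extra packages (Bcrypt itself needs the third-party `bcrypt` module), and the cost parameters and the “five failures in fifteen minutes” lockout policy are assumptions chosen for illustration.

```python
"""Added example: salted slow hash plus a failed-login limiter.

scrypt from the standard library stands in for Bcrypt here (assumption,
so the example runs with no third-party packages). The cost parameters and
the lockout policy are illustrative assumptions, not anyone's recommendation.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters (~16 MiB per hash)


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$digest' (hex fields) with a fresh 16-byte random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hashed once so that logins for unknown users cost the same time as real ones.
DUMMY_HASH = hash_password("dummy")


class FailedLoginLimiter:
    """Sliding-window limiter: refuse logins after max_failures within window seconds."""

    def __init__(self, max_failures: int = 5, window: float = 900.0):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures

    def _prune(self, user: str, now: float) -> None:
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_failures

    def record_failure(self, user: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        self._prune(user, now)
        self._failures[user].append(now)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(users: dict, limiter: FailedLoginLimiter,
                  user: str, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad'.

    The limiter is consulted before the slow hash so a locked-out attacker
    cannot keep burning our CPU; an unknown user still pays for one hash so
    response time does not reveal which usernames exist."""
    if limiter.is_locked(user, now):
        return "locked"
    stored = users.get(user)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        ok = False
    else:
        ok = verify_password(password, stored)
    if ok:
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user, now)
    return "bad"


if __name__ == "__main__":
    db = {"alice": hash_password("breaker-breaker-one-nine")}  # constructed sample account
    lim = FailedLoginLimiter(max_failures=3, window=60)
    for t, pw in [(0, "guess1"), (1, "guess2"), (2, "guess3"), (3, "breaker-breaker-one-nine")]:
        print(t, attempt_login(db, lim, "alice", pw, float(t)))   # bad, bad, bad, locked
    print(100, attempt_login(db, lim, "alice", "breaker-breaker-one-nine", 100.0))  # ok
```

Two details matter more than the hash choice: the limiter runs before the expensive hash, so a locked account cannot be used to exhaust server CPU, and the verification uses a constant-time comparison so a wrong guess cannot be told apart from a right one by timing. Neither control helps when the same password was also typed into a site that stores it in the clear, which is the point of the rest of this post.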
The average Internet-connected person has 56 accounts. Does that mean 56 different passwords? No. More likely the same password used 56 times. Require someone to create a complicated password, and they will naturally want to get the most out of it by using it for everything!
So the new risk is not from inside the data fortresses of large organizations, but from the tiny, poorly protected web sites where people have re-used the password from the fortresses.
The BC era password policies offer no protection against this risk.
Policies must address the password proliferation problem. The popularity of outsourced services has saddled employees with navigating a bumper-to-bumper traffic jam of passwords. Which of these do you have a password for?
Your password is only one voice in a chorus. Whether that chorus is mellifluous or cacophonous depends on providing password management tools. Mac users have a built-in advantage with Keychain. LastPass and 1Password are popular multi-platform solutions.
We got a mighty convoy rockin through the night.
[“Convoy” by C.W. McCall, 1975]
But why do we have to create our own passwords? We don’t ask employees to cut their own door keys or print their own ID badges. Why can’t we just be given good passwords? Passwords that are both hard to guess and easy to remember.
Back in the BC epoch, the only people using the UNIX computers were the programmers themselves. There was no IT group or help desk, so the programmers had to create their own passwords. There was literally no one else. Today we have IT departments, so this limitation no longer applies.
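As an added example (not code from the original post), here is how an IT department could issue such passwords: a passphrase generator that draws words from a list with a cryptographic random source and reports how much guessing resistance the result has. The tiny word list is constructed for the demo; in practice you would load a large published list such as the EFF long word list of 7776 words. The 72-symbol alphabet assumed for the “complex 8-character password” comparison is also an assumption.

```python
"""Added example: issue passphrases that are hard to guess but easy to remember.

Words are drawn with the `secrets` module (a CSPRNG), never `random`.
DEMO_WORDS is a constructed list for the demo; a real deployment would load a
large published list such as the EFF long list (7776 words, ~12.9 bits/word).
"""
import math
import secrets

# Constructed demo word list: 32 words, so exactly 5 bits of entropy per word.
DEMO_WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pencil",
    "quartz", "rocket", "silver", "tunnel", "umbrella", "violin", "walnut", "yellow",
    "zebra", "anchor", "bridge", "cactus", "desert", "falcon", "glacier", "harbor",
]

EFF_LONG_LIST_SIZE = 7776        # size of the EFF long word list
COMPLEXITY_ALPHABET = 26 + 26 + 10 + 10  # assumed: letters, digits, 10 "special" chars


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks from `alphabet_size` symbols.

    This is the work an attacker faces when guessing; it is independent of how
    'special' the symbols look, only how many there are to choose from."""
    return length * math.log2(alphabet_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=DEMO_WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random (with replacement) and join them.

    With replacement keeps every pick independent, so entropy_bits() is exact;
    the separator carries no entropy and is only there for readability."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_policies(target_bits: float = 64.0) -> dict:
    """Compare an 8-character 'complex' password with an EFF-list passphrase
    sized to reach target_bits. Returns rounded bit counts for both."""
    eff_words = words_needed(EFF_LONG_LIST_SIZE, target_bits)
    return {
        "complex_8char_bits": round(entropy_bits(COMPLEXITY_ALPHABET, 8), 1),
        "eff_words_for_target": eff_words,
        "eff_passphrase_bits": round(entropy_bits(EFF_LONG_LIST_SIZE, eff_words), 1),
    }


if __name__ == "__main__":
    n = words_needed(len(DEMO_WORDS), 64.0)
    print(f"{n} demo words give {entropy_bits(len(DEMO_WORDS), n):.1f} bits:",
          generate_passphrase(n))
    print(compare_policies(64.0))
```

The comparison is the point: eight characters drawn from a 72-symbol alphabet give about 49 bits even when every position is truly random (and human-chosen “P@ssw0rd1!” strings are far worse), while five words from a 7776-word list give about 65 bits and are something a person can actually carry in their head. Because the generator runs on the IT side, the words can be mailed or printed onto a badge slip the same way a door key is cut.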
So what should a modern AX (After UNIX) password policy look like?
Most CB radios went on to that great Highway in the Sky decades ago. Your BC era password policy deserves the same treatment.