Commonly accepted best practice on password security is that passwords should be complex, changed frequently and never written down. Complexity (a minimum of eight characters drawn from upper case, lower case, digits and special characters) increases the work an attacker must do to crack the password; regular change limits the window in which a password that has been inadvertently revealed can be misused. The easiest way into a computer or network is, of course, via the password that has been written down and stored somewhere convenient: on a post-it note under the keyboard, behind the screen or in an unlocked drawer.
And, of course, the more complex the password and the more frequently it has to be changed, the more likely users are to forget it, and to write it down. And we're not just talking about business users here: our experience is that many seasoned IT and information security professionals resort to writing passwords down, not least because we increasingly combine regular change with a growing number of passwords, each of which has its own rules.
And it is those differing rules that make it difficult to use one strong password across all the applications and websites to which one has access (reusing one password everywhere is, in any case, a risk of its own: a single breached site exposes every account that shares the password).
So there is the information security manager's dilemma when dealing with user system access: enforce frequent password changes, enforce complexity, block reversion from new to old passwords, block password sequencing (Password1, Password2 and so on) and all those sensible things, and you increase the likelihood of passwords being written down, potentially making unauthorised system access even easier.
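As an added illustration of the controls listed above (example code, not from the original post), here is a password-change checker that enforces complexity, blocks reversion to any password in the stored history and detects simple sequencing. The thresholds (eight characters, four character classes, a twelve-entry history), the stem-based sequencing heuristic and the PBKDF2 storage of the history are assumptions chosen for the example, not anything the post prescribes.

```python
"""Password-change policy checker: complexity, reversion and sequencing.

Added example, not the original post's code. Thresholds and the sequencing
heuristic are assumptions for illustration.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8            # assumed: the "8 characters" of the post's complexity rule
HISTORY_DEPTH = 12        # assumed: how many previous password hashes are retained
PBKDF2_ROUNDS = 100_000   # assumed work factor for PBKDF2-HMAC-SHA256

CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def hash_password(password, salt=None):
    """Return a (salt, digest) tuple suitable for storing in the history."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_entry(password, entry):
    """Constant-time check of a candidate against one stored (salt, digest)."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def complexity_violations(password):
    """List every complexity rule the password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"no {name} character")
    return problems


def stem(password):
    """Lower-cased password with trailing digits and symbols removed.

    'Winter2023!' and 'winter2024$' both reduce to 'winter', which is how a
    sequenced password (same word, incremented suffix) is recognised."""
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def evaluate(new_password, current_password, history):
    """Return the list of policy violations for a proposed change (empty = allowed).

    `history` holds (salt, digest) tuples for the current and earlier passwords,
    newest first. `current_password` is the plaintext the user typed to
    authenticate the change, so sequencing can be checked against it."""
    violations = complexity_violations(new_password)
    if new_password != current_password and stem(new_password) and stem(new_password) == stem(current_password):
        violations.append("sequenced from the current password")
    if any(matches_entry(new_password, entry) for entry in history):
        violations.append(f"reuses one of the last {len(history)} passwords")
    return violations


def change_password(new_password, current_password, history):
    """Apply the change and return the updated history, newest first, capped at HISTORY_DEPTH."""
    violations = evaluate(new_password, current_password, history)
    if violations:
        raise ValueError("; ".join(violations))
    return [hash_password(new_password)] + history[: HISTORY_DEPTH - 1]


if __name__ == "__main__":
    # Constructed sample: current password 'Winter2023!' plus two older ones in the history.
    history = [hash_password(p) for p in ("Winter2023!", "Autumn2023!", "Summer2023!")]
    for candidate in ("Winter2024!", "Autumn2023!", "short1!", "Tr0ub4dor&3"):
        print(candidate, "->", evaluate(candidate, "Winter2023!", history) or "accepted")
```

The history is kept as salted PBKDF2 hashes rather than plaintext, so a reversion check costs one hash per retained entry; the sequencing check is the one rule that needs the current plaintext, which is available at change time because the user must authenticate with it.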
The solution, for me, is to insist on password complexity but to enforce change only infrequently: certainly no more than once a quarter and, perhaps, no more often than once a year, with an immediate forced change whenever there is evidence that a password has been compromised.