The other day I counted the number of passwords I use for various things on my computer at work. There are 26. They are all on different cycles. Some I am required to change monthly. Some quarterly, some never change. Some have a requirement to have a mix of capital letters and lower case, or numbers and letters, or both. They cover a variety of systems. There are three different purchasing systems (depending whether it is invoice based, credit card based, or a contractor). There is the HR system where I enter my annual leave, and the two different performance management systems. There is another system where I create contracts if I need to hire a new person. I’ve got another password for the spreadsheet each time I do the annual remuneration review for my team.
Unsurprisingly, I have a spreadsheet (password protected, of course) where I keep them all. I first created that spreadsheet after nearly shouting at a helpdesk person. After politely resetting my password (probably the third time I’d had to do that that month), he said, “have you thought of choosing a password that is easy to remember?”
I imagine that each time a new system was created, some very cautious IT or security person thought hard about the best way to keep that system secure. They had possibly been burnt by someone in the past giving away access. So they make sure the password has to change monthly, and that it can’t be too obvious.
But the end result is anything but secure. My brain cannot possibly hold all that information. I have to store it somewhere. And while I am at least cautious enough to have a password protected spreadsheet, the end result is that I have one password, which I never change, to give me access to the whole system.
Security is often like this. When putting it together, you have to understand real people’s behaviour. If you make it too difficult, then it will be breached, not by the enemy (whoever they are) but by the people you are trying to keep secure, who can’t cope with it.
This post is calling out for – a password manager! 26 passwords is about average for an internet user and you are right – it’s hard to remember all of them, whether they are easy or not. Here is a link explaining how online password managers can solve exactly the problem you’re having:
http://passpack.wordpress.com/2007/01/19/why-you-must-use-a-password-manager/
But please be careful about putting all your passwords on a spreadsheet. It is the easiest way for them to be compromised.
Hope this helps!
Louise (PassPack)
Oh I do use a password manager – at home. At work, I’m not provided with one (and can’t download non approved software). So I use a spreadsheet instead so that I don’t have to ring the helpdesk to reset a password every week, because each separate application manager maintains the fiction to themselves that by creating a difficult, often changed password, they have created greater security.
I’m feeling quite in tune with this post, especially as I spent several minutes on the phone today with one of my co-workers, trying to remember the password to an account that he needed to open while I was out in the field. Very frustrating.
(And PassPack’s credentials for being trusted with all my passwords are…?) We also have the monthly password cycle which means people just come up with some sort of system or go mad. I should probably use more passwords online than I do (I think there are eight I use in different combinations) but really…Then there’s the number of different IDs I use so eight different passwords with six or seven different sign-ons comes up with a much larger set of things to remember.
And then there are all the non-work passwords, such as passwords to register for various websites, including online newspapers and magazines, passwords to buy stuff online, etc etc. Like most people, I tend to use a combination of a limited number of words on all my password-requiring sites/computers, otherwise my brain would explode.
Yea, verily.
Bruce Schneier (http://www.schneier.com) claims that excellent security is obtained by thinking up a really obscure password, writing it down, and putting it in your wallet. “We’re all good at securing small pieces of paper”…. “writing down your impossible-to-memorize password is more secure than making your password easy to memorize,” he concludes.
He also wrote an application called PasswordSafe (widely available, open source so you can verify it as much as you need) which replaces your spreadsheet / wallet. It will generate an ugly password for you, and for computer logins you can select the entry and hit a button to get the password straight into your paste buffer – never seen on screen. Your IT department might be well served to analyze it or a relative and make this a standard app on desktops.
I have heard good things about PasswordSafe but – nerd cred! – I wrote my own.