The other day I counted the number of passwords I use for various things on my computer at work. There are 26. They are all on different cycles. Some I am required to change monthly. Some quarterly, some never change. Some have a requirement to have a mix of capital letters and lower case, or numbers and letters, or both. They cover a variety of systems. There are three different purchasing systems (depending whether it is invoice based, credit card based, or a contractor). There is the HR system where I enter my annual leave, and the two different performance management systems. There is another system where I create contracts if I need to hire a new person. I’ve got another password for the spreadsheet each time I do the annual remuneration review for my team.
Unsurprisingly, I have a spreadsheet (password protected, of course) where I keep them all. I first created that spreadsheet after nearly shouting at a helpdesk person. After politely resetting my password (probably the third time I’d had to do that that month), he said, “have you thought of choosing a password that is easy to remember?”
I imagine that each time a new system was created, some very cautious IT or security person thought hard about the best way to keep that system secure. They had possibly been burnt by someone in the past giving away access. So they made sure the password had to change monthly, and that it couldn’t be too obvious.
But the end result is anything but secure. My brain cannot possibly hold all that information. I have to store it somewhere. And while I am at least cautious enough to have a password protected spreadsheet, the end result is that I have one password, which I never change, that gives me access to every one of those systems.
Security is often like this. When putting it together, you have to understand real people’s behaviour. If you make it too difficult, then it will be breached, not by the enemy (whoever they are) but by the people you are trying to keep secure, who can’t cope with it.