
I have at least 6 computer programs I access frequently through my work that require variable frequency password updates. Two different x-ray viewing portholes, 2 different lab work checking programs, a profile login, and a program specific to a clinic I run.
The frequency with which these programs require a password update varies. I’ve managed to convince the IT guys who manage two of the programs to set my password to “never expires”, but in spite of that they still randomly ask me for a new password and I end up having to call IT again… but at least this is pretty infrequent. The most annoying program not only expects you to update its password every 3 months or so, it starts 2 weeks ahead stating, “your password will expire soon, do you want to update it now?” You’d think that doing this would buy you an extra 2 weeks, but in effect the opposite happens: you end up updating every 10 weeks.
I tried discussing this with the IT gurus who maintain this program. Not only did they refuse to set my password to never expire, but I got the usual bull $h*t answer: “it’s industry standard”. Which, as far as I’m concerned, is code for “fc*k off, ignorant one, we’re doing what we’re doing anyways”, even though there is no research to back up the claim.
I suppose the rationale for frequent password updates is that somehow it increases the security of the system. However, if one actually observes what’s going on with the end users, not only does it not improve security, I firmly believe it makes the program less secure. Why would I claim such heresy? Well, in the healthcare environment I work in, people forget their password, so they:
- Write it down: on their person, in their PDA or often even on the computer itself
- Add an incremental number to the last one e.g. blackbird 01, blackbird 02, blackbird 03 etc…
- Complain to their colleague, who obligingly says, “ohh, don’t worry about it, use my profile/password,” and either logs on for them or gives out their password.
- Use other people’s profiles/programs that have already been opened and left unattended
Each of these is less secure than a password that never expires. And I can assure you I see examples of one or more of these activities on a daily basis. The other outcome, which may benefit security but defeats the purpose, is that users (those who can) just stop using the program.
But why take my word for it? I have found several links, including one to high-tech security guru Gene Spafford, that support my argument.
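A defender-side check for the rotation pattern in the list above, added here as an example and not code from the original post: it rejects a new password that is just a prior one with a trailing counter bumped (blackbird 01 → blackbird 02), and computes the effective change interval that the “expires soon” prompt produces. The password history, the reject-on-variant policy and the 90-day/14-day figures are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample history (oldest first) of a user who "adds an
# incremental number to the last one" on every forced change.
SAMPLE_HISTORY = ["blackbird 01", "blackbird 02", "blackbird 03"]

# stem, optional separator (space/underscore/dash), trailing digits
_TRAILING_NUMBER = re.compile(r"^(?P<stem>.*?)[\s_-]*(?P<num>\d+)$")


def _split_stem(password: str) -> Tuple[str, Optional[int]]:
    """Return (stem, counter) for passwords ending in digits, else (password, None)."""
    m = _TRAILING_NUMBER.match(password)
    if not m:
        return password, None
    return m.group("stem"), int(m.group("num"))


def is_incremental_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only a trailing counter changed or added.

    Comparison is case-insensitive so "Blackbird 02" -> "blackbird-03" is caught.
    Identical strings are not variants (exact reuse is a separate check).
    """
    old_stem, _ = _split_stem(old.lower())
    new_stem, new_num = _split_stem(new.lower())
    return new_num is not None and old_stem == new_stem and old != new


def check_new_password(history: List[str], candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes the (assumed) policy:
    no exact reuse of any prior password, and no incremental variant of any prior one."""
    if candidate in history:
        return "reuse of a previous password"
    for prior in history:
        if is_incremental_variant(prior, candidate):
            return f"incremental variant of a previous password ({prior!r})"
    return None


def effective_rotation_days(expiry_days: int, warning_lead_days: int) -> int:
    """Days between changes when users act on the 'expires soon' prompt immediately.

    With a 90-day expiry and a 14-day warning the real cycle is 76 days: the
    warning shortens the interval instead of extending it, as the post observes.
    """
    return expiry_days - warning_lead_days
```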
I’d like to propose that everyone call their friendly neighborhood IT support person every time they have to log in to a program that automatically resets the password. Ask them to reset your password because you forgot it and can’t keep track of all the password changes. I have a feeling that if they got hundreds of such calls daily, they’d pretty soon change their “industry standard” to password never expires…