Posts Tagged ‘passwords’

Publicising your Password Policy

I raised the following situation recently on Twitter, and from the feedback gained it appears that there are a lot of different viewpoints as to the ‘right way’ and ‘wrong way’ to handle password policies. 140 characters is never enough to explain the different sides fully, therefore here is a longer justification of the view that I put forward.

It’s fair to say that different sites have different password policies. This in itself is not a problem, as individuals have differing ideas on what constitutes a ‘secure password’, whether that relates to minimum and maximum lengths, requiring a certain combination of different character types, or only allowing the password to be made up of A-Z and 0-9.

Having such a policy should be second nature for any organisation; however, I’m finding an increasing trend of these policies only being displayed when either:

  • Setting a password, or
  • Re-entering a password having been told that the password you attempted to use didn’t meet the policy.

The one place that policies never appear to be specified is when a user is actually trying to log in, and this is an issue I’ve specifically noticed on one of the banking ‘3D secure verification’ IFRAMEs that appear (which in themselves are a security issue, as others have documented in the past). As a result, several times now I have ended up in the following situation:

  • I enter what I believe my password is, which happens to be 11 characters.
  • It is rejected, as it does not match the password stored. A reset is obviously needed.
  • I go through the reset process, entering various personal information, and also provide a new password.
  • I am told that my password does not meet the requirements, which involve a maximum length of 10 characters.

Now, at this point, I suddenly remember what my password is; but look at the process I’ve had to go through in order to reach that stage. It has slowed me down significantly, it has frustrated what should be a simple process and it has lowered my opinion of the organisation providing that service. Other people may have simply given up, and thus a sale is lost.

So – can someone tell me why a company should not publicise its password policy? Considering that they are often freely given on ‘sign up’ pages, why – user interface issues aside – can they not be displayed on sign-in as well?
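One way to make the policy available on every password form, shown here as an added example that is not code from the original post: keep a single policy object that both renders its rules as text (for the sign-up, reset and sign-in pages alike) and enforces them, so the wording the user sees and the check the server applies can never drift apart. The `PasswordPolicy` class, the `BANK` policy with its 10-character maximum, and the sample passwords are all constructed for this illustration; the post only states that the site in question capped passwords at 10 characters.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """One definition of the rules, so that sign-up, reset and sign-in all
    display and enforce exactly the same thing (hypothetical class)."""
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = False
    require_digit: bool = False
    # Optional regex character class (e.g. "[A-Za-z0-9]"); None allows any character.
    allowed_class: Optional[str] = None

    def _checks(self) -> List[Tuple[str, Callable[[str], bool]]]:
        """Each rule as (human-readable description, predicate). The description
        is the only source of the text shown to users, so display and
        enforcement cannot disagree."""
        checks: List[Tuple[str, Callable[[str], bool]]] = [
            (f"between {self.min_length} and {self.max_length} characters long",
             lambda p: self.min_length <= len(p) <= self.max_length),
        ]
        if self.require_upper:
            checks.append(("at least one upper-case letter",
                           lambda p: re.search(r"[A-Z]", p) is not None))
        if self.require_digit:
            checks.append(("at least one digit",
                           lambda p: re.search(r"[0-9]", p) is not None))
        if self.allowed_class is not None:
            cls = self.allowed_class
            checks.append((f"only characters from {cls}",
                           lambda p: re.fullmatch(f"{cls}*", p) is not None))
        return checks

    def rules(self) -> List[str]:
        """Rule list suitable for printing next to any password field."""
        return [desc for desc, _ in self._checks()]

    def violations(self, password: str) -> List[str]:
        """Rules the candidate breaks; an empty list means it complies."""
        return [desc for desc, ok in self._checks() if not ok(password)]

    def login_hint(self) -> str:
        """Text for the sign-in form, so a user who is told 'wrong password'
        can see at once whether what they typed was even a valid password."""
        return "Passwords on this site are " + "; ".join(self.rules()) + "."


# Constructed policy modelled on the post's scenario: a 10-character cap.
BANK = PasswordPolicy(min_length=6, max_length=10, allowed_class="[A-Za-z0-9]")


def explain_rejection(policy: PasswordPolicy, typed: str) -> str:
    """Message to show beside a failed sign-in. The policy is public (it is on
    the sign-up page anyway), so telling the user their attempt could never
    have matched reveals nothing about the stored password."""
    broken = policy.violations(typed)
    if broken:
        return ("That cannot be your password for this site; passwords here are "
                + "; ".join(broken) + ".")
    return "Incorrect password."


if __name__ == "__main__":
    print(BANK.login_hint())
    print(explain_rejection(BANK, "Elevenchars"))   # 11 characters, as in the post
    print(explain_rejection(BANK, "Tenchars10"))    # fits the policy, so a plain mismatch
```

A practical note on the cap itself: a 10-character maximum is a poor policy regardless of where it is displayed, since it limits the strength a user can choose; current guidance such as NIST SP 800-63B asks sites to accept at least 64 characters. Displaying the rules on sign-in does not make a weak cap stronger, it only stops users from being misled by it.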


The Password Spreadsheet

February 16, 2011

Is a company’s efficiency worth the loss of its security?

Companies exist, for the most part, to make money. The more efficiently a company can run, the more money it has the potential to make. It is management’s responsibility to lead this efficiency, and to decide how this efficiency can be achieved. Often it is through simple streamlining of existing processes, but occasionally decisions are made that can lead to compromises in other areas.

One such compromise is the Password Spreadsheet, common to a large number of companies. Safe enough in small companies, which are driven by trust and talent, but a danger in large ones.

The reasoning behind the spreadsheet’s existence is simple enough, and is generally caused by the strength of the security that exists within the systems that the company is responsible for. The MD of a client has phoned to complain about an issue with their system and needs it investigating immediately; unfortunately, the person taking the call has no access. This is flagged as an issue, and (as with all problems in large companies) heads upwards through the management chain with all the speed that a zombie attack lacks.

Eventually, it arrives at someone who realises that this might be a wider problem; after all, the company has a number of different client systems that different people might need access to in the future. Security takes second place behind ensuring that the business is kept as efficient as possible, as the decision is made that all user accounts for all systems should be stored in one location for everyone to access.

Next time the call comes through, the company may be able to react slightly faster. But the cost of that ability is security; not of the company’s own systems, but of those that are entrusted to it.

Categories: Security