
Strong Password Policies Make Us Less Secure

January 3, 2020

Remember floppy drives? For anyone under the age of. . .old, floppy disks were like small thumb drives. They weren’t super small, in fact they were quite large. They started out as 8″ in diameter and they held about 4K of data. Not 4GB or even 4MB. Instead it was four kilobytes.

As the disks got smaller, their capacity got bigger. The 5 1/4 drives could hold 256k and when they went to 3 1/2″ the capacity jumped to 1.2MB. That was about the largest capacity floppies could get to. The 3 1/2″ floppy is the “save” symbol in most programs.

I remember when computers stopped coming equipped with floppy disks. To this day there are programs, and especially files that I have on floppy disk. But, technology marches on. Floppy drives were replaced with CD drives. And DVD drives, but honestly no one noticed when the CD drive morphed into the DVD drive. Seriously, no one really paid any attention.

Eventually even DVD drives were rendered obsolete. Computers no longer come with DVD drives. It’s all about USB drives now. Except that Apple devices stopped using even USB drives. They switched to the Lightning port and now the newest iPhones don’t even have that.

What’s this have to do with passwords?

More than you might think.

When I worked for WordPerfect we had a program as part of our tools suite that was a file manager. This was before the days of Windows and its built-in file manager. The way you accessed files was via what today is called the command prompt. You had to ask the operating system (called DOS, or disk operating system) each time you wanted to see files in a folder, which were called directories. (Wow, this explanation is taking way longer than I thought it would.) Anyway, our file manager allowed you to visually display what was in a directory. It was still text based, but better than DOS only.

Our programmer decided to add a password feature. You could protect the system from letting people view, or worse delete entire directories. The problem was the programmer made the password field case sensitive. It wasn’t enough to say my password is “fishsticks.” You had to remember that you didn’t capitalize the first letter of “fishsticks.” I worked in support and crazy as this may sound, this was a real issue for people. Seriously. It was so bad that eventually we convinced the programmer to make the password case insensitive. So, FISHSTICKS, fishsticks and fIsHsTiCkS were all the same password.

We were so proud of ourselves. And we were so naive. Just as storage devices experienced a transformation as the IT industry evolved, so did password practices.

Today, most sites encourage, if not require, strong passwords. Companies, of course, also require strong passwords from their employees. For example, my company requires 14-character passwords, with a mix of upper, lower and special characters. And we have to change it every 90 days. Oh, and we can’t reuse a password that we’ve used in the past year.

The company could implement even more security. For example, they could forbid dictionary words in a password. When you have to have a 14-character password, it’s helpful to have a pattern. For example, your password might be a phrase, “Ilikefishsticks.” You need the number and special characters, of course. “Ilike2fishsticks!” That’s a good password phrase because when I have to change it, I can simply advance the number. “Ilike3fishsticks!” “Ilike4fishsticks!” and so on.

If my company forbade dictionary words it would make it much harder to remember a unique 14-character password that changes every 90 days.

Why is it important to be able to sequentially add numbers? So you can remember your passwords. If you recently changed your password and you forget it, you’ll get an error. If you’re using a sequential pattern, you simply move on to the next number.

There are other restrictions that passwords can be bound by. They can forbid you from using my sequential trick. They can compare your current password to your previous ones and ensure you don’t have too many characters the same.
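To show how the rules described above fit together (the complexity mix, the one-year reuse history, and the “too many characters the same” comparison that blocks the sequential-number trick), here is an added example in Python. It is not code from this post or from any particular company’s system; the thresholds, the helper names and the sample passwords are constructed for illustration. One practical point it makes explicit: the new password can only be compared character-by-character against the current one, because the user supplies both in plaintext at change time, while older history entries exist only as hashes and can only be checked for exact reuse.

```python
"""Toy password-change policy: complexity, reuse history, and similarity to the current password.
Added example with constructed policy values; not any real organization's rules."""
import hashlib
import string
from difflib import SequenceMatcher

MIN_LENGTH = 14          # constructed: the post's 14-character minimum
MAX_SIMILARITY = 0.8     # constructed: fraction of characters shared with the current password
HISTORY_SIZE = 4         # constructed: roughly one year of 90-day rotations


def password_hash(pw: str) -> str:
    """Demo only: a real system stores a salted, slow hash (bcrypt/argon2), not bare SHA-256."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def complexity_failures(pw: str) -> list[str]:
    """Return every complexity rule the candidate password breaks (empty list = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    return failures


def similarity(a: str, b: str) -> float:
    """Ratio of matching characters between two strings, 0.0 to 1.0.
    Changing one digit inside a long phrase barely moves this number."""
    return SequenceMatcher(None, a, b).ratio()


def evaluate_change(current: str, new: str, history_hashes: list[str]) -> list[str]:
    """Return the reasons a password change is rejected; an empty list means it is accepted.

    `current` is the plaintext the user just typed to prove they hold the old password,
    `history_hashes` holds hashes of the last HISTORY_SIZE passwords (including the current one).
    """
    reasons = complexity_failures(new)
    # Exact reuse of anything in the history window is detectable from hashes alone.
    if password_hash(new) in history_hashes[-HISTORY_SIZE:]:
        reasons.append("reused a password from the history list")
    # Character-level comparison is only possible against the current password,
    # because that is the only old password available in plaintext right now.
    sim = similarity(current, new)
    if sim > MAX_SIMILARITY:
        reasons.append(f"too similar to the current password ({sim:.0%} shared)")
    return reasons


if __name__ == "__main__":
    current = "Ilike2fishsticks!"                      # constructed sample, from the post's pattern
    history = [password_hash("Ilike1fishsticks!"), password_hash(current)]
    for candidate in ("Ilike3fishsticks!", "Ilike2fishsticks!", "Paella-on-Tuesday-42"):
        verdict = evaluate_change(current, candidate, history) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Running it shows the advanced-by-one phrase rejected at about 94% shared characters, the unchanged phrase rejected for both reuse and similarity, and an unrelated passphrase accepted. The similarity rule is what the post calls “too many characters the same”; it is the one check in this set that the sequential trick cannot route around.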

Why wouldn’t you want to do that? It’s all about security, isn’t it?

I recently had to factory reset my phone. (Android, not iPhone, but doesn’t matter.) I had to reinstall the apps that I use on a daily basis. But, since they are on a secure device, I entered the password once and then told it to not ask for the password again on that device. Many of those apps have strong password policies.

You know what happened, right?

I didn’t remember those passwords. Of course, each one has an option to recover my lost password. Except I couldn’t recover the password. Nope. I could only reset it. And I couldn’t set it to the same password I’d used previously. So, with my sequential trick, I had to move to the next number. Except for the systems that decided I had too many similar characters.

Like you, I have dozens of accounts: LinkedIn, Facebook, email (5 different accounts), VPN, WordPress, PayPal, Venmo, my bank, and so on. And every one of them has a strong password policy.

Here’s where it gets non-intuitive. The systems with the most restrictive policies are the ones that I struggle with the most, both in setting and remembering the passwords. So, those systems are the most likely to get written down, or turned into something more “hackable.”

My company has a single sign-on policy. It doesn’t matter how many different servers or systems I have to access at work, they all share the same login and password. Is it more secure than having every system with its own separate password? Absolutely. I have to keep track of one password. I’m not likely to lose track of that one password.

The downside, of course, is that if someone gets that one password they have access to all of my systems. But, it’s a worthwhile compromise. It’s like your house: you lock the front door, but you probably don’t lock every door inside the house. You also most likely do not have multiple locks with different keys on your front door.

IT systems should be the same way. Strong passwords are important. But, if companies go overboard in the restrictiveness of their processes, they are putting at risk the very systems they are trying to protect.

Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren.

Follow him on
Twitter (@rodneymbliss)
Facebook (www.facebook.com/rbliss)
LinkedIn (www.LinkedIn.com/in/rbliss)
or email him at rbliss at msn dot com

(c) 2019 Rodney M Bliss, all rights reserved
