What does password security really mean?
Many systems are now delivered on the Internet to a variety of users. It is natural that these systems require account usernames and passwords. The designers often have the ability to specify security options. These seem to be designed to enforce security. The site designer can specify that passwords must be of a certain length, perhaps 6 or 8 characters. They can often specify that numbers are required as well as letters. Some systems enforce mixed upper and lower case characters. Others require that special characters must be included in passwords. The ultimate in a secured password will be something like this, (according to the logic behind the password rules):
This seems like a secure password. At least it passes the security checks. It is 8 characters long. There are mixed case letters. There are special symbols. The password does not contain a word, or part of a word, that can be found in a dictionary. Sounds great. Security is assured. Or is it?
Can you think of any problems with the above password? It looks secure. It fits the security rules. It's long enough, can't be guessed, contains special characters. All seems fine. There is a problem, though. It can't be remembered by most normal people. This will be especially true if the system forces passwords to be reset to new values every 90 or so days. Of course, the new password will be equally 'secure'. Something new like H&7mi*() will again fulfill the password rules. It will also be difficult, (or impossible), for the user to remember. What security is there then?
When the user forgets the password, they will have to call or click for assistance. They then have to go through the steps to establish their new password, 7Yy8*()!, (which they won't remember). Perhaps they will call a helpdesk and get a password over an unsecure phone line. At the very least, they will lose productivity, take time out of other people's day or use additional computer resources to reset the password. Some agencies track the number of times people forget passwords and have them reset. This brings about the final irony for supposedly secure passwords:
Given a very restrictive set of password rules, normal users will be inclined to write passwords down on paper, especially if there are consequences for those who request password resets!
Your system has the best password that can be enforced. Everyone has a SeQu#!() password. They can't be cracked using a dictionary based guessing program. They can't be remembered, however. The users write them down, usually on a piece of paper on their desk. They often put their username on the same piece of paper. Many times, they will email their password to themselves at their work address or to home or gmail. Now your incredibly secure password is garbage. When sent via email outside of the office, it is available to a very large number of systems and outside users. You'll never know who. The email message may also persist on servers for a very long time. This adds to the exposure of the password to outside people and further compromises the system security.
Unfortunately, people are the weakest link in the security of passwords. They have a lot of trouble remembering alphanumeric strings like @Rto82#(. They need the password, of course, to do their work. More and more agencies require employees to spend some or all of their work time on computers. Most of these now have usernames and passwords. Many of the systems require G8*7aes^ passwords. Employees just won't remember these strings. Can you?
Back at the top of this article, there was a secure password shown for illustrative purposes. It was long enough, had mixed case, symbols, numbers. It was a 'good' password that would pass most password checking requirements. Without looking up, can you remember that password? Be honest now. Can you remember what it started with? Can you even remember 1 character or number that it contained? To be fair, you weren't told to notice the password and you could hardly be blamed for ignoring it. You must have seen it, however, as it is quite plain in the text. It's all alone on a separate line. We can assume that nearly everyone would fail to remember that password. If they were told that they had to remember it, perhaps more people would get it right, or close to right. With computer security, however, most people having close security is not good enough. Passwords must be matched exactly.
Now passwords are absolutely required for many systems. Password rules must be implemented to help systems be as secure as possible. The problem is that people can't remember random strings of characters easily. Designers should understand this fact because they very often do not. To put it in terms that everyone can understand, though, you should remember the movie Ferris Bueller's Day Off. Even in that movie, made back in 1986, a computer user wrote down her password. It was changed periodically and each new password was written in the same place. It was then a laughable exercise for the intrude, (Ferris Bueller), to obtain the password. With it, he could make unauthorized changes to the system. In the movie, of course, no real damage was done but fraud was committed. In real life, who knows what effects may arise?
Then there is the lesson learned by the movie War Games of 1983. That computer, ("WOPR"), is ultra secure. Doubless, the password rules are very strict. In fact, the movie shows that the security is strict at every encounter. So strict, in fact, that the system designer created a back door into the system that is not subject to the installed security. Much like writing down passwords, this establishes a hole in the system. The true level of security is nothing like that envisioned by the designers.
It would not be reasonable to allow people to establish easy to remember passwords like Myname12 or similar. There has to be a balance between ultra security and simplicity for the users. Some systems have resorted to asking questions that are easy but which only the actual respondent would know. "What was the name of your first dog?". This type of system protection is actually far more secure that the Tr8*9@#3 password.