Generally I despise information security measures that are so strict the computer users basically have to resort to using old Selectric typewriters to get any work done.
Password enforcement is one area where I roll my eyes a lot. A good, reasonable password strength policy is appropriate, no question. However, the stricter the policy, the greater the probability that users will end up writing their hard-to-remember passwords on a sticky note stored under their keyboard, and then, of course, security is worse than if you had allowed certain patterns or longer modified words.
Then I read this article posted on ZDNet.
From the article:
Key findings include:
- In just 110 attempts, a hacker will typically gain access to one new account every second, or a mere 17 minutes to break into 1000 accounts
- About 30% of users chose passwords whose length is equal to or below six characters
- Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.
One thing I definitely recommend is forcing passwords to be longer than 8 characters. Even HomerSimpson changed to H0m3&s!mP$i is a great password, and one that a user who prefers typing HomerSimpson can more easily remember. If you or someone you know creates password policies that strict, I would consider taking a stroll through your users’ offices and cubicles and looking under keyboards. I’d also consider easing up on your password policies if you find passwords written down. Of course I’m not telling you anything you don’t already know.
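To make the recommendation concrete, here is an added example (not from the post or the ZDNet article) of a small password-policy check that encodes the post's "longer than 8 characters" rule and rejects the weak patterns the findings above describe: a limited character set, dictionary words, consecutive digits and runs of adjacent keyboard keys. The word list, the keyboard rows, the three-of-four character-class threshold and the four-key run length are constructed assumptions, not values from the page; a real deployment would use a full common-password list.

```python
import string

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = {
    "password", "homersimpson", "homer", "simpson", "letmein",
    "welcome", "dragon", "monkey", "football",
}
# Physical keyboard rows used to spot runs of adjacent keys (assumption).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 9      # the post's "longer than 8 characters"
MIN_CLASSES = 3     # assumption: at least 3 of lower/upper/digit/symbol
RUN_LENGTH = 4      # assumption: 4 adjacent keys in a row counts as trivial


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password draws on."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes)


def is_trivial_digits(pw: str) -> bool:
    """All-digit passwords that step by 0, +1 or -1 (111111, 123456, 654321)."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})


def has_keyboard_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if any n consecutive characters are adjacent keys on one row, in either direction."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(low[i:i + n] in row
               for i in range(len(low) - n + 1)
               for row in rows)


def check_password(pw: str) -> list:
    """Return the policy rules a candidate fails; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if character_classes(pw) < MIN_CLASSES:
        reasons.append("limited character set")
    if pw.lower() in COMMON_WORDS:
        reasons.append("dictionary word")
    if is_trivial_digits(pw) or has_keyboard_run(pw):
        reasons.append("trivial pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, including the two from the post.
    for candidate in ["123456", "HomerSimpson", "qwerty123", "H0m3&s!mP$i"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Run as a script it flags 123456 on three counts, rejects HomerSimpson as a dictionary word drawn from too few character classes, catches the keyboard run in qwerty123, and accepts H0m3&s!mP$i, which is the trade the post is arguing for: a policy that a user can satisfy with a memorable mutation of a word rather than one that drives them to the sticky note.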