Password Policies

Password policies are dumb.

OK, well, maybe not always. But overly complex password policies are dumb. For example, the Tennessee Board of Regents – the governing body over my institution, East Tennessee State University – has recently instituted the following policy:

  • The password must be at least 8 characters.
  • The password must use characters from three of the following four categories:
    - English UPPER CASE characters (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
    - English lower case characters (abcdefghijklmnopqrstuvwxyz)
    - Numerals (0123456789)
    - Non-alphanumeric characters (!@#$%^&*()-_=+{[}]\|;:,< .>/?)
  • The password must not contain three or more characters from your domain account name. For example, if your domain account name is “SMITHJJ”, you can use up to two characters from “h,i,j,m,s,t”.
  • The password must not contain any portion of your full name that is three or more characters long. For example, if your full name is “John L. Smith”, your password cannot contain “john” or “smith”. If your full name is “John Lawrence Smith”, your password cannot contain “john”, “smith”, or “lawrence”.

Think that’s bad? It gets worse:

  • Your domain password will expire every 90 days.
  • You can change your password sooner, but no more than once per day.
  • Your new password cannot be a password that you have used in the past 10 password changes.
  • If you fail five times to login within a 30-minute period, your account will be locked for five minutes.
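The two lists above are, taken together, a rule set that a system can check mechanically. The following validator is an added example written for this page; it is not the Board's software or anything from the original post. It follows the policy text literally, reading the account-name rule the way the SMITHJJ example does (the password may contain at most two characters drawn from the set of letters in the account name) and the name rule as "no name fragment of three or more letters may appear, regardless of case". The sample account name and candidate passwords are constructed.

```python
import re

# The four character categories, exactly as the policy lists them.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIAL = set("!@#$%^&*()-_=+{[}]\\|;:,< .>/?")
CATEGORIES = (UPPER, LOWER, DIGITS, SPECIAL)

MIN_LENGTH = 8
MIN_CATEGORIES = 3
MAX_ACCOUNT_CHARS = 2   # "you can use up to two characters from h,i,j,m,s,t"
MIN_NAME_PART = 3       # name fragments of three or more letters are forbidden
HISTORY_DEPTH = 10      # "the past 10 password changes"


def categories_used(password):
    """Number of the four character categories that appear in the password."""
    return sum(1 for cat in CATEGORIES if any(ch in cat for ch in password))


def name_parts(full_name):
    """Name fragments of three or more letters, lower-cased.

    'John L. Smith' -> ['john', 'smith']   (the initial 'L' is too short to count)
    """
    return [p.lower() for p in re.findall(r"[A-Za-z]+", full_name) if len(p) >= MIN_NAME_PART]


def account_char_overlap(password, account_name):
    """How many password characters are drawn from the letters of the account name."""
    allowed = set(account_name.lower())
    return sum(1 for ch in password.lower() if ch in allowed)


def check_password(password, account_name, full_name, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    `history` holds previously used passwords, oldest first (in a real system these would
    be hashes, not plaintext; plaintext is used here only to keep the example short).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if categories_used(password) < MIN_CATEGORIES:
        problems.append("uses fewer than %d of the four character categories" % MIN_CATEGORIES)
    overlap = account_char_overlap(password, account_name)
    if overlap > MAX_ACCOUNT_CHARS:
        problems.append("contains %d characters from the account name %r" % (overlap, account_name))
    lowered = password.lower()
    for part in name_parts(full_name):
        if part in lowered:
            problems.append("contains the name fragment %r" % part)
    if password in history[-HISTORY_DEPTH:]:
        problems.append("was used within the last %d password changes" % HISTORY_DEPTH)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, reusing the names from the policy text.
    for candidate in ("Smith2024!", "Ridge!Lamp77", "password"):
        print(candidate, check_password(candidate, "SMITHJJ", "John L. Smith") or ["OK"])
```

Running it shows how restrictive the account-name rule is in practice: with the letters s, m, i, t, h and j off limits beyond two uses, a great many ordinary English strings are rejected before the name and complexity rules are even considered, which is part of why users end up writing the surviving candidates down.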

This is completely asinine. I don’t have time to deal with this kind of bullshit every 90 days, and most of their new policy is worthless. Here’s why:

Generally, there are two methods of breaking into a specific user account: (1) find out what the user’s password is through social engineering and/or other means, such as breaking into their office and searching for a post-it note with the password and (2) a “brute force” technique, which means simply trying passwords – usually generated from dictionary words – until access is granted (software can automate this process and make it very efficient).

The last measure listed above – “if you fail five times to login within a 30-minute period, your account will be locked for five minutes” – takes out the brute force method, which is 99% of the battle. The only thing left is the notion that someone might come across a written record of a specific user’s password, and ideally, the damn thing wouldn’t be written down anywhere in the first place because the protocol governing password length and complexity would be flexible enough that it wouldn’t be necessary to record it anywhere.
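To make the lockout argument concrete, here is an added example (not from the post or the Board) of the five-failures-in-thirty-minutes rule as a sliding-window counter, plus a small simulation that counts how many online guesses the rule lets through in a day. The policy text does not say whether the failure counter restarts after a lock expires; this code assumes it does, which is the more permissive reading. Account names and timestamps are constructed. Note that this throttle only limits guessing against the live login service; it does nothing for password hashes that have been copied off the system and cracked offline, which is why length and complexity still matter on their own.

```python
from collections import deque

FAILURE_WINDOW = 30 * 60   # failures are counted over a 30-minute window
FAILURE_LIMIT = 5          # the fifth failure inside the window locks the account
LOCKOUT = 5 * 60           # ... for five minutes


class LockoutTracker:
    """Per-account failed-login counter implementing the five-in-thirty-minutes rule."""

    def __init__(self):
        self.failures = {}      # account -> deque of failure timestamps (seconds)
        self.locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Register a failed login at time `now`; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        stamps = self.failures.setdefault(account, deque())
        stamps.append(now)
        # Drop failures that have fallen out of the 30-minute window.
        while stamps and now - stamps[0] > FAILURE_WINDOW:
            stamps.popleft()
        if len(stamps) >= FAILURE_LIMIT:
            self.locked_until[account] = now + LOCKOUT
            stamps.clear()   # assumption: the counter restarts once a lock has been applied
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for that account."""
        self.failures.pop(account, None)


def guesses_per_day(account="smithjj", day=24 * 60 * 60):
    """Count how many wrong guesses the login service would actually evaluate in one day
    if every guess were wrong and submitted as fast as the lockout allows."""
    tracker = LockoutTracker()
    t, evaluated = 0, 0
    while t < day:
        if tracker.is_locked(account, t):
            t = tracker.locked_until[account]   # nothing to do but wait out the lock
            continue
        tracker.record_failure(account, t)      # every guess is wrong in this simulation
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated per day under the policy:", guesses_per_day())
```

The simulation comes out at five guesses per five-minute lock cycle, or 1440 guesses per day against a single account, which is far too few for a dictionary run against a reasonably chosen password but still enough to try the handful of very common passwords, so the rule complements rather than replaces the length minimum.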

For example, I have a couple of passwords which I use at sites I don’t really care much about (message boards, IM accounts, etc.). These are easy to remember, universal, and decently strong (but not so strong that they’re impossible to remember). For more important accounts – my bank’s web site, credit card sites, etc. – I’ve memorized an algorithm which allows me to determine my password for any web site based on a variety of factors which vary from site to site (the number of vowels in the site’s domain name, for example). This is more than sufficiently complicated, and because it varies from account to account, it affords a high level of security. Best of all, it is not written down anywhere. Essentially, I have all the advantages of a memorized password I use everywhere, but in a manner which varies depending on the web site I’m using (this is actually Steve Gibson’s idea – I figure it’s safe to take advice from any guy who still programs in assembly).

This is all shot to hell with the TBR’s new password policy, though, as it doesn’t meet all the requirements stated above. Their paranoid demands mean that in order to make sure that I never forget my absurdly complicated password, I will be writing it down on a piece of paper which I will store somewhere in my office, as well as on my person. I will do this because I’m a busy guy, and I don’t have time to deal with our IT department every time I forget what my password is. Because the damn thing expires at least once every semester, it’s not like I can just come up with an absurdly complicated string and keep using it. Moreover, I can’t alternate between two absurdly complicated strings every 90 days. Or three absurdly complicated strings. Or nine. This means that I have to come up with a new, unique password every time. As a result, I’ll also be using dictionary words to make things easier on myself (a BIG password no-no).

In short, the Tennessee Board of Regents has managed to come up with a password policy which is the worst combination of both inconvenience and lack of real-world security.

Instead, they should do the following:

  1. Keep the 5x failure policy, the 8-character minimum, and the business about the password not resembling your name or user name.
  2. Allow users to alternate between two or three passwords (ditch the “past 10 password changes” bullshit).
  3. Require password changes no more than twice a year, say, at the beginning of Fall and Spring semesters.

This whole thing illustrates a huge problem with the tech industry, IMHO: Engineers and system administrators are under the deluded impression that the general public thinks like… well… engineers and system administrators. They don’t, thank God – nor should they – and password policies should recognize this basic fact.


2 Responses to “Password Policies”  

  1. John Lawrence Smith

    Sean, why is this particular entry using my name as an example (supposedly penned by the Tennessee Board of Regents – yeah, right) as to the dos and don’ts of password utilization? I find it curious that you are associated with East Tennessee State University, which is my alma mater. Do I owe some money to you fellows or what? Sincerely, John Lawrence Smith

  2. John Lawrence Smith

    Glad to be back, thank you.
