Let me narrate a small story here to show you how a server administrator and an Information Security Officer (ISO) of an organization struggle to protect organization assets.

The ISO of the organization has a written password policy, and it says that user passwords should be:

• minimum of 8 characters long
• locked out after 3 failed attempts
• expired once every 45 days
• a combination of uppercase, alphanumeric and special characters

The policy is handed over to the server administrator and implemented across the organization.

Now who is the sufferer…??? The end user, who used to put in passwords such as password, date of birth, chicken65, wonder girl, or the name of a wife, son or daughter, now has to choose a complex password, or a combination of these passwords with a special character embedded somewhere.

Finally the user comes out with a password like this:

Password291173$

What a mess. Now this password is valid for 45 days only as per the policy. After 45 days the user, with great difficulty, remembers the password, or his fingers are already used to going to these letters automatically when the screen reads Password at logon.

Ok. The password expires after 45 days and now the user has to choose a new password to move forward. These users are also very smart. They think about how to overcome this process, because by now they have already got used to the old password and cannot imagine remembering a new one. So the user would obviously choose a password like this:

Password291173%

Now the user does not want to remember the new password, because he is used to the old one. He has met the policy requirement to change the password once in 45 days, so now he reverts to the old password by doing Ctrl+Alt+Del -> Change Password and changing it back to:

Password291173$

Ok. Both are happy, I mean the administrator and the user. The ISO somehow finds that this is not working. It is not serving the purpose, and some more control needs to be put in. The ISO now decides to enhance the policy and says that the server password policy should keep a history of the last 5 passwords that the user has used and should not allow the user to use any of them again.

Ok. Now the scenario that I mentioned above will not work. These users are very smart. Now they come out with another solution to overcome this problem and keep the old password. When the system prompts them to change their password after 45 days as per the policy, the user does this:

Password291173$ - original password

Ctrl+Alt+Del -> Change Password -> Password291173$1 - changed to new
Ctrl+Alt+Del -> Change Password -> Password291173$2 - second change
Ctrl+Alt+Del -> Change Password -> Password291173$3 - third change
Ctrl+Alt+Del -> Change Password -> Password291173$4 - fourth change
Ctrl+Alt+Del -> Change Password -> Password291173$5 - fifth change
Ctrl+Alt+Del -> Change Password -> Password291173$6 - sixth change

All this done in about 10 minutes.

Remember, the system will hold a history of 5 passwords only. The user now comes back to his old password and sets it as:

Password291173$

Now the ISO finds that this is not working again. So some more control is added: now the user cannot change the password for the next two days after the first change. In this case, if I have to come back to the old password as shown above, it would take me 12 days, which is now more tedious for the user. This is when the user starts blaming the IT department, cursing the ISO, etc.
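To make the arithmetic of the story concrete, here is a small model of the server-side checks (my own added illustration, not code from the original post or from any real product): the complexity rule, a history of the last five passwords, and an optional minimum password age. `cycle_back` replays the user's six-change trick and reports whether the original password comes back and how many days it takes; the day counting, the candidate strings and the 60-day give-up limit are assumptions of the model.

```python
MIN_LENGTH = 8
HISTORY_SIZE = 5   # the policy remembers the last 5 passwords
MAX_AGE_DAYS = 45  # a password expires after 45 days

def is_complex(pw: str) -> bool:
    """Policy rule: at least 8 chars with uppercase, lowercase, digit and special character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

class Account:
    """Toy model of the server-side checks; a real system stores hashes, not passwords."""
    def __init__(self, password: str, changed_on: int, min_age_days: int = 0):
        self.history = [password]        # oldest first, current password last
        self.changed_on = changed_on     # day number of the last change
        self.min_age_days = min_age_days # 0 means no minimum password age

    @property
    def current(self) -> str:
        return self.history[-1]

    def change_password(self, new_pw: str, today: int):
        """Return None when the change is accepted, else the name of the rule that refused it."""
        if not is_complex(new_pw):
            return "complexity"
        if new_pw in self.history[-HISTORY_SIZE:]:
            return "history"
        if today - self.changed_on < self.min_age_days:
            return "minimum age"
        self.history.append(new_pw)
        self.changed_on = today
        return None

def cycle_back(min_age_days: int):
    """Replay the user's trick: Password291173$1 .. $6, then the original again.
    Returns (got_original_back, days_needed); the user retries daily when refused."""
    base = "Password291173$"
    # the password has just expired, so the first change is always allowed today
    acct = Account(base, changed_on=-MAX_AGE_DAYS, min_age_days=min_age_days)
    today = 0
    for candidate in [f"{base}{i}" for i in range(1, HISTORY_SIZE + 2)] + [base]:
        for _ in range(60):                   # give up after 60 days of refusals
            if acct.change_password(candidate, today) is None:
                break
            today += 1
    return acct.current == base, today
```

With no minimum age the original password is back the same day; with a two-day minimum age the same cycle needs 12 days, which is the figure in the story.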

So let us look at the password policy again:

• minimum of 8 characters long
• locked out after 3 failed attempts
• expired once every 45 days
• a combination of uppercase, alphanumeric and special characters
• a password history of the last 5 user passwords is maintained
• the password cannot be changed for the next two days after the initial change

Two new controls are added. The users should already have found, or will soon find, a way to overcome this too; they are clever enough to do so.

The conclusion is: what are the ISO and the server administrator trying to protect…??? What is the probability of an intruder getting into your network, breaking the password and getting into the systems that hold the information…??? Is it easier for an intruder to break a password and get into a server, or is it easier to compromise the server itself? Maybe traceability is an issue….

My thought is: why do we need to enforce this password policy on end users? This is a clear example of delegation of ownership. Who are the owners of the organization's assets…??? Let's not say top management. Yes, it is the top management, but the top management has better work to do and has designated the end users to take ownership of the assets.
I would also say that the ISO should not be spending time breaking his head over password complexity, but should take up the responsibility to clearly push this message down to the end users and make them aware that they, and not the IT Department, are the owners of the information assets.

1. Identify the owners of information assets within the organization. This, I assume, would have been done during the risk assessment exercise.

2. Conduct awareness sessions and emphasize information assets, the owners of those information assets, the responsibility of the owners, the custodians of those information assets, the responsibility of the custodians, etc.

3. Give the asset owners a simple risk assessment methodology to evaluate and understand the value of the assets they handle. This will also give them ideas on how to secure their assets effectively.

4. Give more flexibility to the end users rather than taking everything on yourself.

5. Make everyone understand that security is everyone's responsibility and not just that of the IT department or the ISO.

It has been said and understood that the biggest threat in today's world is the human, and the human who is inside your organization. Now if that human has the password and intends to do damage, how is a complex password going to protect or help…???

Just for thought, how critical is your ATM or credit card to you…??? What is the complexity of the PIN of your ATM or credit card…??? Mine is just 4 numbers… :)