
Re: Why doesn't Amazon enforce a password policy?

Subject: Re: Why doesn't Amazon enforce a password policy?
Date: Fri, 27 Oct 2006 07:32:01 -0500
Any time I run into organizations like this which require users to change their 
passwords every XXX amount of days, I leave. It doesn't matter HOW long I've 
been a customer of theirs, I simply leave. Why?

Firstly, this is an insecure method of doing things. Users choose their own 
passwords, for a reason. They shouldn't be required to change their passwords 
every 30, 60, 90, whatever days. If they do, there's more of a chance that it 
will get written down, which means that there's more of a chance that someone 
will "stumble across it", meaning that it's less secure than relying on the 
brain. Put all the "password recovery" systems in there you want, this is still 
going to get written down, and it's less secure.

Secondly, this is an insult to your users. It takes something that is THEIR 
responsibility and makes it YOURS. It's like saying "I'm sorry, but YOUR 
passwords are too weak, OURS are better, you MUST abide by our password rules". 
No, as a customer, I must NOT. The internet is a large place, and there are 
PLENTY of individuals out there who aren't as anal as this about security. My 
money would simply go there.

Thirdly, this isn't about "security", this is about forcing users to use YOUR 
policies, which are outdated and entirely too strict. Unless you are processing 
government sensitive data, there is no reason you should ever force your users 
to change their passwords, ever.

Take a look at the leaders in this industry. Paypal, ebay, amazon, tigerdirect, 
newegg. Do they require users to change their password every XXX days? No, they 
do not. Why? Because they respect their customers, and allow THEM to choose to 
change their passwords. Do away with requiring a non-alphanumeric symbol if 
you have that, as well, because that's not "good password enforcement", it's 
the same as above.

Personally, I have a set of 5-10 passwords that I have used for years. None of 
these compare to today's supposed "standards", yet they're all strong enough to 
be secure in their own right. I find it an insult when a site like this forces 
me to change something that I PERSONALLY know is secure enough, and have been 
for years.

Now, if you have proof that your customer's account is "hacked", or has been 
used without their permission, yes, by all means, force a password change. This 
should be the ONLY time, however, that this is done, not on a "whim", certainly 
not set forth by some security policy that will do nothing but annoy users.

In the end, why do these companies NOT force their customers to change their 
password every XXX days? They realize that there are plenty of other ways to 
enforce security, and this one, minor way will cause more grief than it's worth.



There is a small war going on where I work.  I am trying to get a
password policy enforced for our web applications and certain
business leaders are opposing it.  There are two areas of
opposition:

1. Minimum password length of 6 (currently 4, 6 was going to be a
compromise).
2. Expiration of passwords (currently none).

Strength requirements on the password content seem to be ok with
them.

These leaders compare our business with Amazon (a bit of a reach
but we go with it for argument's sake) and their main argument for
not enforcing a minimum password length and password expiration is
that Amazon doesn't do it.

How should I go about convincing them that Amazon.com is wrong and
the fact that they haven't had a severe account breach is no reason
not to implement a policy ourselves?  Or, to play devil's advocate
with myself, if I'm wrong, why doesn't Amazon enforce a password
policy?

On a side note, the development work for implementing the policy is
already done.  It was done as part of a separate project and just
not turned on until this argument could be resolved so there will
be almost no development cost associated with implementing the
policy.

Thanks for your feedback.

James Strassburg
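The two options under discussion in this thread (raising the minimum length from 4 to 6, and whether to expire passwords on a timer or only on evidence of misuse) can be modelled so the trade-off is concrete rather than argued by analogy to Amazon. The block below is an added example written for this page; it is not code from either poster or from any of the companies named. It assumes a 62-character alphabet (mixed-case letters and digits) and an illustrative throttled online guess rate of 10 guesses per second; both are constructed assumptions, not figures from the thread.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed assumption: 62 = mixed-case letters plus digits.
ALPHANUMERIC = 62


def keyspace(min_length: int, alphabet: int = ALPHANUMERIC) -> int:
    """Number of distinct passwords of exactly min_length characters.

    Raising the policy minimum forces the weakest permitted password
    to be drawn from this (larger) space.
    """
    return alphabet ** min_length


def exhaustive_guess_seconds(min_length: int, guesses_per_second: float,
                             alphabet: int = ALPHANUMERIC) -> float:
    """Seconds to try every password of min_length characters at an assumed
    online guess rate. Only used to compare policy options side by side."""
    return keyspace(min_length, alphabet) / guesses_per_second


@dataclass
class Account:
    password_set_on: date
    compromise_suspected: bool = False  # e.g. evidence of use without permission


@dataclass
class PasswordPolicy:
    min_length: int
    # None means "no time-based expiration", the position the reply argues for.
    max_age_days: Optional[int] = None

    def accepts(self, candidate: str) -> Tuple[bool, str]:
        """Content rule under debate: minimum length only."""
        if len(candidate) < self.min_length:
            return False, f"shorter than {self.min_length} characters"
        return True, "ok"

    def must_reset(self, account: Account, today: date) -> Tuple[bool, str]:
        """Decide whether to force a change.

        Suspected compromise always forces a reset (both posters agree on
        that). Age matters only when the policy sets max_age_days.
        """
        if account.compromise_suspected:
            return True, "compromise suspected"
        if self.max_age_days is not None:
            age_days = (today - account.password_set_on).days
            if age_days > self.max_age_days:
                return True, f"password older than {self.max_age_days} days"
        return False, "no reset required"


def compare_minimum_lengths(current: int, proposed: int,
                            guesses_per_second: float = 10.0) -> dict:
    """Summarise how much the proposed minimum enlarges the weakest allowed
    password space, and what that means at the assumed guess rate."""
    cur, prop = keyspace(current), keyspace(proposed)
    return {
        "current_keyspace": cur,
        "proposed_keyspace": prop,
        "growth_factor": prop // cur,
        "current_days_to_exhaust": exhaustive_guess_seconds(current, guesses_per_second) / 86400,
        "proposed_days_to_exhaust": exhaustive_guess_seconds(proposed, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    # The thread's numbers: minimum 4 today, 6 proposed.
    print(compare_minimum_lengths(4, 6))
    policy = PasswordPolicy(min_length=6)  # no timer-based expiration
    today = date(2006, 10, 27)             # date of the reply above
    stale = Account(password_set_on=today - timedelta(days=400))
    print(policy.must_reset(stale, today))
    print(policy.must_reset(Account(today, compromise_suspected=True), today))
```

The point the numbers make: the minimum-length change multiplies the smallest allowed keyspace by 62^2 = 3844, a gain that holds regardless of how the expiration question is settled, whereas the expiration rule only changes `must_reset` and never affects how strong the weakest accepted password is. Setting `max_age_days` to 90 reproduces the timer-based policy the reply objects to; leaving it `None` keeps the compromise-only reset both posters accept.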



