Bowie didn’t seem to like changes much at first. He went down “a million dead-end streets,” and knew “every time I thought I’d got it made, it seemed the taste was not so sweet.” Change is always disturbing on some level, especially when it’s prompted by an email from your favorite online retailer telling you to change your password now because of a security incident. Amazon is the latest in a string of folks asking us to reset passwords. The question we have to ask ourselves is: does this sort of bulk email going out to users represent an effective security tactic?
Another way to ask that same question: how effective is it to ask a human to change passwords? One obvious answer is: what else are they supposed to do? They could force an invalidation of all the affected accounts so users must reset their passwords the next time they log on. But that’s where Amazon would run into the crossroads every security pro knows well. It’s the place where user experience and good security become a fork in the road.
Amazon is lucky, because if you asked most Amazon users whether they felt they needed to keep their Amazon account safe, they would likely say yes. It’s got credit card numbers, addresses, and a potentially bizarre shopping history at stake. The risk to the user is clear and present.
The question this brings up for all of us as IT security pros is: how do we get users in our organizations to feel that same clear and present danger about maintaining passwords and other security credentials in the office? There’s nothing like the threat of someone knowing every item you ever put on a Wish List at Amazon for the last 20 years to motivate you to act. For a business, there are potentially much more embarrassing secrets and information at stake, but users don’t often feel that as viscerally.
They’re The Government, And They’re Here to Help
They may not be your government, but the UK government did take a crack at comprehensively answering some of these questions. Since then they have reorganized the administrations involved and have also revised their thinking on the topic a bit. The observation they made that got a lot of attention was that forcing users to change their passwords too often will result in worse security, because people will make up bad passwords. In our response we made sure to distinguish between end-user and privileged passwords, but in the end their ideas do make a point.
The key to understanding the good point they make is in the method of changing passwords they are talking about. They are talking about what happens when you put humans on the front lines. If humans are made to change passwords manually too often, laziness creeps in and they do a poor job of it. There’s no disputing that. It’s well documented (you can see that in their research to start with). They are reacting to a trend where IT admins in organizations with the power to do as they please put an undue burden on users to change passwords far too often. Since those passwords were key to getting their jobs done, they had no choice. And the bad security effects were measured from there.
As They Try to Change Their Worlds
On one end of a spectrum you have organizations going wild with password change policies. On the other end you have places like Amazon. Here the customer is always right and the security folks are well trained to stay in their place. So you only see these password changes forced, no… suggested when there is a specific threat. Even then they are only made to a set of users – not all.
We’ve already sided with GCHQ that changing passwords too often is a bad idea. We’ll absolutely say that changing (or merely suggesting a change of) passwords only under a specific threat is also a bad idea.
Good ideas are all around us. As we stated the last time we talked about the password policy at GCHQ, things like two-factor authentication, expiration and other now-standard password security side orders are all a welcome improvement. The other key concept here is automation. Of course, you can trust your friendly, neighborhood Lieberman Software-man to automate the process of changing passwords for you in your organization.
As a consumer, there are also systems you can employ – and it’s highly recommended to use one. Even though some of them have had very visible problems, it’s still better to have them automating changes for you rather than simply hoping everything will just work out OK.
If you have passwords, and you know you do, you’re going to have to face Ch-ch-ch-ch-Changes. Don’t let it be too scary. “Turn and face the strange,” and get comfortable with automation helping you out. Turn on that two factor authentication feature. And make sure you stay on top of changes before they stay on top of you.