Why Some Password Security is a Waste of Time

Introduction

This is very off-topic, but a recent MSDN article and a paper it referenced got me thinking about password security in our organization.  If my maths is right, the costs of the way we do this are huge.

Changing Passwords Monthly

I work for a very large bank (it has about 300,000 employees, or did have before the banking crisis).  Until recently this bank forced us to change our passwords monthly.  We have two passwords: Windows and ‘single sign on’.  These are the internal passwords we use to do our jobs.  The Windows one is used to log on to Windows obviously.  The single sign on password is to access almost any other internal resource: the timesheet system, the project management system, the issue tracking system, the performance management system etc. etc.

So I had to change both these passwords every month.  Let’s say that on average I can invent a new password, commit it to memory, and enter the old one and the new one twice in 30 seconds, allowing for getting it wrong occasionally.  If all 300,000 employees spend that long changing their two passwords monthly I reckon we spent roughly 35 working years per annum on this (2 x 0.5 x 12 x 300000 / (60 x 7 x 240)).

Internet Companies Don't Make You Change Your Password

Now, I have a number of online bank accounts and none of them expect me to change my password regularly.  Nor do any of the shopping sites that have my credit card details.  The reason for this is that if someone gets hold of my password it really doesn’t matter if I’m forced to change it a week later.  The thief is going to use it straightaway if they are going to use it at all.  The security controls need to prevent them getting hold of the password in the first place.

So why do it for passwords in a big organization?  There are some reasons I can think of, but are they worth the cost?

To be fair, the bank has realized this and reduced the frequency with which passwords have to be changed to 90 days.  This obviously cuts the cost by a factor of three so we now only spend about 12 working years per annum on this.  However, my personal opinion is that this is a control that could be removed completely.

Passwords for Every Application with Timeouts

Another bugbear is that our ‘single sign on’ is far from ‘single’.  Every application we use forces us to enter it separately, and they are all set to time out after a short period of inactivity, not exceeding 30 minutes.  This is mandatory as part of our security policy.  Because this password is used for all our internal systems we all log into them frequently.  I estimate I enter this password about 10 times a day, and I expect that isn’t far from the average for the organization as a whole.

The estimated cost if everyone is doing this, assuming it takes me 15 seconds to enter my password (including periodically mistyping the mandatory capital letter) is about 1800 working years per annum (10 x 15 x 240 x 300000 / (60 x 60 x 7 x 240)).  Ouch.

So our organization spends 1800 working years per annum just logging in to systems.  This is a global organization, so it’s hard to know what rate to use to work out the cost of that.  However, even at the federal minimum wage of $7.25 per hour that’s $22 million.  I suspect an accurate fully-loaded cost would be several times that.

There is some momentum for changing this, at least in our group, since the benefits of kicking everyone out of an internal system after a few minutes of inactivity are even less clear than for password changing.

Conclusion

An organization with 300,000 employees changing two passwords monthly spends about 35 working years per annum on this activity.

The same organization with a security policy that compels every internal application to use a password-based login, and then logging everyone out after a short period of inactivity, spends about 1800 working years per annum on this activity.

These are large numbers and it’s not entirely clear that the cost justifies the saving in terms of more secure systems.

I’ll write about C# and derivatives again soon.


One thought on “Why Some Password Security is a Waste of Time”

  1. You’re right that changing a password regularly in order to reduce the amount of time that the password is available to somebody who’s gotten hold of it does not make much sense.

    There is another reason for changing the password, viz. to reduce the number of online guesses that can be made against it. Presumably your bank locks you out after something like five bad guesses and you then have to call the help desk and have the password reset. But if an attacker knows that you log in every morning at 9am, he or she can make four guesses every day at 8am without locking out the account, and the counter of consecutive bad guesses will be reset to zero when you log in at 9am. So the attacker can make guesses at the rate of four per day with no upper limit. Actually, since you say that you have to re-enter the password every thirty minutes, the attacker can make guesses at the rate of four every thirty minutes, or 64 per day, or about 2000 per month. Enough to crack many weak passwords.

    However, there is a much better way of thwarting this attack than requiring a periodic change of password. You can require the password to be changed WHEN NEEDED, rather than every month or every three months. When is a change needed? When there have been too many bad guesses (not necessarily consecutive) against the password. So you can keep a counter of consecutive bad guesses and lock the account when it reaches a low limit, say 5; PLUS a second counter of accumulated bad guesses, non-consecutive, which is not reset when there is a good guess. When that second counter reaches a higher limit, say 30, you force a change of password. Most people will have to change the password very infrequently, if at all.

    I have recently been granted a patent, US Patent 8,046,827, on this idea. I would be happy to license it to your bank for less than what it costs to change the passwords every three months 🙂

    (You can contact me at fcorella at pomcor dot com, or using the contact page of my company’s site, pomcor.com/contact-us/.)
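The two-counter scheme described in the comment above, written out as an added example (it is not the commenter's patented implementation and not code from the original post). The `Account` class, the limits of 5 and 30, and the use of PBKDF2 for password hashing are my own assumptions; the point it shows is that a pattern of four bad guesses followed by a good login never trips the consecutive counter but still accumulates towards a forced change.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

CONSECUTIVE_LIMIT = 5   # lock the account after this many consecutive failures
CUMULATIVE_LIMIT = 30   # force a password change after this many total failures


def _hash(password: str, salt: bytes) -> bytes:
    # Illustration only: a production system would use a tuned slow KDF (argon2/scrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    consecutive_failures: int = 0   # reset by every successful login
    cumulative_failures: int = 0    # reset only by a password change
    locked: bool = False
    change_required: bool = False


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt))


def login(acct: Account, password: str) -> str:
    """Return one of 'locked', 'change_required', 'ok', 'bad_password'."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
        acct.consecutive_failures = 0          # the usual lockout counter resets
        if acct.change_required:
            return "change_required"           # correct password, but it must be rotated now
        return "ok"
    acct.consecutive_failures += 1
    acct.cumulative_failures += 1              # survives successful logins
    if acct.consecutive_failures >= CONSECUTIVE_LIMIT:
        acct.locked = True
    if acct.cumulative_failures >= CUMULATIVE_LIMIT:
        acct.change_required = True
    return "bad_password"


def change_password(acct: Account, new_password: str) -> None:
    acct.salt = os.urandom(16)
    acct.digest = _hash(new_password, acct.salt)
    acct.cumulative_failures = 0               # only a rotation clears the second counter
    acct.change_required = False
```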
