This is very off-topic, but a recent MSDN article and a paper it referenced got me thinking about password security in our organization. If my maths is right, the costs of the way we do this are huge.
Changing Passwords Monthly
I work for a very large bank (it has about 300,000 employees, or did have before the banking crisis). Until recently this bank forced us to change our passwords monthly. We have two passwords: Windows and ‘single sign on’. These are the internal passwords we use to do our jobs. The Windows one is, obviously, used to log on to Windows. The single sign on password is used to access almost every other internal resource: the timesheet system, the project management system, the issue tracking system, the performance management system, and so on.
So I had to change both these passwords every month. Let’s say that on average I can invent a new password, commit it to memory, and enter the old one and the new one twice in 30 seconds, allowing for getting it wrong occasionally. If all 300,000 employees spend that long changing their two passwords monthly, I reckon we spent roughly 35 working years per annum on this (2 passwords x 0.5 minutes x 12 months x 300,000 employees / (60 minutes per hour x 7 hours per day x 240 working days per year)).
Internet Companies Don’t Make You Change Your Password
Now, I have a number of online bank accounts and none of them expect me to change my password regularly. Nor do any of the shopping sites that have my credit card details. The reason for this is that if someone gets hold of my password it really doesn’t matter if I’m forced to change it a week later. The thief is going to use it straightaway if they are going to use it at all. The security controls need to prevent them getting hold of the password in the first place.
So why do it for passwords in a big organization? There are some reasons I can think of, but are they worth the cost?
To be fair, the bank has realized this and reduced the frequency with which passwords have to be changed to 90 days. This obviously cuts the cost by a factor of three, so we now spend only about 12 working years per annum on this. However, my personal opinion is that this is a control that could be removed completely.
Passwords for Every Application with Timeouts
Another bugbear is that our ‘single sign on’ is far from ‘single’. Every application we use forces us to enter it separately, and they are all set to time out after a short period of inactivity, not exceeding 30 minutes. This is mandatory as part of our security policy. Because this password is used for all our internal systems, we all log into them frequently. I estimate I enter this password about 10 times a day, and I expect that isn’t far from the average for the organization as a whole.
The estimated cost if everyone is doing this, assuming it takes me 15 seconds to enter my password (including periodically mistyping the mandatory capital letter), is about 1800 working years per annum (10 logins per day x 15 seconds x 240 working days x 300,000 employees / (60 seconds per minute x 60 minutes per hour x 7 hours per day x 240 working days per year)). Ouch.
So our organization spends 1800 working years per annum just logging in to systems. This is a global organization, so it’s hard to know what rate to use to work out the cost of that. However, even at the federal minimum wage of $7.25 per hour that’s $22 million. I suspect an accurate fully-loaded cost would be several times that.
There is some momentum for changing this, at least in our group, since the benefits of kicking everyone out of an internal system after a few minutes of inactivity are even less clear than for password changing.
An organization with 300,000 employees changing two passwords monthly spends about 35 working years per annum on this activity.
The same organization with a security policy that compels every internal application to use a password-based login, and to log everyone out after a short period of inactivity, spends about 1800 working years per annum on this activity.
These are large numbers and it’s not entirely clear that the cost justifies the saving in terms of more secure systems.
I’ll write about C# and derivatives again soon.