One of the first questions any information security audit asks is, "What is the password policy of the organisation?". The auditor is looking for the enforcement of strong passwords (mixed-case alphanumeric, longer than eight characters) and regular compulsory changes, so this tends to be the type of policy rolled out across the organisation (for logon passwords at least), writes Paul Maloney, CISSP, managing director of Technology Management and Consultancy.
If you work in the IT department of a reasonable sized company you will be familiar with requests to the service desk for password changes following holidays, long weekends, enforced changes, or the Monday morning after the Friday night. Do you log, track and analyse these requests, because contrary to the belief of service desk staff, people forgetting their password are not necessarily just "typical users".
A user who consistently has problems remembering their password may have a learning difficulty such as Dyslexia or poor recall. If this is the case, the problem is not the user, it is the company's password policy. Security should be an enabler of technology, not a method of separating the more capable from the less capable.
Some people find it easier to remember a long string of numbers than a traditional strong password, and there is a mathematical argument that you can set the length of a numeric-only password so that it is as resistant to brute force attacks as a mixed-case alphanumeric one.
Passphrases can help people remember their logon credentials, but they can also show up people's typing abilities. If passphrases are used with lockout after so many failed attempts, the service desk may see an increase in password reset calls as the poorer typists in the organisation struggle with what are probably longer logon passwords.
There has to be a midway point between strong security and user friendliness of logon security, but it is important that IT people do not decide where that midway point is. IT people are used to passwords, used to technology and normally fairly competent typists, so if they set the password policy based on their knowledge and experience it will be a struggle for more of the users.
If your organisation has a person or department who has responsibility for disability discrimination, talk to them about how the password policy may impact on people who struggle with technology or long strings of text. They may already know of people in the organisation who are being affected by it and be able to offer guidance.
A lot of technology is available to help people with disabilities participate in a normal working environment, but this technology can become useless if the security systems are not receptive to changes to accommodate individual requirements.
Extra training for service desk staff can also help as they can be trained to ask the questions that might indicate someone is struggling with the security rather than just being forgetful. The next time the service desk gets a phone call from a user who has forgotten their password, perhaps instead of saying "must have been a good holiday" they could ask "is there anything we could change about the system that would help you?"
This was first published in April 2010