We Can Require Passwords, But Who Forces Them To Be Good?

You know things are bad when you read a security survey that should be startling and uncomfortable and your reaction is a “so what else is new?” shrug. ’Twas the reaction of quite a few security executives over the last few weeks, in the face of repeated surveys showing that the passwords consumers and retail employees choose are obvious and either written down or repeated ad nauseam.
The latest came Tuesday (Feb. 2) when Trusteer reported survey results claiming that “73 percent of bank customers use their online account password to access other websites, and that 47 percent use both their online banking user ID and password to login elsewhere on the Internet.”
None of this surprises anyone in the business because it’s well known that the weakest link in security is the employee and the consumer, who happen to be the people who generally care the least about it. And the periodic efforts to force better security at that level invariably fail, sometimes because of the effort itself.
For example, a company can automate rules for choosing passwords and require that they be changed periodically. But the stronger the password, the more it will fuel its own failure. Let’s say it requires that passwords be at least 11 characters and include numerals and characters and non-traditional characters (&%|@#~, etc.). Add on top of that a rule that no characters (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.