Recently, I wrote about my thoughts on why we feel like we have to force short-term password changes in the name of “security.” Since that time, Microsoft made an announcement to step in and help set its users (and itself) up for success with more stringent password requirements for Microsoft Account and Azure Active Directory. Sad it has come to this – a vendor doing what they must do to force people to use stronger passwords. We're devolving as computer users.
As shown in study after study – e.g. Ponemon, Verizon, and (especially) this insightful research from Rapid7 – the basics are ignored, we cry out for newer and better security controls, government regulations grow – and, yet, nothing gets better. Apparently information security basics, such as fixing weak passwords, are just too much to ask for. Take, for instance, Security, Accuracy, and Privacy in Computer Systems – a great book written by the late James Martin. It covers all sorts of security basics – what's needed and how to balance it all out. That book was written in 1973. We still can't get security right. Not even passwords.
So, what is the answer? Is it IT's fault? IT and security teams, and the executives heading things up are certainly complicit. Some ignore password vulnerabilities. Some have trouble getting their messages across. Others are afraid to say anything, especially given the predictable pushback from management. Users are on the hook as well. As much as we try to set them up for success through technical controls and awareness/training, at some point, they need to be held accountable. They're grown-ups and it's not like this whole computer password thing is something new.
Maybe we should continue down the path of making things more complex through regulations, lawyers, and technical controls that promise to make everything better. Ha! Not unlike attempts at failed social initiatives involving emotional responses to crises rather than due process, I suspect we'll continue down the path of more laws, more policies, more audits, and a growing false sense of security. Our current approach to passwords is not working. Maybe that's okay – perhaps someone else can figure it out down the road.
Mark Matteson was quoted as saying “Good habits are hard to form and easy to live with. Bad habits are easy to form and hard to live with. Pay attention. Be aware. If we don't consciously form good ones, we will unconsciously form bad ones.” With weak passwords – more than any other computer security vulnerability – what I believe we need is discipline. Discipline on the part of IT and security teams. Discipline on the part of users. Discipline on the part of management. That, and some backbone to see things through over time (again, especially with passwords) until the challenges are resolved. Unless and until something changes in this area, I suspect we'll continue down this path of ignorant bliss and continued breaches.