Passwords Pose A Problem
- Published: Sunday, 01 June 2008 08:00
THOMAS J. ROACH
Two years ago, I was coordinating focus groups at the corporate offices of a large bank. Towards the end of the day, I realized I needed more agendas. We went to the computer in a small cubicle where someone had printed the agendas earlier and discovered that the woman who sat there had logged out and gone home. Her name came up in the log-in script, but without a password.
A group of communications personnel gathered as we tried to break into her computer. One person suggested possible passwords such as her dog's name and her birthday. Finally someone said, "Look for a list of passwords on her desk."
Now, I have a list of passwords on my desk at home, but this is a bank. No one, I thought, is going to leave a list of passwords (written on a piece of paper) on a desk. I was relieved when no paper was found on the desk, but the list was quickly uncovered inside a desk drawer.
The list included more than a dozen accounts and passwords. We quickly got the computer running and printed the agendas. While distributing them, everyone admitted to having a list of passwords in or around his or her desk.
Perhaps I have criminal tendencies, but I couldn't help but wonder how many other bank employees had lists of passwords, and how much mischief one could create by walking through the 40-story high-rise collecting these digital treasure maps. Suddenly I imagined that the cleaning staff had all mysteriously been given keys to the vault. I considered withdrawing my money and submitting a screenplay for a Keanu Reeves movie.
The ironic truth is that by requiring many passwords of varying lengths and types, the techies who design our computer systems have actually made our information less secure. Instead of having to remember just one password (that someone might be able to crack with a sophisticated program and a lot of time), we often have old-fashioned pieces of paper on our desks or in our wallets that could grant a thief access to all of our personal and company files, investments and credit accounts in an instant.
At Purdue University, where I teach, I am required to have a password containing numbers that I change every month to access my computer, another password to access the Purdue intranet, another for checking student records, another for recording grades, and yet another for e-mail. At home, I have a list (written on old-fashioned paper) that contains 67 different passwords.
My point is that password processes should not be left to the whims of software engineers. Those of us who have responsibility for communication need to point out that the cryptic business cultures we are building are counterproductive. If employees have so many passwords that they can't keep track of them all, then their most precious data is available to anyone with access to a few desktops.
I have three recommendations for corporate cyber-cultures: One, design a system that allows employees to log in once for access to all company sites for which they have clearance. Two, don't require employees to change passwords every month. Frequent password changes increase the likelihood of predictable patterns of password selection (the same word with a trailing number incremented each month) and of sticky notes on monitors, thus decreasing password effectiveness. Three, campaign against leaving lists of passwords lying around, in or on desks.
As communication specialists, we can write articles and orientation scripts that help employees select passwords, pointing out that qwerty, 123456, snoopy and password are not clever choices; they are actually among the most common and easiest to guess. The other extreme is a problem as well. U9gh945mngv09 is a bad password because it is hard to remember, which is exactly what puts it on a piece of paper. We should recommend passwords that are memorable because they incorporate rhetorical devices such as repetition, rhymes or irony. We also might suggest not using obvious symbol substitutions, such as "0" for "o." Password crackers are onto this tendency: cracking tools apply these substitutions to every dictionary word automatically, so passw0rd is guessed about as quickly as password.
We can encourage our coworkers to be a little more creative. I have a few modest examples: Micr()hard, 4dpickup, tops, and Betty&oop. How about fr8car, or Roc!? One caveat on the shortest of these: a four-character password such as tops or Roc! can be found by simply trying every combination, so the wordplay needs to be carried out at greater length to hold up.
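The substitution and rotation patterns discussed above can be made concrete with a small rule-based guesser of the kind cracking tools use. This is an added example, not code from the column or from any cracking tool: the base wordlist (BASE_WORDS), the sample passwords (DEMO_PASSWORDS) and the rotation example are constructed for the demonstration, and SHA-256 stands in for whatever hash a real system stores. It shows that a symbol-substituted word like passw0rd or L3tm31n is recovered by a few thousand automatic guesses, while one of the column's own examples, Micr()hard, is not produced by these rules.

```python
"""Added example: a rule-based password guesser in the style crackers use.
Wordlist, sample passwords and the rotation example are constructed for the
demo; SHA-256 is used only as a stand-in for a stored password hash."""
import hashlib
import itertools
import re

# Constructed base wordlist: the common choices the column names, plus a few more.
BASE_WORDS = ["password", "qwerty", "123456", "snoopy", "letmein", "purdue"]

# Letter-for-symbol substitutions that crackers apply routinely.
# Each letter maps to the set of characters it may become (itself included).
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}

# Suffixes people bolt on to satisfy "must contain a digit or symbol" rules.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2008"]


def leet_variants(word):
    """Yield every substitution variant of word (the unchanged word included)."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variants(word):
    """The three capitalisations almost everyone uses."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(base_words):
    """Yield each distinct guess built from the wordlist by the rules above."""
    seen = set()
    for word in base_words:
        for leet in leet_variants(word):
            for cased in case_variants(leet):
                for suffix in SUFFIXES:
                    guess = cased + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, base_words=BASE_WORDS):
    """Return {hash: plaintext} for every target hash the rules recover."""
    found = {}
    for guess in candidates(base_words):
        digest = sha256_hex(guess)
        if digest in target_hashes and digest not in found:
            found[digest] = guess
            if len(found) == len(target_hashes):
                break
    return found


def rotation_guesses(old_password):
    """Likely successors of a password after a forced change: the same stem
    with the trailing number bumped, or a digit appended (constructed rule)."""
    guesses = []
    match = re.fullmatch(r"(.*?)(\d+)([^\d]*)", old_password)
    if match:
        stem, number, tail = match.groups()
        for delta in (1, 2):
            guesses.append(f"{stem}{int(number) + delta:0{len(number)}d}{tail}")
    guesses.append(old_password + "1")
    return guesses


# Constructed sample passwords: five substitution/suffix variants of common
# words, plus one of the column's own examples, which these rules do not produce.
DEMO_PASSWORDS = ["passw0rd", "Snoopy1", "qwerty!", "Purdue2008", "L3tm31n", "Micr()hard"]


def demo():
    """Hash the sample passwords, run the guesser, return the plaintexts recovered."""
    targets = {sha256_hex(p): p for p in DEMO_PASSWORDS}
    recovered = crack(set(targets))
    return {targets[h] for h in recovered}


if __name__ == "__main__":
    print("guesses generated:", sum(1 for _ in candidates(BASE_WORDS)))
    print("recovered:", sorted(demo()))
    print("after a forced change of Snoopy03!, try:", rotation_guesses("Snoopy03!"))
```

The point of the demonstration is the ratio: a few thousand guesses, generated in well under a second, cover every substituted and suffixed form of a handful of common words, which is why "0 for o" adds nothing. The rotation helper makes the monthly-change objection concrete as well: once one month's password is known, the next one is usually within a few guesses.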