The Bottom Line: Passwords Secure Frustration

Digital immigrants have observed that digital natives, thanks to speed dial, don’t even bother to memorize phone numbers—the practice is not even on their radars. The immigrants needn’t worry. Another more crucial memory game has become an annoying, yet necessary, part of communicating: passwords. Whether opening a browser, checking email or shopping online, two pieces of information are required and should be memorized: username and password. Yelling “Open Sesame” at your computer, smartphone or tablet for access will not work. I’ve tried it.

The current practice of creating and using passwords is best described as an exercise in convolution. Security experts say passwords should not be dictionary words because clever minds can crack them with little effort. They should not include personal information, which can be obtained easily using social—and social media—engineering. They should include special characters and a mixture of upper- and lower-case letters and numbers, and they should be long … really, really long. By the way, users should have a different password for each account or website—but DO NOT write them down. On the corporate side, systems administrators should require company employees to change passwords every three to four months, and every 30 days for access to especially sensitive systems or information.

The reason for these requirements is simple: to protect your information. But what is the reality? Most computer users throw up their hands, rely on an easily memorized digital key to open the doors to their most-visited websites and rarely change it. Following the rules is simply too frustrating and difficult.

A Symantec-commissioned study earlier this year took the pulse of password use in the real world. The survey of more than 300 organizations with 1,000 to 20,000 employees revealed that hackers are moving from conspicuous malware and phishing attacks to insidious attacks using stolen passwords. (Yes, there are how-to videos about password gathering.) In addition, survey results verified that password policies have become so cumbersome and error-prone that password-reset requests comprise 30 percent to 50 percent of help desk calls. That’s a pretty hefty personnel expense.

Granted, Symantec has a pony in this race: it offers security solutions that are stronger than the username-and-password practice. But that doesn’t disqualify an observation that Atri Chatterjee, Symantec’s vice president of user authentication, made in reviewing the survey data. “The IT landscape is changing so dramatically and so rapidly that one in four organizations is requiring users to remember six or more passwords to access corporate networks and applications. And, as this Forrester study shows, that approach to authentication is collapsing under its own weight,” he states.

One commentator on an article criticizing the Symantec-sponsored Forrester survey agrees with Chatterjee but doesn’t believe the investigation has gone deep enough. “The study I want to see is the one that looks at the cost of cybersecurity—for example, the lost productivity arising from draconian privilege restrictions on work PCs and consequent need to tie up IT staff—compared with the cost of cybercrime. Or the effectiveness of cybersecurity such as requirements for passwords that are so ‘strong’ and have to be changed so often that … most people have to write them down, usually somewhere near their computer. Brilliant.”

Unfortunately, the bottom line is that until another solution to replace passwords is developed, we’re stuck with them—and not just the simple, easy-to-remember ones. And, while memory muscles will continue to be exercised, help desks and systems administrators will continue to spend valuable time and a considerable amount of money managing a security approach that has proved to be ineffective and difficult—if not impossible—to enforce.