Burn the Passwords

At a party this weekend, a friend mentioned in passing the mechanism by which she regularly gives her password to a co-worker.  When I dramatically cringed, she regaled us with stories of the post-it note on her desk that contains the password of a system device she needs to log into once every four months, but which is changed every quarter.  She calls up the manager of that box, who tells her it’s the same password as last time, except add 1 to the number (apparently they’ve been counting up the quarters), which doesn’t necessarily give her the password, depending on when it changed, and which therefore continues to interrupt her workflow.

I somehow have been in a security bubble, where I assume everyone has modern password habits, rather than bragging about getting around them over beer.

Oh, I understand the quandary many systems users face:  IT puts so many obstacles in front of the systems that the individuals need to circumvent them simply to be able to do their jobs.  It happens, and then after a breach, the security folks tend to find out what circumvention holes they didn’t plug, and then set up more obstacles.

It feels like Ouroboros eating its own tail, from both sides of this loop.

Right now, the current how-to-do-it-right includes several explainable steps:

  • Passphrase rather than password for anything you *have* to remember – longer is better, and a sentence including digits and punctuation does tend to be easier to type than the computer-generated random strings.
  • Password vaults – if the office doesn’t supply one, get your own.  You can use it to store and log into all the various systems you need.  They can even generate the long, difficult passwords for you.  Each system can easily have a different password and you don’t have to either remember them or type them in.  (Don’t put your primary login into your vault – no sense in putting ALL the eggs in one basket.)  Consider having one vault for home stuff and one for work, so you can share or shed the work vault when you move up in the world, but still keep your home stuff separate.
  • Never share passwords – With an enterprise or team vault, you can “share” access without the secondary person ever seeing the password – great for delegating the office Instacart ordering while you are on vacation.  How does this solve the problem, when now you have multiple people using the same login?  Well, as seen by the party discussion, that was happening anyway.  This just formalizes it: you know who has access, and you can revoke it at any time without even having to change the password.  Hey, you can even do this with the Netflix account and your kids, and revoke access during finals week.
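The arithmetic behind “longer is better” is worth seeing once. The following is an added example, not code from the original post: it generates a passphrase from a word list and a random password from a character set using Python’s `secrets` module, and estimates the guessing entropy of each as picks × log2(choices). The 16-word list is a constructed stand-in so the example runs offline; the 7776-word figure used in the comments is the size of a standard diceware-style list such as the EFF large wordlist. The function names and the 80-bit target are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample word list (a stand-in for a real 7776-word diceware-style
# list). Entropy per word is log2(len(WORDS)), so 16 words = 4 bits per word.
WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orange", "pepper",
]

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of `wordlist_size` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random characters from `alphabet_size` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random (secrets, not random) and join them."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int = 12, alphabet: str = SYMBOLS) -> str:
    """Uniform random string of `length` characters from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(n_words: int, wordlist_size: int, pw_len: int, alphabet_size: int) -> dict:
    """Entropy of a passphrase versus a random password, plus which one is stronger."""
    pp = entropy_bits(wordlist_size, n_words)
    pw = entropy_bits(alphabet_size, pw_len)
    return {
        "passphrase_bits": round(pp, 2),
        "password_bits": round(pw, 2),
        "stronger": "passphrase" if pp > pw else "password",
    }


if __name__ == "__main__":
    # With a real 7776-word list, 5 words gives ~64.6 bits; 7 words clears 80 bits.
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
    # A 94-character alphabet needs 13 random characters for the same 80 bits.
    print("chars for 80 bits from a 94-char alphabet:", chars_needed(80, 94))
    print(compare(n_words=6, wordlist_size=7776, pw_len=12, alphabet_size=94))
    print("sample passphrase:", passphrase(6))
    print("sample password:  ", random_password(12))
```

The point the numbers make: six or seven words from a large list matches a 12-character random password bit for bit, and the phrase is the one you can actually type at a console. A password that is “last quarter’s plus one” has essentially one guess of entropy for anyone who knows last quarter’s.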

Then burn all the post-it passwords.