That isn’t like moving to Minnesota and then losing your mittens.
Instead, move to Miami and never need mittens!
Face it, passwords are pretty useless. If a human selected it, another human has a good chance of guessing what it is. If a computer generated a password that a human can’t guess, then a typical human can’t remember it accurately.
Draconian requirements for password length and complexity become self-inflicted denial of service as users can’t do their job and the help desk is tied up. Requirements for frequent change lead to ever more guessable patterns and faster depletion of Post-It notepads.
Password complexity rules don’t keep the bad guys out; they mostly push users toward the same predictable substitutions and suffixes that guessing tools try first. Periodic password change accomplishes just one thing: when the bad guy guesses your password, he can use it only until the next forced change. Unless, of course, he is clever enough to set up an alternative means of access (a second account, an SSH key, a scheduled task) or industrious enough to complete his mischief within the next 30 days.
One theory is that we continue to inconvenience ourselves and lock ourselves out of our own systems with these fairly useless rules because they provide the illusion of security. Anything so painful to the legitimate user must be accomplishing something!
The Defense Advanced Research Projects Agency (DARPA) has recognized this problem and recently announced a research opportunity: “The Active Authentication program seeks to change the current focus from user proxies (e.g., passwords and CACs) when validating identity on DoD IT systems to a focus on the individual.” The program would expand biometrics beyond the limited sense seen so far (intrinsic physical characteristics) to include behavioral traits. It applies the term “cognitive fingerprint” to patterns of behavior such as inter-keystroke timing, eye movement when reading, and use of language, including word and punctuation choice and statistical characteristics of message content.
These are areas already being addressed by computational linguistics, including forensic authorship investigation based on semantic analysis. Inter-keystroke timing and mouse movement are physical measurements, but like the linguistic traits they reflect the user’s mental processes and habits rather than a fixed physical feature such as a fingerprint.
Meanwhile, look at how IaaS cloud servers authenticate users to see another response to the password problem. For the most popular IaaS operating system, Linux, most IaaS providers disable password authentication entirely. The root account has no usable password. The only way in is SSH public-key authentication: the provider typically installs the public key you registered into the instance when it is created, and you connect from a host where the matching private key is stored, readable only by you and ideally protected by a passphrase or held in an agent. This has long been considered best practice for *nix network security. Sadly, it is not found all that frequently “in the wild” on most organizations’ in-house servers, but it is pretty much the standard on IaaS Linux servers. This doesn’t fix everything: a private key copied off an unlocked laptop is as good as a password, and a single Match block that turns password authentication back on for one user reopens the door. But it’s a great improvement.
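The difference between a typical in-house server and an IaaS image is a handful of lines in sshd_config. The script below, an added example that is not from the original post or from Learning Tree, reads an sshd_config the way sshd does (first non-comment assignment wins) and fails if any password path is still open. The function names are this example's own, and the two config files are constructed samples, not copied from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for
# the password paths that IaaS Linux images close off. Function and
# variable names are this example's own; both config files below are
# constructed samples.

# Effective value of one sshd_config keyword. As in sshd(8), the first
# non-comment assignment wins, and this reader stops at the first Match
# block. Prints DEFAULT when the keyword is absent. Only the
# "Keyword value" form is parsed, not "Keyword=value".
sshd_option() {
    file=$1; key=$2; default=$3
    awk -v key="$key" -v def="$default" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$file"
}

# Returns 0 when only public-key logins are possible, 1 otherwise.
# Defaults are sshd's own: PasswordAuthentication yes, PubkeyAuthentication
# yes, PermitRootLogin prohibit-password, keyboard-interactive yes.
audit_sshd_config() {
    cfg=$1; rc=0
    pw=$(sshd_option "$cfg" PasswordAuthentication yes)
    pub=$(sshd_option "$cfg" PubkeyAuthentication yes)
    root=$(sshd_option "$cfg" PermitRootLogin prohibit-password)
    # KbdInteractiveAuthentication (OpenSSH 8.7 and later) replaced the
    # older ChallengeResponseAuthentication spelling; honour whichever is set.
    kbd=$(sshd_option "$cfg" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_option "$cfg" ChallengeResponseAuthentication yes)

    [ "$pw" = no ]   || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$pub" = yes ] || { echo "FAIL PubkeyAuthentication=$pub (want yes)"; rc=1; }
    # With UsePAM yes, keyboard-interactive still lets PAM prompt for a
    # password even when PasswordAuthentication is off.
    [ "$kbd" = no ]  || { echo "FAIL keyboard-interactive=$kbd (want no)"; rc=1; }
    case $root in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=$root (want no or prohibit-password)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $cfg allows key-based logins only"; fi
    return "$rc"
}

# Constructed sample 1: a stock-looking config that still takes passwords
# (the commented-out line is how distributions ship the default).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
EOF

# Constructed sample 2: the key-only shape IaaS Linux images ship with.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

echo "== in-house style config"; audit_sshd_config "$WEAK_CFG" || true
echo "== IaaS style config";     audit_sshd_config "$HARD_CFG"
```

On a live host, `sshd -T` prints the effective configuration with one lowercased keyword per line; save that to a file and pass it to `audit_sshd_config` to check what sshd actually enforces rather than what the file says. The reader above stops at the first `Match` block, and that is exactly where a stray `PasswordAuthentication yes` for one user or address range tends to hide, so read any Match blocks by hand.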
If you’re interested in learning more, Learning Tree’s Linux server administration course has details on hardening your servers, and the cloud security course shows how to extend security into the cloud.