Password: Impossible

My bank forced me to change the login password again; they claim it’s an automated procedure that happens every 90 days, but I know that it actually waits for me to remember the password and then immediately forces me to change it.

When I went in to change it, I was reminded of the draconian rules: it has to be at least 6 characters, with at least 2 numbers, at least 2 uppercase letters and at least 2 lowercase letters. These guys went to the security-by-obstruction school, no doubt.

I decided to fight back. Having finally got around to remembering this awkward, strange password I had to pick 90 days ago, I decided I’m staying with it. So I changed it to something else, which I had to write on a piece of paper for fear of forgetting it within 30 seconds (if you saw Memento, that movie is about me, and I have tried to always order beers in bottles since seeing it), and I then went to the ‘change password’ section to change it back to my awkward-but-conditioned-into-memory password.

Naturally, the bank was trying to set me straight. “You can’t change back to any of your last 5 passwords” it told me with a grinning smile, giving me the solution right there. As you can undoubtedly guess, I returned the favor by changing the password 5 times to different things and then changed it back to my old one. I win. Next round in 3 months.

People will always outsmart security systems that try to force them into making the ‘right’ decision. What I’ve done today (and I’m quite proud of it, thank you) is being done every day by people who use their CD-ROM trays as coffee-cup holders and have never used any program that didn’t run automatically when they double-clicked an icon.

But here’s what is really bothering me: What exactly is the attack scenario here? I would like to see the statistics that show how many attackers actually manage to capture a username and password and only fail because they try to use it after 90 days. While these huge numbers are crunched, please put on the Y-axis how many attackers found the password on a post-it stuck to the monitor because the password is so complicated to remember.

Or maybe so many attackers brute-force the password, obviously hundreds of millions of times every day for a single account, that there is a clear and immediate need for a long and complicated password (BTW, if this attack is possible, someone should tell me how to do it. I’ve been locked out a few times for failing to type the password correctly within a few guesses. I need a few guesses because I don’t remember which one is the current password, which, as you will recall, changes every 90 days).

Being the cynic that I am, and having read enough security policy documents, I can guess why the password policy is the way it is: it’s easy to explain and justify, and it looks sensible on a PowerPoint slide. I once heard from a high-profile organization that, due to a successful break-in to their network, they decided to tighten up security: all passwords now had to be 9 characters instead of 8. I’m guessing someone was promoted for this genius action, and there’s still enough room to increase it further when the next break-in comes (now that’s thinking ahead).

How is a complex password policy bad? Let me count the ways: it makes your user your enemy instead of your ally. It distracts the security people from the real threats. It gives a false sense of security. It encourages your users to find flaws in your security system and use them. What else? I had more, but somebody just came in the door and I forgot.

  • Anonymous

    I’ve had a similar experience where there were forced password changes and you couldn’t change it to the last X number of passwords. The way I found around it was that for password checks they only checked the first 8 characters (old school style) when logging in, so if you just changed your password to ‘yourold8letterpassword + a bunch of random characters’ you could keep your 8-letter password.

  • Wade M

    Ahh, how I love password changes.

    When forced to change I usually just add a number to the end of it.

    Password1 is the first one, after 90 days it becomes Password2, 90 more, Password3, Password4, Password5, Password1. Very easy to remember for me (the user), and it fools the computers, as it’s not _the same_ password :) Security is often confused with the illusion of security we so often see.



  • growl

    In my company they do the same… every 30 days you have to change the password… and they start annoying you about it 15 days in advance…
    Now I have a handy script that changes the password 3 times and then puts back my previous password… :)

    It saves the temporary password, just in case.. :)

  • Kasa

    A simple rule that controls minimum password age could be enough to prevent changing the password multiple times to bring the old one back to life.
    Besides that I agree with Aviram: how effective could that policy be compared to the tons of other controls?
    A failed-logins control should be enough to prevent brute force and even password guessing, and if your password gets owned by sniffers, trojans, keyloggers, shoulder surfing and other kinds of stuff, a 90-day password change policy would not make any difference.
    We always have to think first about the effectiveness of the controls we are implementing before doing it. Sometimes it just brings difficulties on the user side and a whole bunch of other vulnerabilities.
    In Brazil major banks are using Tam Code tokens and that seems more effective to me than making the user change their password once a month (or every three months).
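As an added example (not the bank's code and not from the post or any commenter), here is a model of the history check the post describes, with the minimum-password-age control Kasa suggests layered on top. It replays the post's trick of changing the password five times and then setting the old one back, both against a history-only check and against history plus minimum age. The `Account` class, the one-day minimum age, the throwaway password pattern and the PBKDF2 round count are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 5               # "can't change back to any of your last 5 passwords"
MIN_AGE_SECONDS = 24 * 3600     # assumed: one day between voluntary changes
PBKDF2_ROUNDS = 10_000          # kept low for the demo; use a far higher count in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Stores the current password and the previous ones, salted and hashed, newest first."""

    def __init__(self, password, now):
        self.history = []
        self.last_change = None
        self._record(password, now)

    def _record(self, password, now):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        del self.history[HISTORY_DEPTH:]      # forget anything older than the last N
        self.last_change = now

    def _seen_recently(self, password):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def change_password(self, new_password, now, enforce_min_age=True):
        """Return (ok, reason). History is checked as the bank does; min age is the extra control."""
        if enforce_min_age and now - self.last_change < MIN_AGE_SECONDS:
            return False, "minimum password age not reached"
        if self._seen_recently(new_password):
            return False, "password was used recently"
        self._record(new_password, now)
        return True, "changed"


def cycle_back(account, old_password, now, enforce_min_age=True, wait_between=0):
    """The post's trick: change HISTORY_DEPTH times, then set the old password again.

    With wait_between=0 all changes happen in one sitting (or from a script like
    growl's). A patient user can instead wait `wait_between` seconds per step.
    Returns True if the old password is accepted at the end.
    """
    for i in range(HISTORY_DEPTH):
        ok, _ = account.change_password(f"Throwaway{i}Aa11", now + i * wait_between,
                                        enforce_min_age)
        if not ok:
            return False
    ok, _ = account.change_password(old_password, now + HISTORY_DEPTH * wait_between,
                                    enforce_min_age)
    return ok


if __name__ == "__main__":
    t0 = 1_000_000.0
    rotation = 90 * 24 * 3600
    print("history only:", cycle_back(Account("Xy12abCD", t0), "Xy12abCD", t0 + rotation,
                                      enforce_min_age=False))
    print("history + min age, same sitting:",
          cycle_back(Account("Xy12abCD", t0), "Xy12abCD", t0 + rotation))
    print("history + min age, one day per step:",
          cycle_back(Account("Xy12abCD", t0), "Xy12abCD", t0 + rotation,
                     wait_between=MIN_AGE_SECONDS))
```

The minimum age stops the one-sitting cycle and growl's script, but the last call shows its real limit: someone willing to spend one day per change still gets the old password back after HISTORY_DEPTH days, well inside a 90-day rotation window. History depth and minimum age only make sense as a pair, and neither addresses the attack scenarios the post asks about.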

  • Someone

    I had a similar problem with my bank. Luckily they don’t force me to change it every 90 days, but if you get locked out of your account (3 invalid login attempts) you have to change your password to something you haven’t used in the last 5 changes.

    One security feature they do have that I think works well is browser/connection checking: if I change ISPs or browsers it detects it and forces me to re-activate by phone or email. While this is a pain occasionally, I feel it is a decent security measure.

  • Stephan

    One more reason why complicated password policies are problematic: they actually decrease the number of possible passwords, thereby making a brute force attack easier.
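Stephan's point can be made exact for the rule quoted at the top of the post (at least 6 characters, at least 2 digits, 2 uppercase and 2 lowercase). The following is an added example, not code from the post or from the bank: it counts the compliant passwords of a given length by summing, over every way to split the positions among the three character classes, the number of arrangements (a multinomial coefficient) times the number of fillings, and cross-checks the formula by brute force on a tiny alphabet. It assumes the policy only allows alphanumeric characters (the post does not say whether symbols are permitted); the function names are mine.

```python
from itertools import product
from math import factorial, log2

# Character classes assumed for the bank's rule (alphanumeric only, by assumption).
DIGITS = "0123456789"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
CLASSES = (DIGITS, UPPER, LOWER)
MINIMUMS = (2, 2, 2)            # at least 2 digits, 2 uppercase, 2 lowercase


def is_compliant(password, classes=CLASSES, minimums=MINIMUMS):
    """Policy check: every character belongs to some class and each class meets its minimum."""
    alphabet = "".join(classes)
    if any(c not in alphabet for c in password):
        return False
    return all(sum(c in cls for c in password) >= k
               for cls, k in zip(classes, minimums))


def multinomial(counts):
    """Ways to assign sum(counts) positions to groups of the given sizes."""
    result = factorial(sum(counts))
    for k in counts:
        result //= factorial(k)
    return result


def compositions(total, minimums):
    """Yield per-class counts summing to `total`, with counts[i] >= minimums[i]."""
    if len(minimums) == 1:
        if total >= minimums[0]:
            yield (total,)
        return
    for k in range(minimums[0], total + 1):
        for rest in compositions(total - k, minimums[1:]):
            yield (k,) + rest


def count_compliant(length, class_sizes=(10, 26, 26), minimums=MINIMUMS):
    """Number of strings of exactly `length` characters that satisfy the rule.

    For each split of the positions among the classes: choose which positions
    get which class (multinomial), then fill each position (size ** count).
    """
    total = 0
    for counts in compositions(length, minimums):
        ways = multinomial(counts)
        for size, k in zip(class_sizes, counts):
            ways *= size ** k
        total += ways
    return total


def brute_count(length, classes, minimums):
    """Cross-check by exhaustive enumeration; only feasible for tiny alphabets."""
    alphabet = "".join(classes)
    return sum(1 for chars in product(alphabet, repeat=length)
               if is_compliant("".join(chars), classes, minimums))


def entropy_loss_bits(length, class_sizes=(10, 26, 26), minimums=MINIMUMS):
    """Bits removed from a uniformly random alphanumeric password by the rule."""
    allowed = count_compliant(length, class_sizes, minimums)
    if allowed == 0:
        return float("inf")
    return log2(sum(class_sizes) ** length / allowed)


if __name__ == "__main__":
    for n in (6, 7, 8):
        print(f"length {n}: {count_compliant(n):,} of {62 ** n:,} alphanumeric strings "
              f"are allowed ({entropy_loss_bits(n):.2f} bits lost)")
```

At the minimum length of 6 the rule leaves only 4,112,784,000 of the 56,800,235,584 alphanumeric strings, about 7% of the space, so an attacker who knows the policy skips the other 93% of candidates outright. The loss shrinks as length grows, which is the usual argument for preferring length over composition rules.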

  • Just Guess

    Another nice “feature” is to use the password recovery of web sites to generate new passwords which you no longer need to remember, as you have an email from them with it :)

  • Jason

    I had a complicated way to keep my passwords handy while only needing to memorize a single password.

    For my network password (Windows AD), I used magnetic words to create a nonsense sentence, using words whose first letters spelled out the characters of my password. Also, I could change how I positioned the words to denote numbers and uppercase. I always used the same symbol at the end of my passwords, so I had to remember that, too (and it wasn’t an exclamation point, either).

    After that, I used Password Safe to store everything else.

    What happens if I forget my Password Safe pass phrase?

    I kept it stored in a PGP encrypted text-file. I’ve had the PGP pass phrase for almost a decade now, so I won’t be forgetting it barring a head injury.

    Convoluted, but it kept me from going insane over the passwords I had to rotate and remember and it kept me from writing them down.

  • Adam

    I think more security systems just need to develop a way to obstruct brute-forced systems…

    I know _my_ bank is great: upon 3 invalid password attempts (guesses, we’ll call them) they require you to phone up the bank’s 24/7 800 number (likely based in India..? lol, never had to call it) and get your account “unlocked”.

    This is a great system, since any brute force attempt is going to start from 000000, 000001, 000002, 000003, and by then you’d be locked out.

    Now keyloggers are a different story, no security is going to defend against those, except maybe biometrics (ey dude, lemme borrow your FINGER….lol, I think not…haha).

  • Amos

    Similar to Jason – I use pwman3 (the only reasonable console-based password safe program I have found so far, though I would still love to hear about better ones) to keep passwords, using a pretty strong master password I’m very familiar with.

    I use random passwords (run pwgen and pick one at random from the output, or use pwman3’s random password generation).

    And for less sensitive web sites I use Firefox’ password manager with a master password.

  • Pingback: SecuriTeam Blogs » New record in ridiculous password rules