Our security department decided to change passwords of some "common accounts" (anti-pattern #2) we have at work on our load testing network. They started this process without letting anyone know and set the new password to "G2xi]$7jB;". This leads to security anti-pattern #1: The Very Secure Password.
A good password has to meet four criteria:
1) It must be easy for you to remember.
2) It must be hard for others to guess.
3) It must be relatively immune to brute-force attacks.
4) It must be as secure as what it protects.
For a load testing password, "$scale2Day?" meets all four of these criteria. Because it's meaningful, it's easy to remember. Because it contains punctuation and slang, it's harder for others to guess, and because it mixes punctuation, letters and numbers, it's relatively resilient to brute-force attacks.
The new password fails the first test, so it risks being "kept" somewhere: written down on paper, emailed to other people, saved in a text file on your desktop, or otherwise circumvented with ssh keys or "remember this password locally" (making our load test network only as secure as your password). This makes people work around security instead of working with security.
This also undermines point #2 through a social problem. The old password was easy to remember, so if someone sketchy feigned forgetfulness, it was suspicious. Since the new one is nearly impossible to remember, it becomes extremely easy to trick someone into giving out the password because "they forgot". Also, if it's on paper, on your desktop, or in your "Secret Passwords" mailbox, then it's listed in way more places than before.
Of course it's less likely to be brute-forced, but it's way more complex than it needs to be.
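As an added example (not code from the original post), here is a small Python script that scores criterion 3 the way a brute-force attacker sizes the search space: the alphabet is the union of the character classes present in the password, and the bit count assumes every character was drawn uniformly from that alphabet. The 1e10 guesses-per-second rate and the 60-bit threshold are assumptions chosen for illustration, not figures from the post.

```python
import math
import string

# Character classes used to size the brute-force alphabet.
# string.punctuation is the 32 printable ASCII symbols.
_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password uses."""
    size = 0
    for chars in _CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def brute_force_bits(password: str) -> float:
    """Upper-bound search-space size in bits, assuming each character was
    chosen uniformly from the class-union alphabet. A password built from
    dictionary words is weaker than this number suggests."""
    n = alphabet_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try the whole search space at the given rate.
    The 1e10/s default is an assumed figure for illustration only."""
    seconds = 2 ** brute_force_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def meets_brute_force_criterion(password: str, min_bits: float = 60.0) -> bool:
    """Criterion 3 from the post, with an assumed 60-bit threshold."""
    return brute_force_bits(password) >= min_bits


if __name__ == "__main__":
    # The two passwords from the post plus a deliberately weak one for contrast.
    for pw in ["G2xi]$7jB;", "$scale2Day?", "password"]:
        print(
            f"{pw!r:16} alphabet={alphabet_size(pw):3d} "
            f"bits={brute_force_bits(pw):5.1f} "
            f"years={years_to_exhaust(pw):12.2e} "
            f"ok={meets_brute_force_criterion(pw)}"
        )
```

Run against the two passwords from the post, the naive estimate puts "$scale2Day?" slightly above "G2xi]$7jB;" simply because it is one character longer; the line-noise string buys no extra brute-force resistance over a memorable password of similar length and character mix. Treat the bit count as an upper bound: a guesser that tries dictionary words with appended digits and symbols explores a much smaller space than 2^72 candidates for a word-based password, so only a genuinely random string earns the full figure.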
So before you go and change passwords based on some insane line-noise criteria, remember those four rules of thumb. If you need something more secure, then consider two-factor authentication choices (and steer away from PKI. Honest.)
[ All passwords are made up, and details are altered. If you really want our passwords, send me your resume, we're hiring! ]
Wednesday, November 21, 2007
Security Anti-Pattern #1: The Very Secure Password
1 comment:
I've just started using a text file to store Very Secure Passwords in that I can cut/paste from. That's OK, right?