So, I recently learned of an organization that is imposing new password parameters. You might want to sit down for this: the password MUST contain 3 uppercase letters, 7 lowercase letters, 2 numbers and 5 special characters. Secure, right? Wrong. It’s this kind of password policy that guarantees you will find each user’s password on a sticky note under the keyboard.
Or, how about this: client A sets up some very convoluted access policies for their systems at HostCo. Keys to the cages where their servers are kept are in safes that require a combo lock and a key to open. The armed HostCo guards have the safe combo while the HostCo SysAdmins have the safe keys. Sounds pretty secure, yes? Not really – it only takes compromising one employee of one company to get to the systems (you can probably figure out which one).
I am certain that you have also experienced “security” measures that give the illusion of security but really are only overly complex. This is a real danger to your data’s security. The more complex you make a process or procedure, the more likely someone will find a way to circumvent it while creating the illusion of compliance.
Let’s take the password example - according to their standards, the following is perfectly acceptable:
According to Microsoft’s password checker, this is a very strong password and it’s easy to remember. But is it really secure? Not if everyone uses it or if someone is looking over your shoulder (the keystrokes are VERY easy to follow).
According to the same checker J@ySm1th25896! is just as strong. If I am Jay Smith and my ZIP code is 25896, it’s easy to remember and is not as easy to follow if someone is looking over your shoulder.
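To put a number on the policy from the start of this post, here is an added example (my own code, not from the original post or from any password checker it mentions). It checks a candidate password against the quoted composition rule and compares the size of the space of policy-compliant strings with the space of unconstrained printable-ASCII strings of the same length. Assumptions: the rule is read as exact counts (3/7/2/5, 17 characters total, with an `exact=False` switch for an "at least" reading), "special characters" means the 32 ASCII punctuation marks, and the free alphabet is the 94 printable ASCII characters. The bit counts are upper bounds that assume characters are chosen uniformly at random; a password built from a name and ZIP code, like J@ySm1th25896! above, lives in a far smaller space for an attacker who knows those facts. This goes a step beyond the post by quantifying that forcing a fixed composition actually shrinks the keyspace.

```python
"""Composition-policy checker and keyspace estimate (added example)."""
import math
import string
from collections import Counter

# Character classes. Assumption: "special characters" = ASCII punctuation (32 chars).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
SPECIAL = set(string.punctuation)
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}

# The policy quoted in the post, read as exact per-class counts (assumption).
POLICY = {"upper": 3, "lower": 7, "digit": 2, "special": 5}


def classify(password):
    """Count how many characters of each class the password contains."""
    counts = Counter()
    for ch in password:
        if ch in UPPER:
            counts["upper"] += 1
        elif ch in LOWER:
            counts["lower"] += 1
        elif ch in DIGIT:
            counts["digit"] += 1
        elif ch in SPECIAL:
            counts["special"] += 1
        else:
            counts["other"] += 1  # whitespace, non-ASCII, control chars
    return dict(counts)


def complies(password, policy=POLICY, exact=True):
    """True if the password satisfies the composition policy.

    exact=True  : each class must appear exactly `need` times (17 chars total).
    exact=False : each class must appear at least `need` times.
    """
    counts = classify(password)
    if counts.get("other", 0):
        return False  # characters outside the four allowed classes
    for cls, need in policy.items():
        have = counts.get(cls, 0)
        if exact and have != need:
            return False
        if not exact and have < need:
            return False
    return True


def policy_bits(policy=POLICY):
    """log2 of the number of strings that satisfy the exact policy.

    Count = multinomial(n; k_1..k_m) * prod(class_size^k_i): choose which
    positions hold each class, then fill each position from its class.
    """
    n = sum(policy.values())
    arrangements = math.factorial(n)
    for k in policy.values():
        arrangements //= math.factorial(k)
    total = arrangements
    for cls, k in policy.items():
        total *= CLASS_SIZES[cls] ** k
    return math.log2(total)


def free_bits(length, alphabet=94):
    """log2 of the number of unconstrained strings over `alphabet` symbols."""
    return length * math.log2(alphabet)


def compare(policy=POLICY):
    """Bits lost by imposing the composition rule on a password of the same length."""
    n = sum(policy.values())
    return free_bits(n) - policy_bits(policy)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("J@ySm1th25896!", "ABCdefghij12!@#$%"):
        print(f"{pw!r}: {classify(pw)} compliant={complies(pw)}")
    print(f"policy keyspace : {policy_bits():.1f} bits")
    print(f"free 17-char    : {free_bits(17):.1f} bits")
    print(f"bits lost       : {compare():.1f}")
```

Running it shows that 17 random characters under the quoted rule give roughly 104 bits, while 17 unconstrained printable characters give roughly 111 bits: the rule costs about 7 bits of keyspace and buys the sticky note. The name-and-ZIP example fails the rule outright (2 uppercase, 4 lowercase, 2 specials), which is the point the post is making: the checker rating it "strong" says nothing about whether it is guessable.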
The point is that security measures can be strong and not involve the Headless Chicken Dance.