The Insecurity of Your Secure Password Policy

Let’s say you have a password policy that mandates passwords change every 90 days. Also imagine it takes 1-2 days for the user to get everything back in sync. They have their password manager, different web applications, maybe their iOS keychain…  You start warning people 10 days in advance. Also, you have systems that only allow passwords of certain lengths, and…  where was I?

What percentage of users do you think are using a password manager that randomly generates that password? Don’t forget there are systems that people need to log into that don’t have any way to insert a password directly from a password manager app.

Instead, you’re going to get a password progression like:

  • Puppies1!
  • Puppies2?
  • Puppies3!
  • Puppies4.

So if you have one set of compromised passwords, it is pretty likely that a WHOLE PASSWORD GENERATING METHOD is compromised for many users. The existence of a single digit and a single punctuation mark as above is a tell-tale sign of this. All an attacker needs to do is take those password patterns and increment or decrement the digit that comes with the password to try on other sites.
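The progression above is the kind of thing a password-change check can catch on the defender’s side. The following is an added example, not code from the original post: a hypothetical policy check (`check_change`) that runs at change time, when the user has just typed both the old and the new password, so it needs no stored plaintext history. It flags a new password that shares the same word “stem” as the old one once leading and trailing digits and punctuation are stripped, or that sits within a couple of edits of it, and it separately flags the “word + one digit + one symbol” shape the post calls a tell-tale sign. The sample passwords are the constructed ones from the post, not real credentials.

```python
import re
import string

# Hypothetical policy check (not from the original post). It is meant to run at
# password-change time, when both old and new passwords are available in the
# clear for a moment, so no plaintext password history has to be kept.

_EDGE_CHARS = string.digits + string.punctuation
# "letters, then exactly one digit, then exactly one punctuation mark":
# the Puppies1! / Puppies2? shape described in the post
_ROTATION_SHAPE = re.compile(
    r"^[A-Za-z]+\d[" + re.escape(string.punctuation) + r"]$"
)


def stem(password: str) -> str:
    """Drop leading/trailing digits and punctuation and lower-case the rest.

    'Puppies2?' -> 'puppies'; 'Puppies4.' -> 'puppies'.
    """
    return password.strip(_EDGE_CHARS).lower()


def has_rotation_shape(password: str) -> bool:
    """True for passwords shaped like Puppies1! (letters + one digit + one symbol)."""
    return _ROTATION_SHAPE.match(password) is not None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete or substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def is_too_similar(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a trivial variant of `old` (same stem or <= max_edits away)."""
    if not old or not new:
        return False
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:  # same word, only the digit/symbol changed
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def check_change(old: str, new: str) -> list[str]:
    """Return the policy violations for a proposed change; an empty list means accepted."""
    problems = []
    if is_too_similar(old, new):
        problems.append("new password is a trivial variant of the old one")
    if has_rotation_shape(new):
        problems.append("new password has the word+digit+symbol rotation shape")
    return problems


if __name__ == "__main__":
    # Constructed sample progression from the post; not real credentials.
    history = ["Puppies1!", "Puppies2?", "Puppies3!", "Puppies4."]
    for old, new in zip(history, history[1:]):
        print(f"{old} -> {new}: {check_change(old, new) or 'accepted'}")
    print(check_change("Puppies4.", "correct horse battery staple") or "accepted")
```

The stem comparison is what catches the incrementing-digit habit; the edit-distance check catches one-character swaps elsewhere in the word. Both are cheap enough to run on every change, and neither requires the server to keep anything beyond the hashes it already stores.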

The extra burden of trying to come up with memorable but unique passwords so often is forcing users to dumb down their passwords.