Echoes from the Computer Room: Circle of Passwords

Chances are, if you work at a company that involves computers, passwords are going to be a daily part of your life. And if you have passwords, more than likely they will expire. As someone who spends a great deal of many a Monday morning resetting and unlocking passwords, let me tell you this can get very aggravating. (Apparently there is a big reset button somewhere that gets pressed every weekend and makes people forget their passwords. So help me if I find the one hitting that button…) But I think there is one part of the password deal that trips people up really badly: remembering passwords.

Now I’m not talking about users remembering their passwords. No, I’m talking about systems that remember passwords, so that when it comes time to change yours you can’t reuse certain things because the system recalls what you’ve used going back so far. So how do we get around that? With what I like to call a Circle of Passwords. Allow me to explain.

Let’s say you have some program or software that remembers your last few passwords and even which characters (by characters I mean the letters A-Z and the digits 0-9) were in which position in your password. When it comes time to change it, you try to use a character in the same position as before, and the system recognizes this and tells you that you can’t do that. Just what are you to do? Set up a series of passwords that conform to the rules of the software at hand, then keep them in constant rotation so you always have a password you know will be accepted and don’t waste precious work time calling support. Here is an example.

Let’s say we have a program that remembers the last 8 passwords you used in addition to the one you are currently using, and the password expires every 60 days. Your circle of passwords will need to be x + 2 passwords, where x is the number of previous passwords the program remembers: x for the history, one for the password you are on now, and one more that is guaranteed to be free. So here we need 8 + 2 = 10 passwords.

So imagine you’re on the first of those 10 passwords (as if you were a new user). You start with that first password and every 60 days you move on to the next one. When you reach the 60th day of your 8th password you’re going to do something a bit different. You still change to the 9th password, but instead of going about your day and waiting for day 60 again, you immediately change to your 10th password and then immediately change back to your first. I’m sure you’re wondering why all the changing. Here’s why.

As I said, this program remembers the last 8 passwords you used and the one you’re on now, making 9 passwords in all. When you get to the end of your 60 days on the 8th one you may want to go right back to the 1st one, but you can’t, because:

Password 1

Password 2

Password 3

Password 4

Password 5

Password 6

Password 7

Password 8 – If you try to go back to the 1st one, the system will remind you that it still remembers the 1st one (it holds passwords 1 through 7 as history plus the one you’re on). So the goal is to make the system forget that 1st one so you can go back to it. Instead, change to your 9th one.

Password 9 – From here you may want to go back to the 1st one, but you still can’t, because the history now holds passwords 1 through 8 plus the one you’re on now. Instead, change to your 10th one.

Password 10 – Now you can go back to the 1st one: even with the ability to recall your last 8 passwords and the one you’re on now, the system can only recall passwords 2 through 10, meaning it has finally forgotten the first one.

And when you change back to the first one, the system will only recall passwords 3 through 10 and the 1st, leaving the 2nd one open. The goal is a never-ending Circle of Passwords where every time you change your password, the next one in the circle is freed up for use.

It can be a bit tricky, I know. Actually, very tricky: I have a system at my job that not only recalls your last 8 passwords but, when you try to change your password, also checks each position of the new password to make sure you didn’t have the same character in that position in any of your last 8 passwords. So, using the example above, if I had the letter “a” in the second position of my 2nd password, then when it comes time to change, the system will check the second position of the last 8 passwords to make sure I’m not using the letter “a” there again. But if you can manage to make a circle of x + 2 passwords (where x is the number of passwords the system checks back on) you will be in prime shape. One thing to watch for: many systems also enforce a minimum password age (Windows domain policy calls it exactly that, and its stated purpose is to stop people cycling through the history in one sitting), which blocks the back-to-back changes to the 10th and 1st passwords. On those systems the circle still works, but you have to wait out the minimum age between each of those changes.
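The x + 2 argument above, and the stricter position-by-position check, are easy to get wrong by hand, so here is a small simulation to check them. This is an added example and not code from the original post or from the system it describes: the policy class, its field names, the minimum-age option and the sample passwords are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed example (not from the original post): a simulation of the
# password-history policy the post describes and the "circle of passwords"
# that cycles through it.  The policy class, the field names and the sample
# passwords are assumptions made for the demonstration.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


@dataclass
class HistoryPolicy:
    """Rejects a new password that equals one of the last `remembered`
    previous passwords or the current one.  With positional=True it also
    rejects any character that sits in the same position in one of those
    remembered passwords (the stricter system the post mentions).
    min_age_days models the "minimum password age" control many systems
    have; it defaults to 0 because the post assumes changes can be made
    back to back."""
    remembered: int = 8
    positional: bool = False
    min_age_days: int = 0
    current: Optional[str] = None
    previous: List[str] = field(default_factory=list)

    def blocked(self) -> List[str]:
        """Passwords the system still remembers: history window + current."""
        window = self.previous[-self.remembered:] if self.remembered else []
        return window + ([self.current] if self.current is not None else [])

    def change(self, new: str, age_days: int = 0) -> Tuple[bool, str]:
        """Try to change to `new` after the current password has been in
        use for `age_days`.  Returns (accepted, reason)."""
        if self.current is not None and age_days < self.min_age_days:
            return False, "minimum password age not reached"
        blocked = self.blocked()
        if new in blocked:
            return False, "password is still in history"
        if self.positional:
            for old in blocked:
                for i, (a, b) in enumerate(zip(old, new)):
                    if a == b:
                        return False, f"character {b!r} reused at position {i}"
        if self.current is not None:
            self.previous.append(self.current)
        self.current = new
        return True, "ok"


def make_circle(size: int, length: int = 8) -> List[str]:
    """Constructed circle of `size` passwords: password k is the window of
    ALPHABET starting at offset k, so at every position the circle uses
    `size` distinct characters and the positional check is satisfied.
    Note how related the passwords are: that is what the positional rule
    pushes users towards, and it is not a recommendation."""
    return [ALPHABET[k:k + length] for k in range(size)]


def rotate(policy: HistoryPolicy, circle: List[str], laps: int = 2,
           days: int = 60) -> List[Tuple[str, bool, str]]:
    """Move to the next circle entry every `days` days for `laps` full
    trips round the circle.  Returns (password, accepted, reason) per step."""
    log = []
    for step in range(laps * len(circle)):
        pw = circle[step % len(circle)]
        log.append((pw,) + policy.change(pw, days))
    return log


def post_procedure(policy: HistoryPolicy, circle: List[str],
                   days: int = 60) -> List[Tuple[str, bool, str]]:
    """The post's schedule for a circle of 10: sit on passwords 1-8 for
    `days` each, change to 9 at day 60, then to 10 and back to 1 at once."""
    log = [(circle[0],) + policy.change(circle[0], days)]
    for pw in circle[1:9]:                      # passwords 2 .. 9, 60 days apart
        log.append((pw,) + policy.change(pw, days))
    log.append((circle[9],) + policy.change(circle[9], 0))   # immediately
    log.append((circle[0],) + policy.change(circle[0], 0))   # immediately
    return log


def all_accepted(log: List[Tuple[str, bool, str]]) -> bool:
    return all(ok for _, ok, _ in log)


if __name__ == "__main__":
    # x + 2 = 10 passwords cycle cleanly; x + 1 = 9 is rejected on the way round.
    print(all_accepted(rotate(HistoryPolicy(remembered=8), make_circle(10))))
    print(all_accepted(rotate(HistoryPolicy(remembered=8), make_circle(9))))
    # The stricter positional check still passes for the constructed circle.
    print(all_accepted(rotate(HistoryPolicy(remembered=8, positional=True),
                              make_circle(10))))
    # A one-day minimum password age blocks the two back-to-back changes.
    for pw, ok, why in post_procedure(HistoryPolicy(remembered=8, min_age_days=1),
                                      make_circle(10)):
        print(pw, ok, why)
```

Running it shows that a circle of 10 goes round indefinitely against an 8-deep history, that a circle of 9 is rejected the first time it wraps, and that a minimum password age of even one day turns the "change to 10 and straight back to 1" step into two rejections, which is exactly the behaviour that control exists to produce.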

This entry was posted in Computers.

6 Responses to Echoes from the Computer Room: Circle of Passwords

  1. Daran says:

    Why don’t you take the advice of one of the most respected security experts in the business: Choose a good password, then write it down.

    • Danny says:

      Oh yeah, that is good advice, Daran. But as I said in the post, this isn’t about people not being able to keep up with their passwords (although that seems to be a problem in itself) but about systems that force you to change your password on a regular basis. So to apply your recommendation, one should choose x + 2 good passwords (where x is the number of passwords the system remembers you used), write them all down, and use them as needed.

  2. A.Y. Siu says:

    The problem with any password policy is that you always trade security for convenience or vice versa.

    If you force people to change their passwords often and have different passwords for the next 9 times, then that means you’ll have a lot more people forgetting their passwords, which means you’ll have a lot more people asking you to reset their passwords (and also a lot more pressure to allow for simple, easier to remember passwords).

    If you don’t force people to change their passwords, it’s more likely their passwords will get cracked.

    I think the best tactic for an IT department to keep things secure is to teach people how to have secure passwords that are also easy to remember, and to show people how easy it is to compromise networked computers that have insecure passwords.

    • Danny says:

      The problem with any password policy is that you always trade security for convenience or vice versa.
      True. Put that on a larger scale and you end up with the constant debate over whether national security (I’m speaking about the States as I’m not sure what country you are in) is worth having our freedoms encroached upon.

      I think the best tactic for an IT department to keep things secure is to teach people how to have secure passwords that are also easy to remember,…
      Oh if it were only that easy.

      …and to show people how easy it is to compromise networked computers that have insecure passwords.
      You would be amazed how impatient people can be. If you’ve worked in IT then I’m sure you have felt the position we are often in. The upper level management wants us to make sure everything is tight and secure…as long as it doesn’t make things harder for them. And then they have the nerve to get on our case about spending so much money (which I think is more about the fact that IT departments very rarely generate revenue but spend quite a bit, and it’s quite easy to forget we are spending all that money on everyone else in the company). This is frankly why the higher up I look at the food chain of my company, the less I like the people occupying it.

  3. GallingGalla says:

    Right, so you’re expecting someone to remember 10 good passwords. Now suppose someone has 10 different accounts – not at all unusual in a corporate setting especially if there’s no single sign-on. How is it reasonable to expect people to remember 100 passwords? (because, after all, people should use different passwords for each account, yes?)

    Now for my personal accounts (which are well over 20), I use KeePassX so that I don’t *have* to remember passwords (more accurately, I only have to remember one password, which I use in combination with a keyfile) or worry about a “circle of passwords”, but how many company I/T departments will permit users to use KeePassX?

    It is unreasonable to expect anyone to remember that many passwords, especially highly secure ones. It’s an unreasonable expectation that winds up compromising security because there’s no way that anyone other than a walking dictionary can comply. So you’re *forcing* people to use weak passwords, or to write passwords down, or to use password managers; then these very people are *blamed* for (and sometimes fired for) said poor security. In the meantime, no one is doing the work to make single sign-on, or even multifactor login (password plus a token), a reality, nor is anyone seriously making biometrics a reality when the technology for eye scans, fingerprint scans, etc. has been around for at least a decade.

  4. Danny says:

    Right, so you’re expecting someone to remember 10 good passwords. Now suppose someone has 10 different accounts – not at all unusual in a corporate setting especially if there’s no single sign-on. How is it reasonable to expect people to remember 100 passwords? (because, after all, people should use different passwords for each account, yes?)
    Allow me to address this with context. I am speaking from the view of a company in which this one system I speak of is one of only about 4-6 they would need a password for. Of those 4-6 this one is the only one with such complicated.

    …but how many company I/T will permit users to use KeePassX?
    I can tell you from my experience that it’s ultimately not up to the IT department but up to Senior Management (possibly even the Board of Directors), and more than likely the Audit department will have their say on the matter.

    In the meantime, no one is doing the work to make single sign-on, or even multifactor login (password plus a token) a reality…
    We’ve brought that one up before and it seems to never go anywhere, because one of the systems (the one I mention in this post) has a set of qualifications that is handed down to us.

    In short, despite the Dilbert cartoons that paint IT departments as gatekeeping jerks who get pleasure from the pain of other employees, it’s not that simple.
