Benjamin Franklin, one of the Founding Fathers of the United States, once said: ‘Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.’ You realize, of course, that I’m talking about vital and fundamental issues today. Do I mean a researcher’s freedom or the environmental impact of campus development? No, it’s even more important than that, namely the password requirements that IT imposes on your WUR account. Every three months you get a warning from WUR IT: ‘This is to remind you that your WUR password expires in five days.’
Like everyone else at WUR, I then try to come up with a new password within the painfully narrow limits (no previous password, no combination of two letters that are also in your account name, must include upper case and lower case letters, numbers and symbols, more than seven characters and no spaces). If you’re anything like me, you take a favourite character from a book and get ‘AnaSteele1!’. But by the time you’ve worked or studied at WUR for eight years, you’ve been through 24 passwords. Someone who’s been at WUR for 30 years now needs ‘Katniss12345!!!!!’ to get into their mailbox.
Big deal, do you say? Stop whingeing, Campsie, just get yourself a password manager. But a password manager makes a mockery of the change of password, because all a cybercriminal has to find is the password to your password manager (‘Guido1’). To prevent this, we now have MFA, multi-factor authentication. So if I open my laptop at 8:59 for a meeting at 9:00, I must not only remember my password (‘BellaSwan12!!’), but then unlock my phone (‘1234’), open the authenticator app, give the Microsoft code, and go through this whole process again for every WUR application. And the icing on the cake is that you always spend 10 minutes wondering why on earth you haven’t got access to Eduroam on your laptop: you forgot that you changed your password at the weekend after the final warning from WUR IT, so you can’t get onto the internet.
Hence my appeal in the interests of more freedom and just as much safety: WUR IT, can’t we just have a simple, stable password? After all, we now have MFA. And if you don’t trust my cybersecurity credentials, have a look at Microsoft’s own Password Policy Recommendations:
- Don’t require character composition requirements.
- Don’t require mandatory periodic password resets for user accounts.
Password expiration requirements do more harm than good because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.
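To make the column's point concrete, here is an added example (not WUR IT's code; the account name, the sample passwords and the reading of the "two letters from your account name" rule are my own assumptions): the composition rules as the column lists them, coded as a check, beside an audit check for the predictable-successor pattern the Microsoft text describes. The rule check accepts ‘AnaSteele2!’ after ‘AnaSteele1!’ but rejects a long spaced passphrase; the successor check is what would actually catch the rotation.

```python
import re

# Composition rules as the column describes WUR's: a reconstruction for
# illustration, not WUR IT's actual implementation.
def passes_wur_rules(pw: str, account: str, previous: list[str]) -> bool:
    if pw in previous:                      # "no previous password"
        return False
    if len(pw) <= 7 or " " in pw:           # "more than seven characters and no spaces"
        return False
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"[0-9]", pw) and re.search(r"[^A-Za-z0-9]", pw)):
        return False                        # upper, lower, number and symbol
    # Assumed reading of "no combination of two letters that are also in your
    # account name": no pair of adjacent letters from the account name may occur.
    acc = account.lower()
    bigrams = {acc[i:i + 2] for i in range(len(acc) - 1) if acc[i:i + 2].isalpha()}
    low = pw.lower()
    return not any(b in low for b in bigrams)


def _strip_tail(s: str) -> str:
    """Drop the trailing digits/symbols that rotated passwords typically bump."""
    return re.sub(r"[0-9!@#$%^&*]+$", "", s)


def is_trivial_successor(old: str, new: str) -> bool:
    """Audit check for the rotation pattern the column (and Microsoft) warn
    about: the new password is the old one with its trailing counter bumped,
    or with characters appended. A policy that only forbids reuse of the
    exact previous string does not detect this."""
    return _strip_tail(old) == _strip_tail(new) or new.startswith(old)


if __name__ == "__main__":
    account = "gcamps"  # constructed account name
    history = ["AnaSteele1!"]
    for candidate in ["AnaSteele2!", "correct horse battery staple"]:
        print(candidate, "-> rules:", passes_wur_rules(candidate, account, history),
              "| trivial successor:", is_trivial_successor(history[-1], candidate))
```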
Guido Camps (39) is a vet and a researcher at Human Nutrition and OnePlanet. He enjoys baking, beekeeping and unusual animals.