NanoToolkit Blog


The Tyranny of Expiring Passwords

It is pretty clear that initiatives such as OpenID have failed to gain any major traction in the consumer market. It is also clear that in the enterprise, single sign-on services such as Microsoft’s Active Directory no longer have the ubiquity they once did. Microsoft has tried to put forward an Azure single sign-on service, but that too has not gained any real momentum yet.

That all said, we are left holding individual credentials for every major service we use. In our personal lives, for instance, we might have 1-2 bank accounts, 2-4 credit card accounts, a mobile phone account, a tax preparation software account, a school account and utilities accounts. As if that were not enough, we also have a whole host of corporate accounts provisioned for us: some of us might have a travel account, a procurement system account, a CRM account and corporate Active Directory credentials. Needless to say, most of these applications do not share a common logon. Some services require you to use your e-mail address as your username, yet occasionally the same kind of application will explicitly bar you from using certain characters, such as dots, in your username.

As if that were not complicated enough, the rules for passwords are even more varied. Some password rules are as follows:

· Password length (normally at least 5-8 characters)

· Alphanumeric characters required

· At least one upper case character and one lower case character required

· Alphanumeric and special characters required

· No special characters allowed (normally companies that accept telephone passwords have this rule)

Expiring passwords complicate the timeline even further. Many businesses set a 90-day or 180-day password expiration policy. In addition, your new password cannot match any of the last X passwords you have previously chosen.
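To make the interaction of these rules concrete, here is an added example (not code from the original post) of a small policy evaluator. The three policies are constructed to mirror the rule types listed above, with assumed values for lengths, history depth and maximum age; they are not any real vendor's actual policy. It shows how one candidate password can be accepted by one service, rejected by another for containing a special character, and rejected by a third for lacking one, and how history and expiry rules add forced resets on top.

```python
"""Password policy evaluator illustrating how composition, history and
expiry rules interact. Added example with constructed policies."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import hashlib
import re

# Anything that is not a letter or digit counts as a "special character".
SPECIAL = re.compile(r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int = 8
    require_mixed_case: bool = False
    require_digit: bool = False
    require_special: bool = False
    forbid_special: bool = False
    history_size: int = 0                 # 0 = no password-history rule
    max_age_days: Optional[int] = None    # None = passwords never expire


# Constructed policies (assumed values) mirroring the rule types in the post.
BANK_POLICY = Policy("bank", min_length=8, require_digit=True, require_special=True)
PHONE_POLICY = Policy("phone", min_length=6, require_digit=True, forbid_special=True)
CORP_AD_POLICY = Policy("corporate-ad", min_length=8, require_mixed_case=True,
                        require_digit=True, require_special=True,
                        history_size=10, max_age_days=90)


def fingerprint(password: str) -> str:
    """Fingerprint used for the history check.
    Demo only: a real password-history store should use a salted, slow hash
    (bcrypt/argon2); plain SHA-256 keeps this example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: Policy, candidate: str,
                   history: Tuple[str, ...] = ()) -> List[str]:
    """Return the names of every rule the candidate violates (empty = accepted).
    `history` holds fingerprints of earlier passwords, oldest first."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("too_short")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if policy.require_mixed_case and not (has_upper and has_lower):
        violations.append("mixed_case")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        violations.append("digit")
    has_special = SPECIAL.search(candidate) is not None
    if policy.require_special and not has_special:
        violations.append("special_required")
    if policy.forbid_special and has_special:
        violations.append("special_forbidden")
    # Only the most recent `history_size` fingerprints count as "recently used".
    if policy.history_size and fingerprint(candidate) in history[-policy.history_size:]:
        violations.append("reused")
    return violations


def days_until_expiry(policy: Policy, last_changed: str, today: str) -> Optional[int]:
    """Days left before a forced reset, given ISO dates (YYYY-MM-DD).
    None if the policy has no maximum age; negative if already expired."""
    if policy.max_age_days is None:
        return None
    elapsed = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    return policy.max_age_days - elapsed


def evaluate_everywhere(candidate: str,
                        policies=(BANK_POLICY, PHONE_POLICY, CORP_AD_POLICY)) -> Dict[str, List[str]]:
    """Map each policy name to its violations: the same password is rarely
    acceptable to every service at once."""
    return {p.name: check_password(p, candidate) for p in policies}


if __name__ == "__main__":
    for pw in ("Winter#2024", "winter2024", "482913"):   # constructed samples
        print(pw, evaluate_everywhere(pw))
    print("days left on corporate password:",
          days_until_expiry(CORP_AD_POLICY, "2024-01-01", "2024-03-01"))
```

Running the script shows "Winter#2024" passing the bank and corporate policies but failing the phone policy, while "482913" does the reverse; the expiry helper reports 30 days left on a 90-day policy two months after the last change, which is exactly the kind of staggered reset calendar the post describes.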

This paradigm creates a situation in which, every few weeks, some password is either expiring or we cannot remember it, and so we are forced to reset it. The phenomenon is one big feedback loop that keeps adding to the ever-growing pool of passwords we must hold in memory and try. However, because of the frequency of attacks, companies prevent you from making too many repeated unsuccessful sign-in attempts.

Figure 1: A chart showing how often we need to reset or change our passwords.