Rainer Duffner wrote:
I think it should be no problem for the average employee to remember two or three complicated, but often-used passwords (with the help of a little paper scrap in their purse, for the first week, maybe). I've got lots of passwords (mysql-root passwords, passwords to access certain websites, normal root passwords, etc.pp.) and I have to write them down in a file on an encrypted partition - if I don't use them for some time, I just forget them. Those that I use often, I can usually remember well (I sometimes just remember the keys I have to type, but couldn't spell the password if I was asked for it) but the others...
If you have lots of people who refuse to learn an 8- or 10-digit apg-password (or claim that they "can't memorize it"), I'd say chances are good the same people would tell somebody on the phone claiming to be "Joe Bloggs from IT" their current password - regardless of how complicated it was. I'd even go as far as saying that some of those might read the numbers from an RSA two-factor key to someone on the phone, if (s)he was convincing enough.
So, we're down to a social problem again: if people literally switch off their brains during work, no technical hurdle will prevent them from doing something stupid. Social problems have no technical (or even judicial) solution.
You're thinking like a tech. You CARE about security. Frankly, the vast majority of your coworkers probably DON'T. They don't see it as their job to make sure the network/servers are secure. They view security measures as an impediment to getting their own work done. At any time, if they think they can get work done faster/easier by going around your security, they will. Your employees see you as Mordac, Preventer of Information Services from the Dilbert strip http://en.wikipedia.org/wiki/Mordac#Mordac

Can these people remember highly secure passwords? Sure. But they don't want to. They have other things to worry about. Your salesman would rather be brushing up on his latest sales pitch or putting more oil in his hair, rather than work on committing passwords to memory. Your analysts are trying to keep data from a dozen different sources straight in their heads to make proper projections. The secretaries would rather be chatting on the phone with whomever they seem to chat on the phone with all day. And the executives are lucky if they can find the power switch after coming back from their martini lunches.

The point is that none of these people view security the way you do. To you, it's an essential part of the network and a vital part of your job. To them, it's taking up time in their day when they could be getting their own work done. The idea that security is everyone's responsibility has not sunk in. This is why people will blithely give up their passwords; they simply don't care.

The key to good security, imho, is to make your workers' lives as simple as possible. The less annoying you are to them, the more likely they are to work with you, rather than around you. This is why I like passphrases. They're more secure than simple words, but are far easier to remember and type than the "must be 8 characters and include at least two numbers, different capitalization, a special character, and must not contain a word, word fragment, or backwards word." (Yes, I've been at a place that had that policy.) And, as you've pointed out, it's far more likely that the password leak is from the user telling someone their password than from an actual dictionary attack.
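To put numbers on the passphrase-versus-complexity-rules argument in the reply above, here is an added worked example (not code from either poster). It encodes the quoted "8 characters, two digits, mixed case, special character, no word/fragment/backwards word" policy as a checker, and compares the entropy of a uniformly random 8-character password with that of a passphrase drawn uniformly from a word list. The tiny dictionary and the sample passwords are constructed for illustration; the 95-character alphabet is printable ASCII and the 7776-word list size is the Diceware convention, both assumptions rather than anything the thread states.

```python
"""Added example: the quoted 'complex password' policy as code, next to a
passphrase entropy estimate. Word list and sample inputs are constructed."""
import math
import re
import secrets

# Constructed mini dictionary standing in for the policy's "no dictionary word" check.
WORDS = ["pass", "word", "admin", "secret", "love", "dragon", "summer", "monkey"]

# Every fragment of 4+ letters from the dictionary; the policy also bans
# fragments and reversed words, so we match each fragment forwards and backwards.
FRAGMENTS = {w[i:j] for w in WORDS
             for i in range(len(w)) for j in range(i + 4, len(w) + 1)}


def violates_complex_policy(pw: str) -> list[str]:
    """Return the rules `pw` breaks under the quoted policy (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(re.findall(r"\d", pw)) < 2:
        problems.append("fewer than two digits")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("not mixed case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    low = pw.lower()
    hits = sorted(f for f in FRAGMENTS if f in low or f[::-1] in low)
    if hits:
        problems.append(f"contains dictionary fragment(s): {hits}")
    return problems


def random_password_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of `length` characters chosen uniformly from an alphabet.
    Assumes printable ASCII (95 symbols); policy rules only lower this bound."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `n_words` chosen uniformly (with replacement) from a word list.
    7776 is the Diceware list size, used here as an assumption."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int, wordlist: list[str] = WORDS) -> str:
    """Uniform random passphrase. The entropy figures above hold only when the
    words are chosen like this, not when a user picks a favourite phrase."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["password1", "Tr0ub4d&r3", "correct horse battery staple"]:
        print(f"{candidate!r}: {violates_complex_policy(candidate) or 'passes policy'}")
    print(f"8 random printable chars : {random_password_bits(8):.1f} bits")
    print(f"4-word random passphrase : {passphrase_bits(4):.1f} bits")
    print(f"5-word random passphrase : {passphrase_bits(5):.1f} bits")
    print("sample passphrase from the constructed list:", generate_passphrase(4))
```

Two things fall out of running it. A four-word passphrase from a 7776-word list (about 51.7 bits) is in the same range as a truly random 8-character password (about 52.6 bits), and a fifth word puts it ahead, while being typeable and memorable. And the quoted policy rejects the passphrase outright (no digits, no mixed case), which is exactly the mismatch the reply complains about: the rule set optimises for resisting a dictionary attack that, as the thread notes, is not where most leaks come from.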