WebApp Sec mailing list archives

Re: Why doesn't Amazon enforce a password policy?


From: Tom Whiting <wolf () wolfstream net>
Date: Fri, 27 Oct 2006 07:32:01 -0500

Any time I run into organizations like this which require users to change their passwords every XXX amount of days, I 
leave. It doesn't matter HOW long I've been a customer of theirs, I simply leave. Why?

Firstly, this is an insecure method of doing things. Users choose their own passwords, for a reason. They shouldn't be 
required to change their passwords every 30, 60, 90, whatever days. If they do, there's more of a chance that it will 
get written down, which means that there's more of a chance that someone will "stumble across it", meaning that it's 
less secure than relying on the brain. Put all the "password recovery" systems in there you want, this is still going 
to get written down, and it's less secure.

Secondly, this is an insult to your users. It takes something that is THEIR responsibility and makes it YOURS. It's 
like saying "I'm sorry, but YOUR passwords are too weak, OURS are better, you MUST abide by our password rules". No, as 
a customer, I must NOT. The internet is a large place, and there are PLENTY of individuals out there who aren't as anal 
as this about security. My money would simply go there.

Thirdly, this isn't about "security", this is about forcing users to use YOUR policies, which are outdated and entirely 
too strict. Unless you are processing government sensitive data, there is no reason you should ever force your users to 
change their passwords, ever.

Take a look at the leaders in this industry. Paypal, ebay, amazon, tigerdirect, newegg. Do they require users to change 
their password every XXX days? No, they do not. Why? Because they respect their customers, and allow THEM to choose to 
change their passwords. Do away with requiring a non-alphanumeric symbol if you have that, as well, because that's not 
"good password enforcement", it's the same as above.

Personally, I have a set of 5-10 passwords that I have used for years. None of these compare to today's supposed 
"standards", yet they're all strong enough to be secure in their own right. I find it an insult when a site like this 
forces me to change something that I PERSONALLY know is secure enough, and have been for years.

Now, if you have proof that your customer's account is "hacked", or has been used without their permission, yes, by all 
means, force a password change. This should be the ONLY time, however, that this is done, not on a "whim", certainly 
not set forth by some security policy that will do nothing but annoy users.

In the end, why do these companies NOT force their customers to change their password every XXX days? They realize that 
there are plenty of other ways to enforce security, and this one, minor way will cause more grief than it's worth.



There is a small war going on where I work.  I am trying to get a
password policy enforced for our web applications and certain
business leaders are opposing it.  There are two areas of
opposition:

1. Minimum password length of 6 (currently 4, 6 was going to be a
   compromise).
2. Expiration of passwords (currently none).

Strength requirements on the password content seems to be ok with
them.

These leaders compare our business with Amazon (a bit of a reach
but we go with it for argument's sake) and their main argument for
not enforcing a minimum password length and password expiration is
that Amazon doesn't do it.

How should I go about convincing them that Amazon.com is wrong and
the fact that they haven't had a severe account breach is no reason
not to implement a policy ourselves?  Or, to play devil's advocate
with myself, if I'm wrong, why doesn't Amazon enforce a password
policy?

On a side note, the development work for implementing the policy is
already done.  It was done as part of a separate project and just
not turned on until this argument could be resolved so there will
be almost no development cost associated with implementing the
policy.

Thanks for your feedback.

James Strassburg
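The two disputed settings in James's message (minimum length, with 4 and 6 as the candidate values, and expiration, currently none) and the one case Tom accepts (a forced change only when an account is known to be compromised) can all be expressed as one configurable policy. The following is an added example, not code from either poster or from any company mentioned in the thread; `PasswordPolicy`, `Account` and the constructed dates are assumptions made here to keep it self-contained.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Hypothetical policy object. Each knob maps to a point in the thread:
    min_length (4 vs 6), max_age_days (None = never expire, as Tom argues;
    an integer = forced rotation, as James proposes) and a content-strength
    rule, which both sides accepted."""
    min_length: int = 6
    max_age_days: Optional[int] = None
    require_mixed_classes: bool = True

    def check_new_password(self, password: str) -> List[str]:
        """Return the list of violations; an empty list means accepted."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_mixed_classes:
            # Count how many character classes the password draws from.
            classes = sum([
                any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password),
            ])
            if classes < 2:
                problems.append("must mix at least two character classes")
        return problems


@dataclass
class Account:
    """Hypothetical account record. `compromised` is set by incident
    handling (the one case in which Tom agrees a reset is justified),
    never by the password-age check."""
    username: str
    password_set_on: date
    compromised: bool = False

    def must_change_password(self, policy: PasswordPolicy,
                             today: date) -> Optional[str]:
        """Return the reason a change is required, or None if it is not."""
        if self.compromised:
            return "account flagged as compromised"
        if policy.max_age_days is not None:
            age = (today - self.password_set_on).days
            if age > policy.max_age_days:
                return f"password is {age} days old (limit {policy.max_age_days})"
        return None


if __name__ == "__main__":
    # Constructed sample data: the date of the thread and an account whose
    # password was set earlier that year.
    today = date(2006, 10, 27)
    acct = Account("jdoe", password_set_on=date(2006, 7, 1))

    no_expiry = PasswordPolicy(min_length=6, max_age_days=None)
    rotate_90 = PasswordPolicy(min_length=6, max_age_days=90)

    print(no_expiry.check_new_password("abcd"))      # too short, one class
    print(no_expiry.check_new_password("abc123"))    # accepted
    print(acct.must_change_password(no_expiry, today))  # None
    print(acct.must_change_password(rotate_90, today))  # 118 days old
    acct.compromised = True
    print(acct.must_change_password(no_expiry, today))  # forced by incident
```

Running it shows the two policies agreeing on what a new password must look like and disagreeing only on whether an unchanged password ever becomes invalid; setting `compromised` forces a reset under either policy, which is the behaviour both posters would accept.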



