It may be Halloween, but for thousands of corporate IT users there’s another reason today inspires fear: it’s time once again for the mandatory end-of-month password change. Few common IT policies drive users to distraction as regularly and reliably as the aggressiveness of enterprise password policies.

But with more of the threat to enterprise security now coming from attackers who hijack a user’s account or session after that user has already logged in, do byzantine password policies really do anything to protect corporate data? In some cases, the password policy itself may create a bigger security threat than the risk of a password being guessed.

The password problem

Passwords are still important, but the value of aggressive password policies as security against unauthorized access is questionable, said Andrew Marshall, CIO of Philadelphia-based Campus Apartments, in an interview with Ars Technica. “Statistical attacks—repeated attempts at guessing a password using hints or a dictionary—are unlikely to yield results, provided that the enterprise system implements a ‘lockout after X incorrect attempts’ policy,” he said. “Enforcing tricky complexity and length rules increases the likelihood that the password will be written down somewhere.”

Even strong passwords don’t prevent breaches. Scott Greaux, a product manager at Phishme, a security risk assessment firm, said that most recent data breaches have been the result of social engineering attacks like phishing. “Every major breach has been initiated by phishing,” he said. “Password controls are great. Mature authentication systems enforce strong passwords, and have reasonable lockouts for failed login attempts, so brute-forcing is increasingly difficult.”

But, Greaux says, the weak link is a user’s trusting nature. “I could ask people for their strong, complex password," he added, "and they’ll probably give it to me.”

If users aren’t writing down or giving up their passwords, many simply forget them, increasing the workload on help desks. Adam Roderick, director of IT services at Aspenware, tells Ars that he frequently hears from client companies that a quarter to a third of all help-desk requests are the result of forgotten passwords or locked accounts. Despite the availability of self-service password recovery systems such as those from ManageEngine, “I do not see much investment from corporate IT in password recovery tools,” he said.

Roderick said single sign-on systems could significantly reduce the problem, since users’ frustrations usually come from having to manage multiple passwords.

But many companies have no desire to implement single sign-on systems, and some see them as a security risk rather than an aid. In an e-mail interview with Ars Technica, John Biglin, the CEO of IT consulting firm Interphase Systems, gave an example of one client’s password nightmare. “We have a client where the users need regular access to five or six systems that require passwords,” Biglin said. “The firm has an aggressive policy that includes a complex password requirement—the password must include mixed case, numbers, and special characters; the passwords cannot be reused for 12 [changes]; the passwords must be changed every 60 days, and 30 in some cases; and three failed attempts lock the account, with no self-service reset capability.”

The company’s IT team has “had no desire to implement SSO,” Biglin said. And the password policy is enforced across all systems, regardless of how often they’re accessed, “so if you don’t use a particular system often, you can count on needing to call the help desk every time the user attempts to access it,” he added. Biglin said that the client’s security team believes that this “hard core approach” keeps their systems safe, but “what actually happens is that many users now write down each of their passwords on a Post-It, a notebook on their desk, or something under their keyboard.” Some even keep every password in a spreadsheet on their laptop, so a single compromise of that machine hands an attacker access to all of the corporate systems at once.

A better policy

So just what is a good password policy? It depends who you ask. Biglin suggests complex passwords, changed two or three times a year, and the use of a self-service password reset option.

Marshall thinks regular changes are important if only to avoid the problem of password reuse outside the enterprise. “It’s tempting to use the same password as your enterprise account’s password,” he said. “If the password changes frequently, you’re less likely to use it externally.” He thinks what’s more important is teaching users how to create passwords that they can remember.

One of those methods is to use a passphrase rather than a password, a method illustrated here in Randall Munroe’s comic xkcd:
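The following script is an added example, not code from the article or from any of the people interviewed in it. It puts numbers on two points made above: Marshall’s claim that guessing attacks are unlikely to succeed against a system with a lockout policy, and the passphrase method the xkcd comic illustrates. It generates a random multi-word passphrase with Python’s CSPRNG and computes how long an online guessing attack takes under an assumed lockout policy (three failed attempts, then a 30-minute lockout, a common Active Directory style setting) versus an offline attack against a stolen hash. The 32-word list is constructed for the example; the 2048-word and 7776-word figures are the sizes behind xkcd’s “44 bits” estimate and the EFF long wordlist respectively.

```python
import math
import secrets

# Constructed 32-word sample list for this example. A real passphrase list such
# as the EFF long wordlist has 7776 entries (12.9 bits per word); 32 words give
# only 5 bits per word, which is why list size matters as much as word count.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "bridge", "castle", "desert", "engine", "falcon", "glacier", "hammer",
]


def generate_passphrase(words, count=4, separator=" "):
    """Pick `count` words uniformly at random using the CSPRNG in `secrets`.

    Using random.choice here would be a bug: it is seeded from a predictable
    source and is not suitable for secrets.
    """
    if count < 1 or not words:
        raise ValueError("need a non-empty wordlist and at least one word")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Entropy of a secret built from `length` independent uniform picks out of
    `choices` options. Only valid for machine-generated secrets; a human-chosen
    'complex' password has far less entropy than 94**8 would suggest."""
    return length * math.log2(choices)


def expected_guesses(bits):
    """An attacker expects to hit a uniformly random secret after half the keyspace."""
    return 2.0 ** bits / 2.0


def online_years_to_guess(bits, attempts_per_window, window_minutes):
    """Years for an online guessing attack throttled by a lockout policy that
    permits `attempts_per_window` failures before locking the account for
    `window_minutes` (assumed policy; the attacker targets a single account)."""
    guesses_per_minute = attempts_per_window / window_minutes
    minutes = expected_guesses(bits) / guesses_per_minute
    return minutes / (60 * 24 * 365)


def offline_years_to_guess(bits, guesses_per_second):
    """Years when the attacker holds the password hash and is not rate limited."""
    return expected_guesses(bits) / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    scenarios = [
        ("4 words from this 32-word list", len(SAMPLE_WORDS), 4),
        ("4 words from a 2048-word list (xkcd's estimate)", 2048, 4),
        ("4 words from the 7776-word EFF list", 7776, 4),
        ("8 random printable ASCII characters", 94, 8),
    ]
    for name, choices, length in scenarios:
        bits = entropy_bits(choices, length)
        print(f"{name}: {bits:.1f} bits; "
              f"online, 3 tries per 30-min lockout: {online_years_to_guess(bits, 3, 30):.2e} years; "
              f"offline at 1e10 guesses/s: {offline_years_to_guess(bits, 1e10):.2e} years")
```

Two caveats the numbers make visible. First, even a 20-bit secret takes about ten years to guess online under that lockout policy, which is Marshall’s point; the same secret falls in microseconds once the hash is stolen, so hash storage (a slow, salted hash) matters far more than forcing rotation. Second, the online model assumes one account: a per-account lockout does nothing against password spraying, where the attacker tries one or two common passwords against every account, and an aggressive lockout also lets anyone who knows a username lock that user out at will.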