The password paradox


Password overload is weighing on federal workers, leading government security pros to worry, more than their private-sector counterparts do, that employees will dodge security regulations.

In a survey of 150 federal IT and security professionals released Sept. 9, Dell probed the state of attitudes toward security.

“I think it shows that sometimes the heavy-handed approach we take to security is too intrusive,” Paul Christman, vice president of federal at Dell Software, said of the survey results.

Too many passwords

While Christman noted that the “Platonic ideal” of security is a single sign-on, only 3 percent of federal respondents said the typical employee needed one login/password combination to do the job. Dell compared federal survey answers to a separate poll of 310 private-sector security professionals; 9 percent of the private-sector respondents said the typical employee had a single login/password combo.

Wrangling between two and five passwords was a far more common answer, given by 47 percent of federal and 58 percent of private-sector respondents.

But feds apparently face an increasing weight of passwords, with 34 percent of federal respondents saying the typical employee needed between six and 10 passwords (compared with only 16 percent for the private sector) and 3 percent of federal respondents pegging the level at more than 50 passwords (only 1 percent of private-sector respondents made that claim).

The fears of their minders offer another indication that feds are overburdened by security requirements.

Dell asked security pros what their organization’s greatest security risk was, and 32 percent of federal respondents said the greatest risk was employees finding workarounds to duck official security measures.

Only 21 percent of private-sector respondents said the same.

Not everyone should carry that weight

In a recent interview with FCW (prior to Dell’s survey publication), Marc Boroditsky, COO of the strong authentication firm Authy, decried the overreliance on passwords and skewered the idea that people should start lying about security question answers as a defense.

“This is the charade that drives me nuts. We put complexity on top of complexity, and call it security,” Boroditsky said. “Why is it the user’s problem to manage the weakness that is built into these systems?”

Boroditsky called for a “simple and modern” set of solutions that includes two-factor authentication and perhaps a single sign-on combined with deep user behavior analytics to notice anomalous behavior and trigger added security steps when suspicious activity is detected. Boroditsky’s example, for a utility: “This guy always pays his bills between 4 and 6 on weekdays, all of a sudden we’re seeing him at 8 on Sunday?”

Christman echoed Boroditsky’s suggestions, and added that the survey results spoke to a real problem within government and the private sector alike.

“Don’t blame the users for finding a workaround,” Christman said, making the case that good security shouldn’t keep employees from being able to get their jobs done.

Stop saying “passwords,” Christman urged, and start saying “identities.”

When identities, vetted by strong authentication, can be connected at the application level, organizations can lighten the password load on their employees, while maintaining vigorous security standards by tracking a host of useful data: user behavior, location, whether a device is encrypted, whether information is being downloaded or merely viewed.

“All of those things can be used to create a more robust and more appropriate risk assessment,” Christman said.

In the more perfect world envisioned by Boroditsky and Christman, the heaviest security strain is placed squarely on the shoulders of users engaged in the riskiest activities.

For everyone else doing normal, low-risk job activities, the load should lighten.
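The adaptive model Boroditsky and Christman describe, in which normal low-risk activity passes with a single login and anomalous activity triggers an added authentication step, can be sketched as a small risk scorer. This is an added illustration, not code from Dell, Authy or FCW; the signals (time of day, weekday, location, device encryption, view versus download), the weights and the step-up threshold are assumptions chosen for the example, and the user baseline and events are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """What 'normal' looks like for one user (constructed sample data)."""
    usual_hours: range        # local hours when this user normally logs in
    usual_weekdays: set       # 0 = Monday ... 6 = Sunday
    usual_locations: set      # coarse locations, e.g. city names

@dataclass
class Event:
    """One access attempt as seen by the application (constructed sample data)."""
    hour: int
    weekday: int
    location: str
    device_encrypted: bool
    action: str               # "view" or "download"

# Illustrative weights (assumptions, not values from the article).
WEIGHTS = {
    "off_hours": 2,
    "unusual_day": 2,
    "new_location": 3,
    "unencrypted_device": 2,
    "download": 1,
}
STEP_UP_THRESHOLD = 3         # at or above this score, require a second factor

def risk_score(ev: Event, base: Baseline):
    """Return (score, reasons): which signals deviate from the user's baseline."""
    reasons = []
    if ev.hour not in base.usual_hours:
        reasons.append("off_hours")
    if ev.weekday not in base.usual_weekdays:
        reasons.append("unusual_day")
    if ev.location not in base.usual_locations:
        reasons.append("new_location")
    if not ev.device_encrypted:
        reasons.append("unencrypted_device")
    if ev.action == "download":
        reasons.append("download")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(ev: Event, base: Baseline):
    """'allow' for routine activity, 'step_up' (second factor) when risk accumulates."""
    score, reasons = risk_score(ev, base)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow", score, reasons)

# The utility customer from the article: pays bills weekday afternoons, then shows up Sunday evening.
CUSTOMER = Baseline(usual_hours=range(16, 18), usual_weekdays={0, 1, 2, 3, 4}, usual_locations={"Springfield"})
SUNDAY_NIGHT = Event(hour=20, weekday=6, location="Springfield", device_encrypted=True, action="view")
```

Calling `decide(SUNDAY_NIGHT, CUSTOMER)` flags both the hour and the day and returns `step_up`, while the same user at 5 p.m. on a Tuesday scores zero and is simply allowed through.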

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.
