Overzealous security
Posted on 1 Mar 2013, 8:52 a.m.
When good security goes bad
Is it possible to make a system too secure?
Yes. Yes, it is.
I've worked in places where IT (either an in-house or outsourced department) make it so hard to choose a password, and/or so hard to update a password, and/or limit every user's access so much, that it's an open joke how inaccessible the system is. The system being used may or may not be trivial; the key thing is that security is getting in the way and forcing people to work around it. What follows is a real-life example of a totally broken system of security ...
We have a system that users need to access, and we need certain restrictions for some users. Obviously, therefore, we need to force users to choose 'strong' passwords that have to contain certain characters, can't contain others, need to be of a certain minimum and maximum length, have to be updated every 3 months, and can't contain any string of 3 or more characters related to their first name, last name, job title, department, previous password, etc.
Boom, good security has just gone bad, and you've just created a system that basically no one can log into after the initial 3 months.
So then what happens? Soon you will have a bunch of staff that can't access a necessary system, and people are complaining that they can't find a password that fulfils the criteria, and/or they did find one, but it was so obtuse that they've forgotten it.
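The policy described above, sketched as an added example (not code from the original post). The length bounds, required character classes and staff record are assumptions constructed for illustration, since the post gives no exact values.

```python
# Added example: an assumed reading of the password policy described in the post.
import re

MIN_LEN, MAX_LEN = 8, 16  # assumed bounds; the post gives no numbers

# Constructed staff record (hypothetical values).
PROFILE = {
    "first_name": "Stephanie",
    "last_name": "Anderson",
    "job_title": "Marketing Manager",
    "department": "Operations",
    "previous_password": "Winter#2012!",
}

def windows(value, n=3):
    """Every n-character substring of value, compared case-insensitively."""
    s = value.lower()
    return {s[i:i + n] for i in range(len(s) - n + 1)}

def violations(password, profile=PROFILE):
    """Return the policy rules that the candidate password breaks."""
    broken = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        broken.append("length")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")  # assumed classes
    if not all(re.search(c, password) for c in classes):
        broken.append("character classes")
    pw = windows(password)
    for field, value in profile.items():
        if pw & windows(value):
            broken.append(f"shares 3+ characters with {field}")
    return broken

if __name__ == "__main__":
    for candidate in ("Str0ng-Mandolin7",              # 'and' / 'man' overlap
                      "correct horse battery staple",  # too long, 'ter' overlap
                      "Qu1xot!c-Zebu9"):               # passes, hard to remember
        print(f"{candidate!r}: {violations(candidate) or 'accepted'}")
```

A password with no personal content is rejected for a coincidental three-letter overlap, while the one that passes is the kind users end up forgetting or writing down.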
And then what happens? You have a manager in Department X that has moaning staff, and is losing productivity. So that manager decides that they'll take the hit for the team, and change their password every 3 months, and then write that password up on a whiteboard so that everyone can log in as them - thus 'solving' the problem. It's shocking, but it's totally understandable!
The reason this is so absurd is that you now have the worst of both worlds. Not only can any user access resources that perhaps they're not supposed to, but you don't even know who's accessing what resources, because most of the traffic is from one user.
The important thing here is that security isn't a one-size-fits-all affair; it's unique and individual to each situation. In actual fact, in certain situations, the above example might not be so horrendous. For example, if the system in question doesn't really need auditing of individual usage, and is largely just designed to keep out the general public (and you have physical security to prevent the general public accessing the whiteboard), then it's actually OK, perhaps even desirable. It's when you have processes that are being circumvented by users due to the security you've put in place that you shoot yourself in the foot.