On website passwords…..


Digital Domain – A Strong Password Isn’t the Strongest Security – NYTimes.com.

I agree with most of this. It should be MY business to choose a good password, and IT’s business to keep their system secure if I choose a bad one. It is not my job to make their job easy. I am so tired of sites that make me formulate a specific kind of password:

  • more than n letters
  • NO more than m letters (as if storage space for ASCII characters were at a premium)
  • MUST have letters, numbers and special characters
  • MUST NOT have special characters
  • MUST have upper and lower case
  • yadda yadda yadda

If you have multiple accounts with multiple groups (as most people do these days), you end up needing to write these down, or relying on the “I forgot my password” link.

Truth is, those sites that let you know the “strength” of your password as you type it in without forcing you to do anything are MUCH more likely to encourage people to create better passwords than the ones that piss people off by forcing all kinds of contortions. (See the book: Switch).

IT folks take note: If your system is unable to protect itself against some schmuck who lets a stranger guess his password and log in, YOU SHOULD ALL BE FIRED. If your system allows ordinary users (like the aforementioned schmuck) the kind of access to your system that will permit access to sensitive system data, then YOU are not doing YOUR job right.

I worked at a place last year that upgraded their file system and INSISTED that everyone change their password. Not only that, they checked that new password against the old one and refused to allow me to re-use my old one. As far as I’m concerned, they have NO business storing my old password and checking. That amounts to little more than an IT power trip – they do this because they CAN, not because there is any evidence that it improves security.

Actually when it comes to that, most of what an IT department does in the realm of security is done for one of two reasons:

  1. They CAN.
  2. It makes THEIR lives simpler.

Try this game sometime: Ask your IT guy to show you the evidence (stats, reports, numbers) that what they are proposing/requiring will actually make things more secure. They rarely can.

Really, if you want to encourage people to create reasonably secure passwords, run a password checker from time to time (at the moment the password is set, or as an offline cracking job against the stored hashes, since a properly stored password cannot simply be read back), and send mail to people whose passwords are too easy to guess. If faculty don’t change their password after, say, two or three warnings, then announce it ‘publicly’ (i.e. within the faculty mail system).

And by the way, I should be able to use ANY character on the keyboard in my password including blanks. The only exception I can think of is the “return” character, because you still need some way to mark the end of your password.
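What the strength-meter approach above looks like in code, as an added example that is not part of the original post: a checker that reports an estimated guess count and plain advice instead of enforcing composition rules, accepts any character including blanks, and refuses only a line break. The COMMON_PASSWORDS list, the leet and suffix handling and the score bands are constructed for this example; a real estimator such as zxcvbn loads millions of leaked passwords and matches many more patterns, so the brute-force bound used here for unknown strings is an upper bound on what an attacker actually needs.

```python
"""Password feedback without composition rules (added example, not from the post).

Rates a candidate by an estimate of the guesses an attacker needs and returns
advice instead of refusing it. Any character is accepted, blanks included;
the only thing rejected is a line break, because that ends the input.
COMMON_PASSWORDS and the score bands are constructed for this example.
"""
import math

# Constructed stand-in for a breach-derived list, most common first; the
# position doubles as a popularity rank. A real deployment loads millions.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "welcome", "monkey",
    "iloveyou", "admin", "abc123", "football", "dragon", "sunshine",
]

_LEET = str.maketrans("@$0!3", "asoie")   # undo P@ssw0rd-style swaps
_SUFFIX = "0123456789!"                  # the usual "add a digit" decoration
_BANDS = (3, 6, 8, 10)                   # log10(guesses) cut-offs for scores 0-4

# Size of each character class an attacker has to enumerate; every character
# falls into exactly one of them.
_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not (c.islower() or c.isupper() or c.isdigit()), 33),  # punctuation, space
)


def _find_common(pw):
    """Return (rank, core, suffix) if pw is a common password plus the usual
    decorations (case changes, leet swaps, trailing digits or '!'), else None."""
    low = pw.lower()
    for cut in (len(low), len(low.rstrip(_SUFFIX))):
        for core in (low[:cut], low[:cut].translate(_LEET)):
            if core in COMMON_PASSWORDS:
                return COMMON_PASSWORDS.index(core) + 1, core, low[cut:]
    return None


def estimate_log10_guesses(pw):
    """log10 of the guesses needed. A decorated common password is charged its
    rank plus a factor of two per altered character and eleven per suffix
    character; anything else gets the brute-force bound charset**length."""
    if not pw:
        return 0.0
    hit = _find_common(pw)
    if hit is not None:
        rank, core, suffix = hit
        changed = sum(1 for a, b in zip(pw, core) if a != b)
        return (math.log10(rank) + changed * math.log10(2)
                + len(suffix) * math.log10(len(_SUFFIX)))
    charset = sum(size for test, size in _CLASSES if any(test(c) for c in pw))
    return len(pw) * math.log10(charset)


def score(log10_guesses):
    """0 (trivial) to 4 (out of reach for online guessing)."""
    for band, bound in enumerate(_BANDS):
        if log10_guesses < bound:
            return band
    return 4


def rate_password(pw):
    """Feedback for a password meter: a score, the estimate and plain advice.
    No composition rule is applied; the user keeps the final say."""
    if "\n" in pw or "\r" in pw:
        raise ValueError("a line break cannot be part of a password: it ends the input")
    lg = estimate_log10_guesses(pw)
    advice = []
    if _find_common(pw) is not None:
        advice.append("This is a variant of a very common password; capital letters, "
                      "symbol swaps and a trailing digit do not rescue it.")
    if len(pw) < 12:
        advice.append("Length helps far more than symbols: a few unrelated words "
                      "with spaces between them is both stronger and easier to type.")
    return {"score": score(lg), "log10_guesses": round(lg, 1), "advice": advice}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Welcome1!", "correct horse battery staple"):
        print(candidate, rate_password(candidate))
```

Note that "P@ssw0rd" satisfies every rule in the list above and still scores 0, while "correct horse battery staple" breaks the "MUST have numbers and special characters" rule and scores 4; that is the whole argument against composition rules in two lines of output.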



Comments

On website passwords….. — 1 Comment

  1. I remember being a part of the SixApart/LiveJournal community, when they tried enforcing password changes and guidelines. I’ve worked for companies that did the same thing. My phone provider just stopped doing it (about a month after I told them this policy was backward and dangerous).

    Here’s what happened: people used (or re-used) incremental passwords, vocalised gobbledegook, or wrote them on paper, keeping them (at least temporarily) where they are observable.

    Here’s the solution: stop letting people effectively brute-force your system.

    Am I wrong? I’m a neophyte at this, but some basic character manipulation, a timer, screen- and key-guards, and some log-on penalties should do it…
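The “log-on penalties” the comment ends on, as an added example that is not part of the comment or the post: a throttle that applies exponential backoff per account after a couple of free tries, plus a burst cap per source address so one host cannot spray a single guess across thousands of accounts. The credentials, the attempt log and the FakeClock are constructed for the example; a real service would compare against a stored password hash rather than a plaintext dictionary.

```python
"""Login throttling (added example, not from the post or the comment).

Bounds the number of online guesses any caller gets: exponential backoff per
account after a couple of free tries, plus a burst cap per source address so
one host cannot spray one guess across thousands of accounts. CREDENTIALS,
SAMPLE_ATTEMPTS and FakeClock are constructed for the example.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, free_tries=2, base_delay=1.0, max_delay=900.0,
                 ip_burst=20, ip_window=60.0, clock=time.monotonic):
        self.free_tries = free_tries    # a typo or two costs nothing
        self.base_delay = base_delay    # penalty after the free tries, doubled per failure
        self.max_delay = max_delay      # cap, so a lock-out attack on a victim is bounded
        self.ip_burst = ip_burst        # failures one source may make per window
        self.ip_window = ip_window
        self.clock = clock
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._not_before = {}               # account -> earliest accepted attempt
        self._ip_hits = defaultdict(deque)  # source -> times of recent failures

    def wait_time(self, account, ip):
        """Seconds the caller must wait; 0.0 means the attempt may proceed."""
        now = self.clock()
        wait = max(0.0, self._not_before.get(account, 0.0) - now)
        hits = self._ip_hits[ip]
        while hits and hits[0] <= now - self.ip_window:   # expire old failures
            hits.popleft()
        if len(hits) >= self.ip_burst:
            wait = max(wait, hits[0] + self.ip_window - now)
        return wait

    def record(self, account, ip, success):
        """Update counters after a password check has actually been made."""
        now = self.clock()
        if success:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return
        self._failures[account] += 1
        over = self._failures[account] - self.free_tries
        if over > 0:
            self._not_before[account] = now + min(
                self.base_delay * 2 ** (over - 1), self.max_delay)
        self._ip_hits[ip].append(now)


class FakeClock:
    """Deterministic stand-in for time.monotonic so the run is reproducible."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed: a real service compares against a stored password hash.
CREDENTIALS = {"alice": "correct horse battery staple"}

# Constructed attempt log: (seconds since previous attempt, account, source, password).
SAMPLE_ATTEMPTS = [
    (0.0, "alice", "203.0.113.7", "123456"),
    (0.5, "alice", "203.0.113.7", "password"),
    (0.5, "alice", "203.0.113.7", "qwerty"),       # third failure: 1 s penalty
    (0.5, "alice", "203.0.113.7", "letmein"),      # refused; password never compared
    (5.0, "alice", "203.0.113.7", "welcome"),      # fourth failure: 2 s penalty
    (0.5, "alice", "198.51.100.9", "correct horse battery staple"),  # real user, caught by the backoff
    (5.0, "alice", "198.51.100.9", "correct horse battery staple"),  # success resets the account
]


def run_attempts(attempts, clock=None):
    """Replay an attempt log; returns 'ok', 'bad' or 'throttled' per attempt."""
    clock = clock or FakeClock()
    throttle = LoginThrottle(clock=clock)
    results = []
    for gap, account, ip, password in attempts:
        clock.advance(gap)
        if throttle.wait_time(account, ip) > 0:
            results.append("throttled")
            continue
        ok = CREDENTIALS.get(account) == password
        throttle.record(account, ip, ok)
        results.append("ok" if ok else "bad")
    return results


if __name__ == "__main__":
    for attempt, result in zip(SAMPLE_ATTEMPTS, run_attempts(SAMPLE_ATTEMPTS)):
        print(f"{result:9s} {attempt[1]} from {attempt[2]}")
```

The sixth attempt shows the trade-off: the legitimate user is delayed too, because the backoff is keyed on the account, not the source. That is why it is a capped delay rather than a permanent lock (an attacker who can lock accounts at will has a denial-of-service tool), and why the per-source cap is a second, independent limit; a distributed attacker evades the latter, which is the point at which real systems add device cookies or a challenge step.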
