2007-06-06 10:52:40
passwords
Whenever I hear the usual rant about users having their password as a sticky
note on their monitors, my instant reaction is "It's your fault, you goob!"
I've worked lots of places where they've implemented a new "password security
process" which requires you to switch your password regularly and which prevents
you from using the same password for some ridiculous period of time and which
disallows dictionary-based words/phrases.
Hello, McFly? Which is better: my having an easily-remembered but
difficult-to-guess password that I never write down, or you forcing me to
change my password frequently and then write it down because your policy makes
me choose something obscure? My original password was fairly strong (a
combination of upper and lowercase letters and numbers that are meaningful only
to me) but when I'm forced to change to something new, it will be written down
somewhere until it's committed to memory. Can you say "counterproductive"? How
about "unintended consequences"?
Of course, I understand that a lot of these policies are based on outdated
recommendations and come down from on high. However, it would be nice if those
making these "rules" would realize that most users have other things to do besides
remembering a constantly changing set of passwords. Oh, BTW -- my new password
is "theCIOsucks!" :-)