passwords

2007-06-06 10:52:40

Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevents you from using the same password for some ridiculous period of time and which disallows dictionary-based words/phrases.

Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

Of course, I understand that a lot of these policies are based on outdated recommendations and come down from on high. However, it would be nice if those making these "rules" would realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)