Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

Stupid Policies, Not Stupid Users.

[Hank+Reardon]

What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

The policies also prohibit using the same password multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

I wish we'd switch to RADIUS.