Slashdot Mirror


Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

4 of 497 comments

  1. Please let me use the same password by Hatta · Score: 5, Insightful

    We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Please let me use the same password by oldspewey · Score: 5, Insightful

      And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
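Added example, not from the thread or any poster: a small Python script that quantifies the search-space reduction oldspewey describes for a "no repeating characters" rule, and checks a candidate passphrase against it. The alphabet size (94 printable ASCII characters) and lengths are constructed sample values.

```python
import math


def search_space(alphabet_size: int, length: int, allow_repeats: bool = True) -> int:
    """Number of distinct passwords of exactly `length` symbols.

    With repeats allowed every position is free: k**n.
    Without repeats each position must differ from all earlier ones: k*(k-1)*...*(k-n+1),
    which is zero once the password is longer than the alphabet.
    """
    if allow_repeats:
        return alphabet_size ** length
    if length > alphabet_size:
        return 0
    return math.perm(alphabet_size, length)


def bits(count: int) -> float:
    """Search space expressed in bits; an empty space is -inf."""
    return math.log2(count) if count > 0 else float("-inf")


def entropy_loss_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space the no-repeat rule removes at a fixed length."""
    free = bits(search_space(alphabet_size, length))
    constrained = bits(search_space(alphabet_size, length, allow_repeats=False))
    return free - constrained


def has_repeated_char(password: str) -> bool:
    """True if the no-repeat rule would reject this password."""
    return len(set(password)) != len(password)


if __name__ == "__main__":
    # Constructed sample: 94 printable ASCII characters, a range of lengths.
    for n in (8, 12, 16, 24):
        print(f"length {n:2d}: rule costs {entropy_loss_bits(94, n):.2f} bits")
    # Many memorable passphrases are simply impossible under the rule.
    for candidate in ("correct horse battery", "Tr0ub4dor&3", "xQ7!mZp2"):
        print(f"{candidate!r}: rejected={has_repeated_char(candidate)}")
```

For a fixed length the loss against a random-guessing attacker is under a bit, but the rule grows more restrictive with length and rejects any passphrase that reuses a letter.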
  2. Re:Password aging isn't in touch with the real wor by ConceptJunkie · Score: 5, Insightful

    And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important than actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to be taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S.

    --
    You are in a maze of twisty little passages, all alike.
  3. Re:Please fix your systems! by MobyDisk · Score: 5, Insightful

    Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.