Monday, October 7, 2013

Change my password?!?! Again?!?!

The following message is directed towards I.T. directors everywhere, and is brought to you by all of the people that you "serve"...

STOP MAKING US CHANGE OUR FREAKING PASSWORDS EVERY 30 DAYS!!!!

First, big-company I.T. groups brought you the "minimum password requirements". This little gem was designed to provide a reasonable helping of security so that folks wouldn't just use their first names as passwords. Next, they implemented a dictionary check to make sure that you weren't using a common word. OK. Then they said you also have to use at least 8 or 10 characters in your password. OK. Then they said you have to add a number to it. Then you had to have a CAPITAL letter, too. Oh yes, and now you have to have a special character (like %, $, or #) to further throw off the password moochers. So now your password is something that not only can't be easily guessed, but that you can't easily remember, either.

No? You've found a way around this??? Cool! What did you do? Did you capitalize the first letter and add the number "1" to the end? And maybe finish it with a "!"? Guess what? So did everyone else! So now the world is full of passwords with a leading capital letter and a trailing "1", meaning that the difficulty of guessing them is greatly reduced anyway, because anyone trying to crack them builds their guess list around exactly those habits. Nevertheless, a password like that is still probably pretty hard to compromise outright.

So, given that, why in the heck do folks need to change them every month or two? Between re-entering the new password on your laptop and then again on your phone and tablet, you can lose a couple of hours just messing with your password every month. And then you have to come up with yet another password to remember. What? You found an easy way to deal with this, too??? Did you change that trailing "1" to a "2"? Guess what? So did everyone else! Are you THAT shocked? So if someone just happened to know that your password was Aardvark1, and now it's been changed, do you think they'll just try Aardvark2? I sure would. So a heckuvalotta good that monthly change is doing anyway.
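Here is the "Aardvark1 becomes Aardvark2" guess written out as an added example (this is my code, not anything from the original post). The first function generates the handful of successors someone who knows the old password would try first; the second is the similarity check a password-change endpoint would need to run, since it has the old password in cleartext at exactly that moment, if forced rotation is going to mean anything at all. The candidate rules (bump the trailing number, append a digit, swap the trailing special character) and the edit-distance threshold are my own assumptions about common habits, not something the post specifies.

```python
import re

# Added example, not code from the original post. The candidate rules below
# (bump the trailing number, append a digit, swap the trailing special character)
# are assumptions about common rotation habits, not anything the post specifies.


def successor_candidates(old: str) -> list:
    """Guesses an attacker who knows the previous password would try first,
    in roughly the order a person would try them."""
    candidates = []
    seen = set()

    def add(cand):
        if cand and cand != old and cand not in seen:
            seen.add(cand)
            candidates.append(cand)

    # Split "Aardvark1!" into core "Aardvark", digits "1", specials "!".
    m = re.match(r"^(.*?)(\d*)([^\w]*)$", old)
    core, digits, specials = m.group(1), m.group(2), m.group(3)

    # 1. The post's own example: turn the trailing 1 into a 2 (then 3, 4).
    if digits:
        n = int(digits)
        for step in range(1, 4):
            add(f"{core}{str(n + step).zfill(len(digits))}{specials}")
    else:
        for d in "1234":
            add(f"{core}{d}{specials}")

    # 2. Append one more digit: Aardvark1 -> Aardvark12.
    for d in "0123456789":
        add(f"{core}{digits}{d}{specials}")

    # 3. Toggle the trailing special character: Aardvark1 -> Aardvark1!, Aardvark1# ...
    for s in "!@#$%":
        add(f"{core}{digits}{s}")
    add(f"{core}{digits}")

    return candidates


def guesses_needed(old: str, new: str):
    """1-based position of `new` in the guess list, or None if it is not there."""
    cands = successor_candidates(old)
    return cands.index(new) + 1 if new in cands else None


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_distance: int = 2) -> bool:
    """Check a password-change endpoint can run, because the user just typed the
    old password in cleartext. Rejects a new password that is a trivial mutation
    of the old one. The distance threshold is an assumption; tune it to taste."""
    if new in successor_candidates(old):
        return True

    def word(s):
        # Same "word" once case, digits and punctuation are stripped: Aardvark1 vs aardvark1!
        return re.sub(r"[\d\W_]+", "", s).lower()

    if word(old) and word(old) == word(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    old, new = "Aardvark1", "Aardvark2"  # constructed sample, the same one the post uses
    print(f"{new} is guess #{guesses_needed(old, new)} for someone who knew {old}")
    print("rejected by similarity check:", too_similar(old, new))
    print("rejected:", too_similar(old, "correct horse battery staple"))
```

The point of the check is not to make rotation good; it is that a policy which forces a change but accepts Aardvark2 after Aardvark1 has bought nothing except the hours the user spent re-typing it into three devices.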

Yet, HERE was the greatest travesty I ever saw. At a recent company, our I.T. group required that our smartphone 4-digit PINs be changed every month. Right! Those four digits you type to unlock the phone every time you use it. To protect your corporate email, this was enforced by the phone itself, so you had no choice. Also, the auto-lock timeout was only 5 minutes, so almost every time you picked the phone up you had to put your PIN in, and remember which PIN you were currently using.

Think about the insanity here. If some stranger somehow saw you type in your PIN, they still didn't have your freaking phone to use it on. But just to be sure, it wouldn't matter because you'd be changing that PIN anyway in a couple of weeks. Going overboard a bit?

Anyway, here's my parting gift to you. If you have an I.T. department that enforces crazy password rules, give yourself a secret thrill every time you login. Change your corporate password to something like "OurITd3ptSux!" or "Ih8ourEffingITgroup!" That'll show 'em!

Oh, and if you are IN the I.T. group, why don't you reconsider some of your nutsy rules?
