Shiny Donkey!
Geek Stuff Password idiocy

10/26/06 08:42 AM EST
posted by JER email web

When Doceus made me change my password every 30 days, I was annoyed and started using month names.  That lasted about 3 months until Harry used a password cracker and told me that "november" was not an appropriately complex password.  I changed it to november01 and was not hassled again.

In the years since, I've been fighting a losing battle against stringent password policies.  I've come across policies that make me long for the simple Doceus rule of "just don't use a dictionary word."

DOD has just mandated that all admin account passwords must be at least FIFTEEN characters.  This is on top of the use at least 2 numbers, 2 special characters, 2 caps and 2 lowercase rule (and the can't be one of your previous 30 passwords rule).  Homeland Security goes even farther by saying that you MUST start and end with a letter (why??) and that no two characters can be repeated consecutively.  Also, they limit you to an 8-16 character range (again, why only 16??).

The most brilliant password policy ever is documented here:
http://support.microsoft.com/kb/276304/en-us/

Now you might be asking yourself WHY I'm such an anti-stringency advocate...  Aren't secure passwords a good thing?  Of course they are -- I think using "november" was pretty naive of me.  But the new wave of "secure" password policies has brought us to a point where most users have no choice but to write down their password somewhere.  When your password changes every 30 days and follows 80 different rules, it's nearly impossible for many people to remember.

Furthermore, while it's nice that the password can include numbers, special characters and uppercase, forcing it to contain a specific number of them, limiting the start & end characters or specifying consecutive character rules REDUCES security.  The number of permutations required to crack the DHS password is actually fewer if you know that it must start with a certain character or that "a" can never follow "a."

What silly password policy are you following?
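
Added example, not part of JER's post: a Python count of how many passwords survive the rules described above, to put a number on the claim that mandatory composition and placement rules shrink the search space. It assumes a 94-symbol printable-ASCII alphabet and that the DHS rules apply on top of the two-per-class rule; the function names are illustrative.

```python
from collections import defaultdict
from math import log2

# Assumed alphabet: 94 printable ASCII symbols (the post names none).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
NAMES = list(CLASSES)
LETTERS = {"lower", "upper"}

def count_passwords(length, min_per_class=0, letter_ends=False, no_repeat=False):
    """Count strings of `length` allowed by the selected rules.

    DP state: (per-class counts capped at min_per_class, class of last char).
    """
    cap = min_per_class
    states = defaultdict(int)
    for i, name in enumerate(NAMES):  # choose the first character
        if letter_ends and name not in LETTERS:
            continue
        counts = tuple(min(cap, int(j == i)) for j in range(len(NAMES)))
        states[(counts, i)] += CLASSES[name]
    for pos in range(1, length):
        is_last = pos == length - 1
        nxt = defaultdict(int)
        for (counts, prev), ways in states.items():
            for i, name in enumerate(NAMES):
                if letter_ends and is_last and name not in LETTERS:
                    continue
                # no_repeat forbids exactly one symbol: the previous one.
                choices = CLASSES[name] - (1 if no_repeat and i == prev else 0)
                new = tuple(min(cap, c + (j == i)) for j, c in enumerate(counts))
                nxt[(new, i)] += ways * choices
        states = nxt
    return sum(w for (counts, _), w in states.items()
               if all(c >= cap for c in counts))

def keyspace(lo, hi, **rules):
    """Total candidates across the allowed length range lo..hi inclusive."""
    return sum(count_passwords(n, **rules) for n in range(lo, hi + 1))

if __name__ == "__main__":
    free = keyspace(8, 16)
    ruled = keyspace(8, 16, min_per_class=2, letter_ends=True, no_repeat=True)
    print(f"8-16 chars, no rules : {log2(free):.2f} bits")
    print(f"8-16 chars, all rules: {log2(ruled):.2f} bits")
    print(f"fraction of candidates left: {ruled / free:.3f}")
```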

 

Miscellaneous

10/06/06 06:14 PM EST
posted by Dan

Well i don't care if they are fake or not she is still f***ing hot and i would f*** her till i die.

 


