Programmers are knuckleheads.
Password requirements have gotten completely out of hand. And the effect is LESS security rather than more. For instance, I use Rackspace hosting. For their admin site, they require my password to contain at least one capital letter, one number, one symbol, and to be at least 8 characters long. I called to complain about the ridiculous nature of these requirements and the customer service rep told me I could “just save that password with my browser” so I wouldn’t have to remember it.
Um.
HWAT?!?
They want their system to be secure, so they crank up the difficulty of their password scheme and then they outsource that security to the security of my laptop, which doesn’t have a password. That can’t possibly make sense to anyone. The system would no longer be secure.
It’s like, no matter how many studies come out showing that strong passwords are not the problem, the “security experts” (used incredibly loosely) continue to argue for “stronger” passwords.
At what point do we start learning squirrel?
Every once in a while, I come across a smart business with smart password requirements. For example, litmusapp requires 4 characters. That’s it. 4. Lousy. Characters. Are they crazy? How can that possibly be secure?
Probably because they’re smart. Most likely they have systems in place that guard against brute-force attacks, so the server, not the user’s memory, bears the cost of guessing. I’ll probably write more about that at some point, but I’m too lazy right now.
In the meantime, don’t be dumb and don’t be Dilbert’s boss. Be cool, like the Litmus people.
Tags: risk management, security