Monday, September 29, 2014

Can You Remember my Password for Me?

Let's talk for a minute about bad password policies. In today's comic, some shady pythons are using social engineering to steal passwords and other important information from the unsuspecting frogs. But in real life, there are plenty of frogs and too many snakes trying to trick them. You are more likely to have your network compromised by a user falling victim to a social engineering attack than you are having a machine run some algorithm to guess a password.

And no password policy is going to fix that. In fact, it might make the problem worse.

Today I'm forced to create passwords that are terrible. Terrible in that I can't remember them. But they are "good" by someone's standards.
  • At least 12 characters long
  • Containing upper and lower case characters as well as special symbols
  • No dictionary words
  • No more than 2 of each type of character in a row
  • Has to be changed every 60 days
  • Can't be re-used for 6 years
  • Can't be remembered for more than 6 minutes
I lose hours of productivity waiting for someone from IT to reset my password every other month when it expires. But what are my other options? Write my password on a sticky note and put in on my monitor? That seems like a poor choice too.

Sometimes I forget the password after a month. Yes, after typing it in every day for a month, I can no longer do it. My fingers just want to mash random keys instead. I've had this problem as far back as I can remember. How far back is that? I forget. But for reasons I can't explain, I would forget my locker combination several times per year in high school. The combination never even changed. I had the same one all year. I just lost the ability to remember it every once in a while.

Today I can tell you the license plate number from my first car, but I can't reliably remember my passwords. I only had the license plate for 4 months, and it was 19 years ago. There is something wrong with my brain.

I really want to switch to randomly-generated multi-word passphrases (read this PDF), but unfortunately I don't set the security policy.

Amphibian.com comic for September 29, 2014