Is policies for password really useful
This argument is discussed in the excellent book “Why Software Sucks“, password policies are really useful?
I give you my opinion. I have really a lot of username/password ranges from my home banking account to various sites like, flickr, dotnetkick etc etc. My problem is that the amount of passwords is becoming really huge and I need a way to remember them with easy.
The obvious solution is using the same password for every site, but this is really insecure, if some site does not protects well my password (store it in clear text), a malicious user can grab username and password and can try to use it for other sites. Choosing only one password is not secure. At the other end of the spectrum is generate some random password, different for any site, this is really more secure, but almost impossible to remember, so you have to write down them somewere…actually making this technique not so secure.
I use a mix of the two, I use really strong password for my bank account, change it frequently, and write down in a paper stored in my house, and I do not write down real password, but use simple trick, like a Caesar cipher. Then I use quite the same password for important sites with really little variation, so I can remember them very well. Imagine to use a password like fg_e3@fa_@ and then for each site I append an integer that you can obtain with some sort of simple calculation of site or organization name ;). Finally I use the same stupid password for each site that I do not care about.
This morning was the third time I forget password for delicious, since it’s password policy does not permit me to use my simple and stupid password because it is only made by number and alphanumerical symbols. this really annoyed me, because my password is something like 123@_@321 and even if it is stupid, it is quite secure for the purpose to protect my bookmark, and I really does not care if anyone steal it, because it is used only for site I do not really care about. Since I had to choose a different password. I really prefer the site to warn me: “Hey, your password is not so secure”, but this should not block me.
Password policy is not the solution, if you force your employees to change password once a month and set up a policy that requires 12 charachter with no less than 3 symbols, you’ll end with a post-it on each monitor with the password in clear text.
alk.