Password Pain Persists
When I logged on to my computer at work this morning, I was greeted by one of my least favorite prompts:
Your current password will expire in 13 days.
Would you like to change it now?
As usual, I clicked the "No" button--wishing it read "Hell, no"--because I have to type in this new password on so many different computers. But I know I'll have to submit to this pointless ritual when my current password reaches the end of its allotted 90-day lifespan.
I have railed against this nonsense before as a counterproductive exercise that creates more opportunities for phishing and other social-engineering attacks (if you liked that column, please also see my colleague Marc Fisher's piece on a root cause of forced password expiration). I would submit that the last few years' worth of high-profile data breaches--most of which involved failures in security far more egregious than a password kept in service too long--have only strengthened my argument. But my employer's IT department, in addition to one of the banks I use, continues to think that making people change their passwords at an arbitrary interval makes a meaningful difference in security.
My primary avenue of protest against these policies is to keep using the same raw material for each new password. I memorize one short, non-obvious phrase--the root words don't appear in any dictionary--and then make the minimum number of changes necessary to placate the pin-headed password gods. For instance, I'll replace an "i" with "1," then 90 days later I'll turn the "1" into an "!", which will in turn be succeeded by an "|"; eventually, I've gone full circle and I can revert to the original "i."
I don't write down the password, and the only computers I store it on are themselves protected by strong, non-obvious passwords that are themselves not written down. So the networks involved remain secure, I don't have to waste too many of my own processor cycles dreaming up new passwords, and I get to feel like I've eked out a small and meaningless victory each time I "reuse" the old password. (And so my life becomes a little more like Dilbert's each month.)
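The rotation scheme described above, modelled as an added example that is not part of the original column: it walks a placeholder phrase through the i / 1 / ! / | cycle and measures, with Levenshtein edit distance, how far each "new" password is from the one it replaces. The base phrase, the distance threshold and the `is_trivial_variant` check are all assumptions of this example; the column says nothing about how an IT department might compare a new password with the old one, and this is simply one way such a near-duplicate check could be expressed.

```python
# Added example, not the author's code. Models the one-character rotation the
# column describes and shows why each 90-day "change" is effectively a reuse.

# The substitution cycle from the column: i -> 1 -> ! -> | -> back to i.
ROTATION_CYCLE = ["i", "1", "!", "|"]

# Constructed placeholder phrase with exactly one "i"; not a real password.
BASE_PHRASE = "kelphorizon"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def rotation_history(base: str, rotations: int) -> list[str]:
    """Passwords produced by `rotations` successive 90-day rotations of the first 'i'."""
    idx = base.index("i")
    return [base[:idx] + ROTATION_CYCLE[step % len(ROTATION_CYCLE)] + base[idx + 1:]
            for step in range(rotations + 1)]


def successive_distances(history: list[str]) -> list[int]:
    """Edit distance between each password and the one that replaced it."""
    return [edit_distance(old, new) for old, new in zip(history, history[1:])]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """Assumed near-duplicate check: reject a new password within a few edits of the old one."""
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    history = rotation_history(BASE_PHRASE, 4)
    for old, new in zip(history, history[1:]):
        print(f"{old} -> {new}: distance {edit_distance(old, new)}, "
              f"trivial variant: {is_trivial_variant(old, new)}")
    print("back to the original after 4 rotations:", history[0] == history[4])
```

Every step in the cycle is exactly one edit away from its predecessor, and after four rotations the phrase is back where it started, which is the column's point in numbers: the expiration policy forces a ritual, not a new secret.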
Do you have to put up with this at your workplace or home? What's your preferred response? (Bonus points to anybody who says "I write the current password on a post-it note and stick that on the monitor.")
March 3, 2008; 2:10 PM ET