
    Password Inundation: Password Policies We Love to Hate

    By | February 24, 2016

    As a technology-obsessed society we're drowning in a sea of passwords. Remember when your locker combo was all you had to memorize? Now I have over 100 different passwords. It’s ridiculous.

    The problem is no one can possibly remember that many passwords. So what do we do as lazy tech connoisseurs? We simply use the same password over and over again. Problem solved! In fact, research performed at Carnegie Mellon University in 2014 suggests that 80% of people reuse their passwords.

    No wonder cyber security breaches are so rampant. We are lazy to the point of negligence. Need more evidence? “123456” was the most popular password in 2015.

    In order to save us from ourselves, organizations are encouraged to establish password policies that force us to formulate stronger passwords. In general, password policies bolster cyber security and are necessary for a strong internal control environment. Their existence is perfectly understandable, but that doesn’t make password policies any less annoying.

    Here are the top password policies we love to hate:

    Two-factor authentication
    Typically, two-factor authentication requires a password and something else like a security token or a key fob. There is no argument about the benefits of two-factor authentication, especially for sensitive data. (PII anyone?) But more factors only lead to more hassle for the user.

    Tell me I am not the only one who has shown up at work after sitting in traffic for an hour to realize that I left that pesky key fob at home. I love wasting billable time to call the IT hotline for a temporary code. It’s the best.

    Automatic change of password time frame
    Requiring users to change their password after a certain period of time is one of the most infuriating policies on earth. For instance, you finally memorized your perfect password. It has more password entropy than you know what to do with and 3…2…1…

    “Your password has expired. Create a new password.”

    Noooo! It is enough to make a person cry.

    Password history
    Closely related to the automatic change policy is the dreaded password history.

    After getting prompted to change your passwords you think, “No big deal, I will just re-submit my old password,” and out of nowhere it is denied. The new password cannot be the same as any of the last five. Foiled again!

    Rather than letting the computer have the last laugh, you tweak your password and move on. The next time you log in, good luck remembering the minor change. It’s inevitable you will lock yourself out of your account while your muscle memory gets the hang of it. There goes more billable time spent unlocking your account. There is a charge code for that, right?

    Until we figure out another acceptable means of authentication (e.g. biometrics becoming more mainstream), passwords will continue to be both relevant and a pain in the neck. I will leave you with a few techniques to keep track of your passwords without going insane.

    Did I miss any policies that you enjoy loathing? Post them in the comments.

    Related: Here Are Some of the Worst Accounting-Related Passwords Hacked From LinkedIn

    Image: Someecards

    • crazy_bout_AP

      Password security policies have made passwords so much weaker. It's easier for a computer to brute force “Randy1#”, a pretty standard forced format, and harder to brute force “Randy Wears Tight Tights” which is easier to remember.
      Worst of all, the most important password is often the simplest. Like email. Email is a house of cards, let that get hacked and it's all over for you. The next step from there is to search for which financial institutions send you correspondence and then it's a password reset at each of those with the confirmation going to your hacked email.
      I just replaced my lost key fob, and security just added a new fobless system the day I received it. I’ve managed to not throw it against the wall, so today I celebrate a small victory.

    • Ed Flanders
      • Clay

        Did you notice in their rules, they misspelled “chaaracter”

    • KM

      My favorite password security requirement was: at least 1 lowercase, 1 uppercase, 1 numeric, and 1 non-numeric character, 8 to 16 characters long, the password cannot contain the same character repeated more than twice, and the password cannot contain more than 3 consecutive characters of your full name.

      I wanted to throw my laptop through a window. I can’t imagine the frustration of people with longer full names.
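      The complexity rule KM quotes, and crazy_bout_AP's point that such rules push people toward short formats like “Randy1#” while rejecting a long passphrase, can both be seen by encoding the rule as a checker. The following is an added example, not code from the post or from any commenter. It assumes two readings the comment leaves open: “repeated more than twice” is taken to mean three or more identical characters in a row, and the “consecutive characters of your full name” check is taken to be case-insensitive with spaces counted as characters. The sample passwords and the name “Randy Roberts” are constructed for illustration.

```python
import re

# Policy as described in the comment, encoded as an added example.
MIN_LEN, MAX_LEN = 8, 16
NAME_RUN_LIMIT = 3   # "no more than 3 consecutive characters of your full name"


def name_fragments(full_name: str, length: int = NAME_RUN_LIMIT + 1) -> set[str]:
    """Every case-folded substring of the name one longer than the allowed run.
    Assumption: the check is case-insensitive and spaces count as characters."""
    name = full_name.casefold()
    return {name[i:i + length] for i in range(len(name) - length + 1)}


def check_policy(password: str, full_name: str) -> list[str]:
    """Return the rules the password violates; an empty list means it is accepted."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[a-z]", password):
        violations.append("needs a lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("needs an uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("needs a digit")
    # The rule literally says "non-numeric"; any letter already satisfies it,
    # so this check can only ever fire for all-digit input.
    if not re.search(r"[^0-9]", password):
        violations.append("needs a non-numeric character")
    # Assumption: "repeated more than twice" means a run of three or more
    # identical characters in a row, e.g. "aaa" or "111".
    if re.search(r"(.)\1{2,}", password):
        violations.append("a character is repeated more than twice in a row")
    lowered = password.casefold()
    if any(frag in lowered for frag in name_fragments(full_name)):
        violations.append(
            f"contains more than {NAME_RUN_LIMIT} consecutive characters of your name"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real account.
    cases = [
        ("Randy1#", "Randy Roberts"),
        ("Randy Wears Tight Tights", "Randy Roberts"),
        ("Tr0ub4dor&3x", "Randy Roberts"),
        ("Aa111111", "Randy Roberts"),
    ]
    for pw, name in cases:
        result = check_policy(pw, name) or ["accepted"]
        print(f"{pw!r:28} -> {'; '.join(result)}")
```

      Run as written, the 24-character passphrase is rejected on length and for lacking a digit, while the 12-character mixed string passes every rule; the 16-character cap is what turns a memorable passphrase into a policy violation, which is the trade-off the two comments are arguing about.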

    • Big4Veteran

      “We are lazy to the point of negligence.”

      I disagree with this above statement, and the premise of this article. It is impossible for the human brain to memorize 100 different passwords, especially when half of those passwords are required to be changed every few months and different systems have different password requirements (i.e. one system requires that you use a special character, another system doesn’t allow a special character).

      I think the problem is IT geniuses and security “experts” are making money for themselves by introducing more requirements and complexity, but they are actually making the problem worse. If people have to write down their passwords on a post it note, or use the same password for every system, or re-use their passwords, that makes systems less secure.

      I honestly wonder if a system wouldn’t be more secure if I just had one simple password that I didn’t have to change, and could therefore memorize and not have to write down anywhere. Alternatively, we’re in the fucking year 2016. Why don’t we have better ways of securing data than fucking passwords? This is what the IT geniuses should be working on.