Just come across this and it brings back memories of times back in the late 80s when I was trying to define a password policy that was both easy to use and secure. We thought we had it but we failed miserably as most people used the same passwords for all their systems and where they couldn’t they wrote them down. No matter what we tried the users bypassed the systems, ignored policies and circumvented our security because they were too lazy, too dumb or didn’t care.
Now here we are over 20 years later and we still have the same problems. Now of course it is much easier for us to force our users to be more secure as we can ensure they use two factor authentication. Something they know, a passphrase, and something they have, a key or a biometric or a number generator. The passphrase is useless without the other.
For the rest of the world though it is still an issue. However, if you are interested you can use tools like this to check your password strength.
Ensure that you make up a good password, not a word you would use and then scramble it slightly with numbers. For example when looking for a password I usually use items in the office like a recycling bin. So ‘recycling’, then mix it up with the current time and capitalise some of it so you get ‘Rec13Ycli4ng2’. Of course Sod’s law dictates that some systems will reject it and then you need a different one for them. That is when it starts to go wrong and you start writing them down.
What we really need is a good system that gets rid of all these pesky digits. A while ago we looked at one that used faces. It displayed a page of random faces in random positions where some of your chosen faces were included on each page. You picked nine or so faces. Every time you logged on you were presented with a dozen pictures, of which one was one of your chosen faces and 11 were random pics. You clicked your pic and a second page was presented where you chose your pic, and then a third was presented. If you got all three you were in, and if you didn’t you were locked out. People remembered the faces a lot better than they remembered passwords. I was expecting that to be in use by now but it doesn’t seem to be. Two factor authentication seems to be in more use. Pity, I kept on losing my token in my bag.
Soon though we won’t need passwords, tokens or anything. It will all be biometric and then it’s all fun and games until someone loses an eye. (Sorry, couldn’t resist)
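
The face scheme described in the comment above, written out as an added example so the guessing odds can be checked. This is not the commenter’s code nor any vendor’s product: the 12-face page, three rounds and nine enrolled faces come from the comment; the 200-image pool, the face identifiers and all function names are assumptions made here.

```python
"""Sketch of a three-round face-recognition login (added example, not a real product).

Each round shows GRID_SIZE faces, exactly one of which the user enrolled; the
user must pick the enrolled face on every round to get in.  The numbers below
mirror the comment above; the face pool and identifiers are constructed here.
"""
import math
import random

GRID_SIZE = 12     # faces per page: one enrolled face plus 11 decoys
ROUNDS = 3         # pages the user must get right in a row
ENROLLED = 9       # faces the user memorises at enrolment ("nine or so")

# Constructed pool of face image IDs; a real system would use image files.
FACE_POOL = [f"face{n:03d}" for n in range(200)]


def _rng(seed):
    # Seeded for reproducible demos/tests.  A deployment must use a
    # CSPRNG such as secrets.SystemRandom() so pages cannot be predicted.
    return random.Random(seed)


def enroll(seed, n=ENROLLED):
    """Return the faces the user memorises (the 'something they know')."""
    return _rng(seed).sample(FACE_POOL, n)


def make_challenge(enrolled, seed):
    """Build ROUNDS pages, each with exactly one enrolled face among decoys.

    Decoys are drawn from faces the user did NOT enrol, so a page can never
    contain two correct answers.  A different enrolled face is used per round.
    """
    rng = _rng(seed)
    enrolled_set = set(enrolled)
    decoy_pool = [f for f in FACE_POOL if f not in enrolled_set]
    pages = []
    for face in rng.sample(enrolled, ROUNDS):
        page = rng.sample(decoy_pool, GRID_SIZE - 1) + [face]
        rng.shuffle(page)   # random positions, as in the comment
        pages.append(page)
    return pages


def verify(enrolled, pages, answers):
    """All-or-nothing check: every round must be answered with the enrolled
    face shown on that page.  No partial credit, and the loop does not stop
    at the first miss so the caller learns only pass/fail."""
    if len(answers) != len(pages):
        return False
    enrolled_set = set(enrolled)
    ok = True
    for page, answer in zip(pages, answers):
        ok &= (answer in page) and (answer in enrolled_set)
    return ok


def guess_probability():
    """Chance that an attacker with no knowledge of the faces passes one
    login attempt by clicking at random on every page."""
    return (1 / GRID_SIZE) ** ROUNDS


def equivalent_bits():
    """The same odds expressed as bits of guessing entropy, for comparison
    with a numeric PIN (a 3-digit PIN is log2(1000) ~ 9.97 bits)."""
    return ROUNDS * math.log2(GRID_SIZE)


if __name__ == "__main__":
    faces = enroll(seed=1)
    pages = make_challenge(faces, seed=2)
    # Simulate a user who recognises their own face on each page.
    clicks = [next(f for f in p if f in faces) for p in pages]
    print("login ok:", verify(faces, pages, clicks))
    print("random-guess success per attempt: 1 in", round(1 / guess_probability()))
    print("equivalent bits:", round(equivalent_bits(), 2))
```

The point the numbers make: three pages of twelve give 12^3 = 1728 combinations, so a random clicker gets in about once in 1728 attempts, a little over ten bits, roughly a three-digit PIN. That is only acceptable because the comment’s scheme locks the account after a failed set, so lockout (or rate limiting) is doing most of the work. The other caveat a practitioner would raise is that the same nine enrolled faces recur at every login, so anyone who can watch a few sessions over the user’s shoulder learns them.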

I like the faces idea – Tiger, Elin, Uchitel, that other one, Knox ……
It worked out well but seems to have died. Pity.