Bloody passwords

By the end of this week, I have to change my work computer password - for the fourth time this year. And of course I can't choose any old password: amongst other requirements, it has to be between 12 and 16 characters long, contain both letters and numbers, and it can't be the same as any of the last 9 passwords I used.

It's not just my employer that's giving me trouble. I have to remember passwords and pins for dozens of different services and websites, all of which tend to have different sets of rules regarding length, characters that are acceptable, etc. Even though I have four 'generic' passwords, each compliant with a frequently used set of different 'password strength' rules, there are a number of services that stipulate yet more exotic requirements. And even with all the different passwords memorised, I still have to remember which one applies to each particular account.

In the end, password selection rules converge to this:

The password must be impossible to remember and never written down.

Here are a few economic insights, and some advice - even though I doubt many IT types are reading this blog:

1. In cases where I am the only one at risk from my own bad password habits, let it be. I can probably understand the rationale behind asking for a 'strong' password when the implications of any security breach will affect other users, but why on earth do you care if someone cracks the password to my personal email account?

2. Stipulating exact rules is suboptimal - it limits the character combinations an intruder would have to try out, and it rules out a number of passwords the user may be able to remember easily. Just ask for passwords that meet a minimum 'strength' standard (e.g. use an algorithm that gives 1 point for each character used, 10 points for using both letters and numbers, 10 points for using caps, etc., and don't allow passwords that score less than 15 points).

3. There are things other than remembering passwords that I would like to expend my limited brainpower on. As a result, if you push me too hard, I'll cheat: for example, I may write the password down, or choose the easiest password compatible with the rules. There is a point beyond which 'password strength' requirements lead to less security, not more.

4. If you are the boss: Your IT security guys have incentives that are incompatible with those of your employees and your organisation. They don't give a toss about productivity; all they care about is that there are no security breaches, and that when these do occur they can be blamed on a poor soul that 'didn't take security seriously' and wrote her password down. Try to find ways to align their incentives to yours, and for heaven's sake don't give them free rein over IT security policy - they are the experts, but they don't have your best interests in mind.

This still leaves me with the problem of picking a new password. I was thinking of 'Rumpelstiltskin', but it turns out the miller's daughter was stupid: my computer says it's 'too easy'.
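The scoring scheme from point 2, put side by side with the exact rules from the opening paragraph and tried on 'Rumpelstiltskin', as an added example that is not part of the original post. The third bonus (punctuation or spaces) and the constructed candidate passwords are assumptions; the post's "etc." is read as permission for more bonuses of the same shape.

```python
from typing import Callable

MIN_LEN, MAX_LEN = 12, 16   # the employer's length rule from the opening paragraph
MIN_SCORE = 15              # the threshold proposed in point 2

def has_letter(pw: str) -> bool: return any(c.isalpha() for c in pw)
def has_digit(pw: str) -> bool:  return any(c.isdigit() for c in pw)
def has_upper(pw: str) -> bool:  return any(c.isupper() for c in pw)
def has_symbol(pw: str) -> bool: return any(not c.isalnum() for c in pw)

def meets_exact_rules(pw: str) -> bool:
    """The exact rules quoted at the top of the post. The 'not one of the
    last 9' history check is left out: it needs data the post does not have."""
    return MIN_LEN <= len(pw) <= MAX_LEN and has_letter(pw) and has_digit(pw)

# Point 2's scoring table: (name, predicate, bonus). The first two entries are
# the ones the post gives; the third is an assumed extra standing in for "etc."
BONUSES: list[tuple[str, Callable[[str], bool], int]] = [
    ("letters and numbers", lambda pw: has_letter(pw) and has_digit(pw), 10),
    ("capital letters", has_upper, 10),
    ("punctuation or spaces", has_symbol, 10),   # assumed, not from the post
]

def score(pw: str) -> int:
    """One point per character, plus each bonus whose predicate holds."""
    return len(pw) + sum(bonus for _, pred, bonus in BONUSES if pred(pw))

def meets_score_rule(pw: str) -> bool:
    return score(pw) >= MIN_SCORE

def compare(candidates: list[str]) -> dict[str, tuple[bool, int, bool]]:
    """For each candidate: (passes exact rules, score, passes score rule)."""
    return {pw: (meets_exact_rules(pw), score(pw), meets_score_rule(pw))
            for pw in candidates}

if __name__ == "__main__":
    # Constructed candidates; 'Rumpelstiltskin' is the one from the post.
    results = compare(["Rumpelstiltskin", "millers daughter",
                       "Password2007", "abc123"])
    for pw, (exact, pts, scored) in results.items():
        print(f"{pw!r:20} exact={exact!s:5} score={pts:3} scored={scored}")
```

'Rumpelstiltskin' fails the exact rules (no digit) but scores 25 under point 2, while the six-character 'abc123' also clears the 15-point bar with 16 points. The threshold is therefore a parameter to tune against the passwords you want to keep out, not a safe default.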

by datacharmer | Wednesday, July 25, 2007