Forced password-changing policies lead to two things:
- More frustrated users locked out of their accounts, leading to more painful support requirements
- A huge number of unencrypted text files on local filesystems called “mystupidnewpassword.txt”
I study IT Security in the graduate program of UNC Charlotte. For the most part, UNCC is a great school and our IT programs are especially fantastic. UNCC generally doesn’t rank, but IT provides a rare exception, listing UNCC 10th after Carnegie Mellon, Georgia Tech, Harvard, etc.
Despite my security focus, I think this is a little over-the-top for our university accounts (“49er Express”), once combined with a forced password change policy:
Password Rules:
- Minimum length: 8 characters
- Maximum length: 16 characters
- Required characters:
  - One lower case alphabetic character
  - One upper case alphabetic character
  - One numeric character
  - One special character from the set ! * + - / _
- Do not use your last name, first name, e-mail address, or the words "pass" or "word" as part of your password.
- Password history: 8 (cannot reuse last 8 passwords)
- Passwords are case sensitive. When changing your password, switching the case (lower/upper) of an alphabetic character does not constitute a change.
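To make the rule set above concrete, here is a checker that encodes it as written, plus the "switching case is not a change" comparison. This is an added example, not code from 49er Express or the university; the names and e-mail address used in the checks are constructed, and matching the banned substrings case-insensitively is my assumption about how such a rule is applied.

```python
# Added example: a validator for the password rules quoted above.
# It reports every rule a candidate breaks, so the user is told why rather
# than just "rejected".
SPECIALS = set("!*+-/_")   # the allowed special-character set from the rules
MIN_LEN, MAX_LEN = 8, 16   # the quoted minimum and maximum lengths


def check_policy(password: str, first_name: str = "", last_name: str = "",
                 email: str = "") -> list[str]:
    """Return the list of rules the candidate violates (empty list == accepted)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from ! * + - / _")

    # "Do not use ..." rule. Assumption: the banned strings are matched as
    # case-insensitive substrings of the password.
    lowered = password.lower()
    banned = {"pass": "the word 'pass'", "word": "the word 'word'"}
    if first_name:
        banned[first_name.lower()] = "your first name"
    if last_name:
        banned[last_name.lower()] = "your last name"
    if email:
        banned[email.lower()] = "your e-mail address"
    for needle, label in banned.items():
        if needle in lowered:
            problems.append(f"contains {label}")
    return problems


def is_same_ignoring_case(old: str, new: str) -> bool:
    """Rule: flipping the case of letters does not count as a password change."""
    return old.lower() == new.lower()


if __name__ == "__main__":
    for candidate in ("Rid!cul0us", "Ridicu1ous!", "Short1!", "MyPass_w0rd"):
        print(candidate, "->", check_policy(candidate) or "accepted")
```

Note that all four of the look-alike variants the post lists later pass every rule, which is exactly the problem: the policy cannot tell you which one you actually chose.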
Really? Every n months I have to come up with a new password that I haven’t used for the past 8 cycles, at this minimum level of complexity:
What does that mean? Well, I don’t want to be locked out of my account – besides the inconvenience, it’s embarrassing. But it’s damn easy to get such a password mixed up:
- Rid!cul0us
- R!dicul0us
- Ridicu!0us
- Ridicu1ous!
So if you want to break into the account of this IT security major, all you have to do is wait for the week after password-change-time and grep in my /home/hunter for any text file that’s 8-16 characters long, has at least 1 capital and 1 lowercase letter, 1 number, and 1 character from the set ! * + - / _.
Why is it acceptable, ever, to have a maximum password length? If you’re going to go out of your way to force users to make their passwords more complex as a security measure, how on earth can it make sense to then restrict the password length to some arbitrary, small number of characters? If I want to use the password:
is that really going to cause problems for a competently designed system? I mean, it shouldn’t even be storing my password, so where’s the problem? Do people really think that the above password is less secure than:
I run into this all the time and it bugs the hell out of me. In fact, password requirements in general bug the hell out of me, because I have my own process for generating secure passwords that I can remember, and having to meet some asinine requirement for proportions of numbers, uppercase letters and so forth just makes me forget my password, which is a security risk.
This is getting a little ranty, so I’ll draw my remarks to a close, but one last point.
The following scenario is grounds for the immediate and creative execution of the technical team involved.
- Max password length at registration is x characters.
- Password user “enters” is x+2 characters.
- Input box at registration is restricted to x characters; last two characters are silently dropped.
- Login box is not restricted to x characters.
- User enters full password multiple times, cannot work out why login won’t work.
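The two points above (a competently designed system stores a fixed-size hash, so a maximum length buys nothing, and a registration box that silently truncates while the login box does not locks the user out) can be shown together with a small credential store. This is an added example written for this post, not the university's system or anyone's production code; the limit of 16, the user name and the passwords are constructed.

```python
# Added example: a credential store that keeps only salted PBKDF2 digests,
# driven through three front-ends: the silently truncating one from the
# scenario above, one that rejects over-long input loudly, and one with
# no limit at all.
import hashlib
import hmac
import os

BOX_LIMIT = 16  # constructed: the registration box's "x" from the scenario


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: 32 bytes out, however long the password is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class CredentialStore:
    """Stores (salt, digest) per user; the plaintext never touches disk."""

    def __init__(self, registration_filter, login_filter):
        # The two filters model what each HTML form does to the input.
        self._registration_filter = registration_filter
        self._login_filter = login_filter
        self._records = {}

    def register(self, user: str, password: str) -> None:
        password = self._registration_filter(password)
        salt = os.urandom(16)
        self._records[user] = (salt, derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        password = self._login_filter(password)
        salt, digest = self._records[user]
        return hmac.compare_digest(derive(password, salt), digest)

    def digest_length(self, user: str) -> int:
        return len(self._records[user][1])


def silently_truncate(value: str) -> str:
    """An <input maxlength> or a narrow DB column: the tail just vanishes."""
    return value[:BOX_LIMIT]


def reject_overlong(value: str) -> str:
    """Hardened form: over-long input is an error the user can see."""
    if len(value) > BOX_LIMIT:
        raise ValueError(f"password must be at most {BOX_LIMIT} characters")
    return value


def passthrough(value: str) -> str:
    return value


X_PLUS_2 = "Correct*Horse1Batt"            # constructed, 18 characters (x+2)
LONG_PASSPHRASE = "the quick brown fox jumps over the lazy dog, twice, on Tuesday"


def buggy_site() -> bool:
    """Registration drops the tail, login does not: the real password never works."""
    store = CredentialStore(silently_truncate, passthrough)
    store.register("alice", X_PLUS_2)
    return store.login("alice", X_PLUS_2)


def honest_site() -> str:
    """Fix 1: if a limit must exist, enforce it loudly and on both forms."""
    store = CredentialStore(reject_overlong, reject_overlong)
    try:
        store.register("alice", X_PLUS_2)
    except ValueError as err:
        return str(err)
    return "accepted"


def no_limit_site() -> bool:
    """Fix 2: drop the limit; a 62-character passphrase costs the same 32 bytes."""
    store = CredentialStore(passthrough, passthrough)
    store.register("alice", LONG_PASSPHRASE)
    return store.login("alice", LONG_PASSPHRASE) and store.digest_length("alice") == 32


if __name__ == "__main__":
    print("buggy site, full password accepted at login:", buggy_site())
    print("honest site says:", honest_site())
    print("no-limit site, long passphrase works:", no_limit_site())
```

The point of `derive` is the one the post makes: the record is the same size whether the password is 8 characters or 80, so the only reason a length cap ever "needs" to exist is an input box or column somewhere that was sized without thinking, and the only acceptable behaviour for such a cap is to reject, never to trim.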