Is anyone else as frustrated as I am with the multifarious password policies you run into across systems? It seems like everyone and his brother has "the best" idea of what a strong password should be, which translates into having to keep up with N passwords and which systems they map to.
That's bad enough, but then you have these people who think that making you change your password every N days is a good idea and that you can't use the last N passwords you've already used. To make it worse, some brilliant minds out there think that forcing us to have "strong" usernames is a good idea too, so you end up with something like N^N permutations of usernames and passwords that you have to track.
"So what?" you say. "We've got a nifty 'Forgot Password' option on our site/app/etc."
But I have to ask, is that really ideal? Perhaps if we didn't have to keep track of N^N passwords mapped in matrices to the N! systems we use, we wouldn't forget them so often!
I'm not saying that having strong passwords is a bad idea, not at all. I'm suggesting that we all work toward agreeing on what a strong password is and come up with, dare I suggest, standards based on data sensitivity. So for instance, here are some ideas:
Anyways, the point is not necessarily that these are the best specific guidelines; I don't consider myself a security expert, but I know enough to understand that what we have going on is not likely adding to our general security. In order to keep track of all these authentication tokens, we have to write them down somewhere, store them in some vault, file, sticky pad, etc., which in the end likely makes our security less, and it certainly adds to both individual and organizational administration overhead to manage password resets, fetches, etc.
If we had standards like I'm suggesting that were well published, then every Joe that goes to write a new system would easily be able to put in place a policy that is both secure, appropriate for the data being protected, and manageable for everyone involved. If we only had maybe four passwords to remember, even if they're odd and funky (with special characters and numbers) or if they were pass phrases, we wouldn't have to write them down or forget them or manage getting them reset all the time. In other words, we'd be more secure and happier. And if we do have such standards, they need to be far more publicized and talked about when the subject comes up, because I've not heard of them, and I don't think I live in the proverbial cave.
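As an added example (not the author's code, and not a standard anyone has published), here is how the policy features the post complains about, minimum length, a "last N passwords" history check and forced rotation every N days, can be expressed once per data-sensitivity tier instead of being reinvented by every system. The three tiers and their numbers are assumptions for illustration, not the post's proposal. One practical point the code makes visible: a history check can only be done against stored salted hashes of the old passwords, so every reuse rule the post mentions means the system is retaining extra password material that has to be protected.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    history_depth: int            # previous passwords that may not be reused (0 = no check)
    max_age_days: Optional[int]   # forced rotation interval; None = never expires


# Assumed sensitivity tiers; the numbers are illustrative, not the post's proposal.
POLICIES = {
    "public": PasswordPolicy(min_length=8, history_depth=0, max_age_days=None),
    "internal": PasswordPolicy(min_length=12, history_depth=3, max_age_days=None),
    "sensitive": PasswordPolicy(min_length=16, history_depth=10, max_age_days=90),
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history entries are kept this way, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    tier: str
    history: List[Tuple[bytes, bytes]]   # (salt, digest) pairs, newest first
    last_changed: datetime


def set_password(account: Account, password: str, now: datetime) -> None:
    """Record a new password as a fresh (salt, digest) pair at the head of the history."""
    salt = os.urandom(16)
    account.history.insert(0, (salt, hash_password(password, salt)))
    account.last_changed = now


def reuses_recent_password(account: Account, candidate: str, depth: int) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in account.history[:depth]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            return True
    return False


def validate_new_password(account: Account, candidate: str) -> List[str]:
    """Return the list of policy violations for the tier the account belongs to (empty = OK)."""
    policy = POLICIES[account.tier]
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.history_depth and reuses_recent_password(account, candidate, policy.history_depth):
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def password_expired(account: Account, now: datetime) -> bool:
    """Forced rotation only applies where the tier sets max_age_days."""
    policy = POLICIES[account.tier]
    if policy.max_age_days is None:
        return False
    return now - account.last_changed > timedelta(days=policy.max_age_days)


def demo() -> dict:
    """Constructed walk-through of the 'sensitive' tier on a made-up account."""
    t0 = datetime(2019, 1, 1)
    acct = Account(tier="sensitive", history=[], last_changed=t0)
    set_password(acct, "correct horse battery staple", t0)
    return {
        "reuse": validate_new_password(acct, "correct horse battery staple"),
        "short": validate_new_password(acct, "tooshort"),
        "ok": validate_new_password(acct, "a different long passphrase here"),
        "expired": password_expired(acct, t0 + timedelta(days=120)),
        "fresh": password_expired(acct, t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the "public" tier sets `history_depth=0` and `max_age_days=None`, accounts in that tier never carry old-password hashes and never expire; whether those are the right settings for any given system is exactly the kind of decision the post wants settled once, by data sensitivity, rather than per application.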
Disclaimer: The opinions expressed herein are solely my own personal opinions, founded or unfounded, rational or not, and you can quote me on that.
Copyright © 2019 J. Ambrose Little