Friday, 12-Sep-14 10:01
Insane password policies

A service that I very rarely use just approached me with their new "security rules":

We are pleased to inform you that we have improved the security of XXX website. Because your idea matters, we want to keep them secure and confidential. As per the new policies you will be required to change your passwords on monthly basis. Also the passwords have to be at least 8 characters in length, having at least one letter, one number, and one special character (such as !#$&?.()@^” etc.)

Guys, not like this.

  1. Rolling passwords on a very short basis just makes them insecure.
  2. I don't use your site on a monthly basis anyway, so at every single log-in I have the extra burden of inventing a new password that I will never use again but which still must work within your arbitrary rules.
  3. Ever heard of two-factor authentication? You know, like if you're really serious about protecting people's ideas? (Of course, this is not without its problems.)
  4. You need me more than I need you. So making the process harder is not actually in your best interest, and telling me that you "require" that I comply with your rules is even less in your best interests.
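To make the quoted rule concrete, here is a small checker written for this post (it is not code from the site in question or from the author). It implements the composition rule exactly as the notice states it, then runs it over a handful of constructed sample passwords. The set of "special" characters is an assumption, since the notice only gives examples; the sample passwords are likewise made up for illustration. The point it shows is that the rule happily accepts the short, date-derived strings that forced monthly rotation tends to produce, while rejecting long passphrases that would be far harder to guess.

```python
import string

# Composition rule quoted in the notice: at least 8 characters, at least one
# letter, one digit and one special character. The notice only lists example
# specials, so the set below is an assumption: its examples plus the rest of
# ASCII punctuation.
SPECIALS = set('!#$&?.()@^"') | set(string.punctuation)
MIN_LENGTH = 8


def failed_rules(password: str) -> list:
    """Return the names of the rules the password does NOT meet.

    An empty list means the policy accepts the password.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isalpha() for c in password):
        failures.append("letter")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    return failures


def satisfies_policy(password: str) -> bool:
    """True if the quoted composition rule accepts the password."""
    return not failed_rules(password)


# Constructed sample passwords (not taken from the post). The first three are
# the kind of short, date- or word-derived string people fall back on when told
# to rotate monthly; the last two are long passphrases the rule rejects outright.
SAMPLES = [
    "Sep2014!",
    "Oct2014!",
    "Passw0rd!",
    "correct horse battery staple",
    "nice idea but too much trouble",
]


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample to the rules it fails, so the two groups can be compared."""
    return {p: failed_rules(p) for p in samples}


if __name__ == "__main__":
    for pw, failures in evaluate().items():
        verdict = "accepted" if not failures else "rejected: " + ", ".join(failures)
        print(f"{pw!r:35} {verdict}")
```

Running it prints the three short samples as accepted and both passphrases as rejected for lacking a digit and a special character, which is the mismatch the post is complaining about: the rule measures character classes, not how hard the password is to guess.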

So basically I'm just shaking my head and putting this thing in my mental "nice idea, but too much trouble" bucket.

(Yeah, I am aware of 1password and all these tools, but a) they're basically a security single-point-of-failure, and I dislike single points of failure, and b) I use multiple devices all the time, and the thought of all of my passwords syncing to a single cloud service makes me queasy - and not having the sync makes them kinda pointless.)