Insane password policies
A service that I very rarely use just approached me with their new "security rules":
Guys, not like this.
- Rolling passwords on a very short basis just makes them insecure.
- I don't use your site on a monthly basis anyway, so that means that every single log-in I have the extra burden of inventing a new password that I will never use but which still must work within your arbitrary rules.
- Ever heard of two-factor authentication? You know, like if you're really serious about protecting people's ideas? (Of course, this is not without its problems.)
- You need me more than I need you. So making the process harder is not actually in your best interest, and telling me that you "require" that I comply with your rules is even less in your best interests.
So basically I'm just shaking my head and putting this thing in my mental "nice idea, but too much trouble" bucket.
(Yeah, I am aware of 1Password and all these tools, but a) they're basically a security single point of failure, and I dislike single points of failure, and b) I use multiple devices all the time, and the thought of all of my passwords syncing to a single cloud service makes me queasy - and not having the sync makes them kinda pointless.)
"Main_blogentry_120914_1" last changed on 12-Sep-2014 10:01:28 EEST by JanneJalkanen.