I have long been skeptical of efforts to “strengthen” passwords by throwing in oddball characters — if they were serious, they’d allow us to use dîacritiçal märkß and such — but the system has problems at a more fundamental level:

I have difficulty remembering what the username and passwords are anyway. As soon as I finally hit the jackpot, I go into the accounts section and change the username to something I am going to remember. Then I go to change the password, knowing that the old password didn’t meet requirements anyway.

Well, okay. I can see that. But:

The problem is that because my old password didn’t meet requirements, they wouldn’t let me change to a new password. I get logged off, and then it won’t let me log back in because the password doesn’t meet the new requirements. Not that the password is wrong, mind you. And never mind that it let me log into the password a half-hour before.

An awful lot of tomfoolery for something that can’t save you anyway.


  1. robohara »

    24 January 2013 · 8:35 pm

    The biggest problem is, as that article alludes to, most people’s passwords aren’t hacked by brute force anymore. It’s not worth anyone’s time to spend years brute forcing “random Joe’s” e-mail password when it’s a million times easier to get people to click on an infected PDF file in a mail attachment. My e-mail password is 20 random characters strung together; nobody’s going to break it (“ain’t nobody got time for that!”). But when anyone can click on my e-mail reset button and someone happens to guess that my first pet’s name was Spot, well, that’s a problem. (Go look up the Sarah Palin e-mail hack; the answers to all of her security questions were listed on her Wikipedia entry.) If we could at least get people to not use the same password on multiple sites, that would be a start.

  2. CGHill »

    24 January 2013 · 8:44 pm

    Now you know why I still have my email client set to text-only after all these years.

  3. Tatyana »

    25 January 2013 · 7:22 am

    I want to point at something different: those idiotic questions the so-called IT Security people offer. No, you can’t invent your own Q&A – you gotta choose between “what’s your first pet’s name” and “your city where your in-laws live”. What about people who never had a pet – and are single? What if the “street where you lived as a child” is in a foreign country – or, worse, if your family moved around so much, you can’t remember the town, let alone streets, you lived on?
    Take off the shackles, let us choose ourselves!

  4. CGHill »

    25 January 2013 · 7:49 am

    What she said, times rather a lot.

  5. McGehee »

    25 January 2013 · 7:53 am

    I answer inapplicable questions with made-up answers I know I’ll remember. That way someone who’s somehow managed to find out details of my non-imaginary life still won’t be able to answer the questions.

    As for characters in passwords, I þink ðere are options ðey haven’t þought of yet.

  6. Trumwill »

    25 January 2013 · 6:27 pm

    The biggest issue with passwords is when you can get back in by knowing my first pet’s name. Which is how Palin and Romney were hacked.

  7. Trumwill »

    25 January 2013 · 6:29 pm

    Which, if I wasn’t trying to read and comment and feed the baby at the same time, I would have seen has already been covered.

  8. Tatyana »

    25 January 2013 · 6:39 pm

    Trumwill: yeah, blame the innocent!

  9. Trumwill »

    25 January 2013 · 7:20 pm

    It turns out that infants complicate your life…

    Btw, loved your book on BBSing, Rob.
