Simulated security

I definitely know from this:

Starting today we were required to update one of our passwords to a 12 character monstrosity that includes at least one of each of the following:

1. Capital letter
2. Number
3. Symbol (i.e., @#$&!)

And the reuse of previously used passwords is restricted to waiting until the 21st round of passwords. Oh, and we’ll now be required to change our passwords in 60 days instead of 90 days.
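As an added illustration (not part of the original post or its commenters), the policy described above can be written down as a small checker: minimum length, the three character classes, a history of the last 20 passwords (so a password comes back into play on the 21st change) and a 60-day age limit. The constants, the use of PBKDF2 for the history entries, and the treatment of "@#$&!" as standing for any punctuation are assumptions of the example. Running it shows the point of the post: a predictable password like "Password2008!" satisfies every rule.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import date
from hashlib import pbkdf2_hmac
from typing import List, Optional, Tuple

# Constructed constants mirroring the policy described in the post.
MIN_LENGTH = 12
HISTORY_DEPTH = 20           # reuse is allowed again only on the 21st change
MAX_AGE_DAYS = 60
SYMBOLS = set(string.punctuation)   # assumption: "@#$&!" stands for any punctuation
KDF_ITERATIONS = 10_000      # kept low so the example runs quickly


def composition_errors(password: str) -> List[str]:
    """Return the composition rules the password fails (an empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    if not any(c in SYMBOLS for c in password):
        errors.append("no symbol")
    return errors


@dataclass
class PasswordRecord:
    """Per-user state: salted digests of recent passwords (newest last) and the date of the last change."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_on: Optional[date] = None


def _digest(password: str, salt: bytes) -> bytes:
    # The history stores no plaintext; a production system would use its regular password hash.
    return pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def previously_used(record: PasswordRecord, password: str) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH passwords."""
    return any(
        secrets.compare_digest(_digest(password, salt), digest)
        for salt, digest in record.history[-HISTORY_DEPTH:]
    )


def change_password(record: PasswordRecord, new_password: str, today: date) -> List[str]:
    """Apply the policy; on success update the record and return [], otherwise return the reasons."""
    errors = composition_errors(new_password)
    if previously_used(record, new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    salt = secrets.token_bytes(16)
    record.history.append((salt, _digest(new_password, salt)))
    del record.history[:-HISTORY_DEPTH]   # keep only the last HISTORY_DEPTH entries
    record.changed_on = today
    return []


def days_until_expiry(record: PasswordRecord, today: date) -> int:
    """Days left before the MAX_AGE_DAYS limit forces another change."""
    return MAX_AGE_DAYS - (today - record.changed_on).days


if __name__ == "__main__":
    # A password that passes every composition rule while being entirely predictable.
    print("Password2008!", composition_errors("Password2008!") or "passes")
    print("susan", composition_errors("susan"))
```

The checker enforces exactly what the policy says and nothing more, which is why it cannot tell "Password2008!" from a randomly generated string; composition rules measure the shape of a password, not how guessable it is.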

I believe “@#$&!” is what I say when the “Your password will expire in 14 days” message comes up after a mere 30 days. We’re allowed to slide by on a mere eight characters, but we must include at least one from each of the Three Basic Mistyping Groups.

Now I realize that there are people out there with passwords like “password” or “susan,” but still:

What makes them think that they’re actually increasing security by making it so much harder to remember all of the passwords? Because at some point a cheat sheet is required just to avoid calling the help desk several times daily to get your passwords unlocked because you entered them incorrectly too many times.

Besides, one of my favorite sources for passwords — the vast universe of foreign-language cuss words — seldom yields up anything with numbers in it.


  1. Ed Flinn »

    8 December 2008 · 10:46 am

    the vast universe of foreign-language cuss words

    L337speak is, even if it never was before, your friend.

  2. CGHill »

    8 December 2008 · 11:27 am

    No 5#i7.

  3. Charles Pergiel »

    8 December 2008 · 2:37 pm

    1) I was going to make a suggestion, but Ed has already covered it.

    2) Or you could start a movement to overwhelm the help desk with calls about passwords. Bring the whole company to its knees.

    3) Bitch, quietly and politely, to everyone every day. Persistence pays.

    4) Find someone in IT to modify the password script to let you on with letmeon or some similar nonsense.

  4. CGHill »

    8 December 2008 · 2:44 pm

    Actually, it’s not our local sysadmin giving us this grief: it’s the place that does our credit-card processing. And they are intractable and adamantine. Until we’re set up to bring these functions in-house, though, we’re stuck with them.

  5. fillyjonk »

    9 December 2008 · 5:35 am

    Though I suspect you’d rather deal with changing the password umpty times than with a “breach of security.” Not good for the health of the company and for the future of customers with it to have to call them and tell them, “Yeah, someone may have stolen your credit card number.”

    I had it happen to me – had mine stolen, went through the rigamarole of getting charges removed and getting a new card (and some dude in California got a sweet set of amps using my number). Some months later, a large online used-book dealer (who shall remain nameless) e-mailed their customers (including me) and said, “Um, yeah. Even though we had layers of security, we think someone may have got in and stolen some credit card numbers.”

    You THINK!?!?! I never did business with them again.

  6. Flack »

    9 December 2008 · 1:52 pm

    Two suggestions:

    One, come up with a “code phrase” that only you remember. For a very simple example, let’s use a suffix of “123”. With that, you can now write down all your passwords — just be sure to append your fake suffix when you write them down. If you write down “Login: susan123” then you will know that your password is really just “susan”. Obviously this rule can be as complex as you are willing to remember. For example, I would always insert a fake letter into position number 1 and add a fake number at the end. If I wrote down “abcde#12345” my password was really “bcde#1234”. A system like this allows you to write down your passwords without worry that anyone who found the paper would be able to use them.

    Two, download one of the freely available password tracking programs. I use KeePass, which is free and can run as a stand-alone exe (which means you can run it from a USB drive). It stores your passwords in an encrypted database. It runs in the task bar and has a ton of configuration choices. Of course if you forget the password to view your passwords you’re in trouble but … eh, see rule number one above.

  7. Tatyana »

    9 December 2008 · 4:29 pm

    Post and comments to memorize.
