Saturday, May 2, 2009

Password Retention Policies

It never used to bother me, but now it does.

Every time I hear about one of those laptops stolen with secrets, but "no secure password", I believe that corporate password retention policies are to blame.

I have now come to the point, where I work, where the various password systems, with their vastly different password policies, have collided to make it impossible for me to keep up anymore. I will now be one of the countless hordes that put their passwords on a sticky note above the notebook's keyboard.

I have 9 separate password/account combinations at work. Some of them force me to change them every 6 weeks, others force me to change them every 3 months. Some of these require punctuation characters, mixed case and numbers, some of these do not require anything but letters. I could handle this, because none of the systems (at work) deny the use of punctuation or numbers in the passwords. There is ONE account that does not handle a password longer than 8, but that one (at least) ignores anything typed longer than 8.

I have, for the last 3 years or so, used basically the same password on all of my "important" accounts, with very minor variations. Because of the policies in place, I have been in the habit of changing my password monthly, on the first, and integrating the month itself into the password. This typically changes three characters of the password, and it allowed me to have a secure password that I had otherwise memorized. So, now the policy has changed again, to where three letters is no longer good enough. Now it has to be five.

None of this stuff is REALLY that important, is it?

Worse, I used to be Director of IT for a former employer. I know this stuff. I know there is a better way. I know why my new solution is "bad for the company". Yet, when I WAS in IT, I did everything in my power to make sure that once someone chose a decent password, it would be the same password on all the systems, and that I wouldn't force people to change it all the time. EVEN THERE, I found passwords taped to nearly 30 different laptops (with a corporate population of around 100). If I could figure out that people easily give up trying to protect passwords, then why do all the major corporations have these terribly inconvenient policies in place?

2 comments:

  1. Yes, accounts and passwords are very confusing and annoying to most of us. I hope to have a consistent account, so that we can log on to every system/tool with this account and change this password regularly.

  2. If laptops were unlocked with a fingerprint swipe (like some IBMs do) - there would be a lot of room for SSO in what you're blogging about. One fingerprint swipe and all other systems, applications, etc. should accept some form of SSO. I see a growing list of examples of such a trend @ Tax & Accounting, Thomson Reuters.

    The importance of annoying password policies diminishes.
