Insane password policies
A service that I very rarely use just approached me with their new "security rules":
We are pleased to inform you that we have improved the security of XXX website. Because your idea matters, we want to keep them secure and confidential. As per the new policies you will be required to change your passwords on monthly basis. Also the passwords have to be at least 8 characters in length, having at least one letter, one number, and one special character (such as !#$&?.()@^” etc.)
Guys, not like this.
- Rolling passwords on a very short basis just makes them insecure.
- I don't use your site on a monthly basis anyway, so that means that every single log-in I have the extra burden of inventing a new password that I will never use but which still must be work within your arbitrary rules
- Ever heard of two-factor authentication? You know, like if you're really serious about protecting people's ideas? (Of course, this is not without its problems.)
- You need me more than I need you. So making the process harder is not actually in your best interest, and telling me that you "require" that I comply with your rules is even less in your best interests.
So basically I'm just shaking my head and putting this thing in my mental "nice idea, but too much trouble" -bucket.
(Yeah, I am aware of 1password and all these tools, but a) they're basically a security single-point-of-failure, and I dislike single points of failure, and 2) I use multiple devices all the time, and the thought of all of my passwords syncing to a single cloud service makes me queasy - and not having the sync makes them kinda pointless.)
More info...
Comments?
Back to weblog
|
"Main_blogentry_120914_1" last changed on 12-Sep-2014 10:01:28 EEST by JanneJalkanen. |
Comments
Stupid policy indeed. Regarding password safes I share your concern for cloud based services. Ivm using B-Folders because it syncs locally p2p on your home network, without a central server.--AnonymousCoward, 12-Sep-2014