The one that gets me the most is IT security people who insist on you updating your password every 30 days, and don’t allow similar passwords from previous ones. (No Password01, Password02, etc.) Then they throw in a required capital, lower case, number, and symbol.
You end up never being able to remember the current password, so you have to write it down somewhere, defeating the security in the first place.
Would picking a word and inserting the current date work if you must change it each month? Place the name or number of the current month and year in front, in the middle, or after the word?
I agree. I found a way to beat that system.
I had a password that met their criteria that was easy to memorize. What I did was put the number “1” as the last letter of that password.
When it came time to change passwords, I changed that “1” to a “2”. The next time a “3” and so on and so forth.
30-day password expiration is lunacy. Why not 7, 5 or 2 days? Makes about as much sense.
If I know I’m going to be able to use the password for a while, I will come up with a good 20-30 character phrase that is as secure as a password can be. You’d be amazed at how fast you can enter a password like that after you have typed it a hundred times.
Of course, you also run into systems that won’t let you go more than 10 characters or so. Yeah, that’s a great idea. Not.
What I’d like to see is a system where the strength of your password influences how long you can use it. You would get multipliers for having mixed case, special chars, and numbers. The password I use for securing my password safe is good enough to use for a year or more.
Then add your work environment where you have access to different types of hardware running different types of operating systems, each with its own password rules, some of which are not compatible with the others, so you can’t just use the same password for all.
A few years back I kept a spreadsheet for the several hundred unix servers I had access to, each with a unique, system-created password.
Make it too hard and you will end up with folks writing them down.
We spend a lot of our time today trying to hack around the security so we can get our jobs done. Between that and the masking for PCI compliance it is a wonder we can do anything anymore.