Hmm. Already? It seems like it's only been 180 days since... oh right. But there's more! The new password requirements must meet three of the following four criteria:
1. Must contain an English uppercase letter
2. Must contain an English lowercase letter
3. Must contain a Westernized Arabic numeral (0-9, etc.)
4. Must contain a special character (e.g. punctuation mark)
It also can't be any of the last 5 passwords I've selected before. Really? A password that I used 2 years ago isn't secure now? I wrote a letter to the administrators:
I'll get right to the point: longer and more onerous passwords are not more secure if I have to write them down or store them somewhere. Over the last 8 years or so, the password policies have become progressively anti-user to ever-increasing levels of absurdity. More characters, upper and lowercase letters, non-dictionary words, even MORE characters, and now I have to punctuate? It's not an essay, it's a password. I understand that faster processors and increased computing power make it theoretically easier for a machine to break my code, but many professors on campus that I know keep an unlocked, unhidden rolodex full of passwords because of requirements like this. I know that you're trying to protect us from hackers, and I appreciate that. But consider that our brains do not follow Moore's law to keep in step with increased processing power, and at some point you will need to rethink your strategy.
Sure, I can store the passwords in some kind of utility program designed for that purpose. But then don't I need another password for that system? And aren't I at the mercy of whatever encryption scheme that system uses? And isn't that a far more desirable target for hackers and identity thieves? What worries me is that, at some future point, my university might consider doing what banks have done, which is to implement stupid security questions to verify my identity. You know what I'm talking about: "What was your first pet's name? What's the name of your high school?" It's the kind of stuff that appears on the average Facebook account, and can be gleaned more easily than a moderately well-crafted password.
My question to you today is this: What is a secure alternative to passwords of ever-increasing complexity (and ever-declining usability)?