When I worked in the US Department of Defense, our computer systems had password requirements that were the stuff of legend. 3 lowercase letters, 3 uppercase letters, 3 numbers, 4 special characters, and they had to be at least 16 characters long. Plus they had to change every 30 days, and couldn’t be one of the last 25 passwords used. Because these were the requirements for our primary system logins, there was no chance of using a password manager.
So how did people handle this? Everyone diligently memorized the new password every thirty days, thankful that there were policies keeping everything secure, right?
Of course not!
Everybody kept their password on a sticky note stuck to their monitor where it could be viewed by anybody walking past. And the technical people who understood the risks of their password getting compromised? Well, they took a more sophisticated approach like tucking the sticky note in a desk drawer where it would take at least 30 seconds for someone else to find.
Continue reading “Terrible, horrible, no good, very bad password policies”