Why am I spending so much time talking about passwords? To begin with, it’s because we can’t get rid of them, and that’s my first pet peeve. I know that static passwords (those that must be explicitly set) are easy to implement and use. That makes them convenient. For passwords on the web, I can program them into a browser or a password tool. That tool might even generate complex passwords for me, and that’s a good start.
Pet peeve number two is website registration forms that ask for personal information and include a field for a password, but don’t disclose the rules. So I enter “tbatstdgagitw” or some other random letters (five points if you can guess where I got that sequence of letters) and after pressing Submit, I get an error. The error message tells me I have to have some digits. Of course, if the password is too short, the next error tells me I must use a longer one. Note to web form designers: the rules may be good, but it is really bad human factors design to use the error message for instructions! Pet peeve number three goes along with number two: stupid rules. This graphic sums it up. Some password rules can be very valuable, but others are ridiculous. Why should passwords be complex? There are a couple of reasons. One, complexity helps mitigate shoulder-surfing attacks: if you are typing in a password at an internet café and some bad guy is watching, a complex password may be difficult for her to get right. Second, complex passwords are harder for most password cracking tools to discover. So complexity rules may have a place, but they need to be sane.
Pet peeve number four: changing passwords. I really hate changing passwords. Some organizations and some websites make me change my password every so often. They even remember old ones, so I can’t use “password1” one time and “password2” the next. But I found an easy way around this. If my “base password” is, say, “coffee,” I just use “August2012coffee,” then “November2012coffee” or whatever. That way I get uppercase letters, digits and everything, and I never have to think again. I suppose I could enhance that idea to deal with websites so I could use “amazonAugust2012coffee,” but some places actually limit the password length. Boneheads! Of course, if someone finds out that “coffee” is the base of all these, I’m toast…
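Here is an added example (my own illustration, not code from the post) showing the two points above from the form designer’s side: a policy whose rules are published for display before the form is submitted and evaluated all at once rather than one error at a time, plus a history check that catches the “August2012coffee” / “November2012coffee” pattern by stripping month and year tokens before comparing. The rule set and the date-token regex are constructed assumptions for illustration.

```python
import re
from typing import Callable, List, Tuple

# Constructed policy for illustration: (description, predicate) pairs.
# The descriptions are meant to be shown on the form *before* Submit,
# not discovered one at a time through error messages.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("at least 12 characters", lambda p: len(p) >= 12),
    ("at least one digit", lambda p: re.search(r"\d", p) is not None),
    ("at least one uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
]

MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
# Matches tokens such as "August2012" or "2012" that dress up a fixed base word.
DATE_TOKEN = re.compile(rf"({MONTHS})?\s*(19|20)\d{{2}}", re.IGNORECASE)


def rule_text() -> List[str]:
    """Rule descriptions to render next to the password field up front."""
    return [desc for desc, _ in RULES]


def failed_rules(password: str) -> List[str]:
    """Every rule the candidate fails, so the form can list them all at once."""
    return [desc for desc, ok in RULES if not ok(password)]


def base_form(password: str) -> str:
    """Remove month/year tokens and case so date-rotated variants compare equal."""
    return DATE_TOKEN.sub("", password).lower()


def reuses_base(new_password: str, history: List[str]) -> bool:
    """True if the new password is an old one with only the date token changed.

    The history is assumed to be available in comparable form; a real site
    would keep salted hashes and would need a different design for this check.
    """
    base = base_form(new_password)
    return any(base_form(old) == base for old in history)
```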
I have more password pet peeves, but I want to hear yours. Put them in the comments below.
We will have static passwords with us for a long time to come, I think. Tools like KeePass are a big help when we have to use such passwords. Fortunately biometrics and tokens are becoming much more common in the enterprise and in government agencies. We discuss these alternatives and multi-factor authentication in System and Network Security: A Comprehensive Introduction.