I’m an IT professional with a long and varied career. I guess that may stand for something when I say that passwords are like belts AND braces: they give a feeling of security and familiarity, but don’t add anything to the overall function of the system. Perhaps you have a better analogy?
I’ve just gone through the routine of password changing for my employer, which is mandated every 90 days (due to some arcane European law) with attendant rules such as “must be eight characters or more” and including upper and lower case with special characters. Now, that last piece was my undoing today.
I agree with the whole ‘complexity equals security’ thing to some degree but I have at least ten places that I regularly sign into for my work (corporate websites, email client, laptop, file sharing) and I like to keep them in sync – one day’s pain is enough without contemplating different passwords for each. So I take a couple of hours each quarter and hit the buttons, working my way through a list of sites and technologies. I do it in a particular order too – change my BYOD MDM before changing the underlying mobile email client’s so that I don’t time out my access via too many ‘sync’ events while working through the list. It feels a little like standing on one leg while whistling Dixie.
And that’s the thing. I’m very hardened to computing technology’s ability to impose stringent rules and logically do the illogical. I once lost hundreds of hours of typing on a computer program I’d written while doing my degree, all down to a single press of the wrong button. Ever since I’ve held no awe for computing’s infallibility, and today revealed another step on the downwards spiral. For today I chose a special character for my password which represents a currency symbol – pounds, dollars or whatnot. Most of the password systems accepted it but as I reached mid-point through the list one rejected it. With a sigh I substituted another character but then the next rejected that also, leaving me now with THREE different variations of password and no way back.
In case you think I should just change them all to something else – my corporate systems at one point mandate that passwords should not be changed more than once per day, so no, that’s no solution either. Until tomorrow…
We seriously need to rethink this computing paradigm.