As a technology obsessed society we're drowning in a sea of passwords. Remember when your locker combo was all you had to memorize? Now I have over 100 different passwords. It’s ridiculous.
The problem is no one can possibly remember that many passwords. So what do we do as lazy tech connoisseurs? We simply use the same password over and over again. Problem solved! In fact, research performed at Carnegie Mellon University in 2014 suggests that 80% of people reuse their passwords.
No wonder cyber security breaches are so rampant. We are lazy to the point of negligence. Need more evidence? “123456” was the most popular password in 2015.
In order to save us from ourselves, organizations are encouraged to establish password policies that force us to formulate stronger passwords. In general, password policies bolster cyber security and are necessary for a strong internal control environment. Their existence is perfectly understandable; but, that doesn’t make password policies any less annoying.
Here’s are the top password policies we love to hate:
Typically, two-factor authentication requires a password and something else like a security token or a key fob. There is no argument about the benefits of two-factor authentication, especially for sensitive data. (PII anyone?) But more factors only lead to more hassle for the user.
Tell me I am not the only one who has shown up at work after sitting in traffic for an hour to realize that I left that pesky key fob at home. I love wasting billable time to call the IT hotline for a temporary code. It’s the best.
Automatic change of password time frame
Requiring users to change their password after a certain period of time is one of the most infuriating policies on earth. For instance, you finally memorized your perfect password. It has more password entropy than you know what to do with and 3…2…1…
“Your password has expired. Create a new password.”
Noooo! It is enough to make a person cry.
Closely related to the automatic change policy is the dreaded password history.
After getting prompted to change your passwords you think, “No big deal, I will just re-submit my old password,” and out of nowhere it is denied. The new password cannot be the same as any of the last five. Foiled again!
Rather than letting the computer have the last laugh, you tweak your password and move on. The next time you login, good luck remembering the minor change. It’s inevitable you will lock yourself out of your account while your muscle memory gets the hang of it. There goes more billable time spent unlocking your account. There is a charge code for that, right?
Until we figure out another acceptable means for authentication (e.g. biometrics become more mainstream) passwords are will continue to be both relevant and a pain in the neck. I will leave you with a few techniques to keep track of your passwords without going insane.
Did I miss any policies that you enjoy loathing? Post them in the comments.