1 comment

[ 3.3 ms ] story [ 10.1 ms ] thread
It’s nice to see these things resolved in studies but I thought the outcomes were rather predictable.

In the case of security, it isn’t enough to have a policy-maker be passionate about solving a problem. Simply having a policy (read: obstacle to getting work done) will not automatically instill passion in everybody else to solve the same problem. Instead, people will find the least-effort solution to work around the obstacle! Basic password transformations and/or writing passwords down should therefore have been anticipated by any “security expert” long before recommending frequent password changes.

Now, imagine this alternate approach:

- Educate everyone on passwords, emphasizing the length. The idea is to get users invested in the problem of security instead of just making a policy.

- Set up the system to reject any password less than 25 characters.

- Aside from length, no character restrictions. In fact, multiple spaced words (“pass phrase”) are strongly encouraged. Employees are encouraged to make their passwords memorable nonsense sentences such as “chair bleak elf combination” and so forth. Mobile interfaces are then designed to make it easy to search dictionary words (because so many people will be using them to enter very long passwords). In other words, build the system to make it easy to do what people will probably try to do anyway but make it secure.

- Passwords are not required to change as frequently as every quarter. Maybe once a year.

- Systems are set up to periodically require 2nd-factor authentication mechanisms, such as one-time text messages or E-mails.