Password Requirements: Keeping Your Data Safe by Keeping Your Data Inaccessible
I realize I’m not going to say anything here that xkcd hasn’t already said:
But is it just me, or are we making it even harder on ourselves as we go on?
It’s been a while since I actually had to deal with regularly changing passwords for the same account (the bane of every office worker, to hear people with real jobs tell it, but I wouldn’t know about that).
I do, however, have to maintain an ever-expanding collection of website accounts as I write for more and more people. A few of them set their own passwords, but far more prefer to generate long, random strings of gibberish alphanumeric characters that I could never, in a million years, commit to memory. And while I’m often able to reset to my own, personal password, the internal requirements have gotten so stringent that I can’t even use the “at least six characters long with some numbers and shit in there somewhere” passwords I’ve been rotating through my brain for the last decade or so.
The end result is, of course, that the passwords just get written down and stored physically, which is the exact opposite of security. Though I suppose a handwritten note somewhere in my office (re: bedroom) is relatively safe unless we’re being targeted by housebreaking data thieves, which seems a little physical for your average hacker. So maybe that was the point all along?
Now that I think about it, “force all of us to store our passwords physically” is a pretty great way to keep our data off the web. If only it didn’t have the unfortunate side-effect of making me not want to use the web, even when I’m being paid to.