Joel was saying something about the abstraction that goes on in a company that most people don’t see.
Recently some decisions were made at the company I work for that show some people here have no idea how to make things easier for developers. One of the things that costs a few minutes on every login (and I log in quite often, since I lock the computer often) is having to change the password at a fixed interval. This never works, and I have no idea why administrators insist on it. Either they have no idea what people are actually doing about it, or they are just ignoring it.
Let’s see how it works. You get an alert telling you that you will need to change your password within the next week or so, and you decide to do it now. The first thing most people try is to add a number. If that works, the new password is the old one with a digit appended, which makes it no more secure. If the system does not allow similar passwords, there are a few other scenarios.
- The first option is to change the password enough times that the system’s history no longer remembers the old one, and then go back to it. Not secure.
- Another is to use something you can see from your desk as the password (for example the monitor model name, a poster on the wall behind you, and so on). This is not secure either, but it might work if the cracker does not know where you work.
- The next option is to try to think of a genuinely new strong password. You are going to forget it, or you will have to write it down; at best you write it down on your phone or PDA. Not that secure either.
There are of course other options – you might actually be able to remember the new password. Congratulations, you’re a rare kind.
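Two checks an administrator could put behind the change-password form and the audit log to catch exactly the two shortcuts described above (appending a digit to the old password, and cycling through the history to get back to it). This is an added example, not code from the original post; the log line format, the thresholds and the sample log are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is `old` with only case changes, a changed digit
    prefix/suffix, or at most two edited characters ('Summer2020' -> 'Summer2021')."""
    core = lambda p: re.sub(r"^\d+|\d+$", "", p).lower()
    if core(old) == core(new):
        return True
    return _edit_distance(old.lower(), new.lower()) <= 2

def find_history_cycling(log_lines, max_changes=3, window=timedelta(hours=1)):
    """Flag users with more than `max_changes` PASSWORD_CHANGED events inside any
    `window`: cycling the history. Assumed log format: '<iso-timestamp> <user> <event>'."""
    changes = defaultdict(list)
    for line in log_lines:
        ts, user, event = line.split()
        if event == "PASSWORD_CHANGED":
            changes[user].append(datetime.fromisoformat(ts))
    flagged = []
    for user, times in changes.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window > max_changes:
                flagged.append(user)
                break
    return sorted(flagged)

# Constructed sample log: alice burns through the history in minutes, bob changes once.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 alice PASSWORD_CHANGED",
    "2024-03-01T09:01:00 alice PASSWORD_CHANGED",
    "2024-03-01T09:02:00 alice PASSWORD_CHANGED",
    "2024-03-01T09:03:00 alice PASSWORD_CHANGED",
    "2024-03-01T09:06:00 bob PASSWORD_CHANGED",
    "2024-03-01T10:00:00 carol PASSWORD_CHANGED",
    "2024-03-05T10:00:00 carol PASSWORD_CHANGED",
]
```

A minimum password age (so a user cannot make four changes in three minutes) removes the cycling trick at the policy level; the detector above shows where it is already happening.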
Whatever the argument for this, I still can’t remember the password, and I’m losing time, concentration and nerves every time I enter my previous password instead of the new one.
If keeping your old password is, in your opinion, secure enough, why would the first option, which games the system into allowing you to do just that, be insecure?
Otherwise, my phone has an application that lets me store all my passwords behind a wall of encryption and a master password. I’m sure I could write one myself, if need be.
Point being that administrators say it’s more secure to change the password. I think it isn’t. It’s better to have one password, and since you know you’re not gonna change it, you treat it better.