Worst Security Practices: Forced Password Changes

re: How Corporate Security Sloppiness Threatens Your Online Life and How You Can Reduce Your Risk
re: Computer Security: 7 Rules to Keep Hackers at Bay

The industry of professionals dealing with all sorts of things like health care, employee portals, taxes, etc., is a clown show of incompetent minds who follow so many “worst practices” that it boggles the mind.

My identity information including SSN has been compromised twice in the past 5 months by these clowns. The problem is on the corporate end; never in my life has a password I chose ever been compromised by me. It’s always caused by professional idiots due to Worst Practices in security. It stems from there being nil risk to the management—why bother spending money to fix something that won’t affect the next stock grant?

Meanwhile, we are bombarded with FCC-mandated “Cookies” garbage dialogs that do nothing to increase online security. Billions of useless clicks. That’s all your government can do for you—harass you on every web site.

The security theater at ADP

Just today, the clowns at ADP and their annual enrollment system required me to change my long and complex and superb password. Every year.

Naturally, I did the only practical thing, something I bet that most everyone would do: I changed a single character. What else? I don’t have the time or patience to think up some new complex password, and do it every year for a dozen sites designed by another group of corporate morons.

I may have to switch to a system of long gibberish passwords that I could never memorize or type correctly, relying on a password manager for everything, and thus risking everything. The law of unintended consequences comes to bear.

Forced reset. 8 characters and that’s it?

Password worst practices: forced password reset

Why it stinks

If a password has been compromised, the game is over.

But if it has not been compromised, a password has not aged like stale milk; it is just as good as it always was and arguably better, having never been compromised. This is a stupid game, as stupid as it gets. The game is about their own incompetence, and in following stupid rules, not about your security—security theater.

The net result of forced password changes is to reduce password quality. This stems directly from basic human psychology:

  • Having taken the time to create and memorize a good password, you must now do it all over again. You won’t try as hard the next time because you know your effort is wasted.
  • You will write it down because being forced to think up and memorize passwords is hard enough, but being forced to redo it every year for many sites is a nightmare.
  • You are much more likely to re-use the same PW many different places because of the hassle.

The whole thing stinks. The only possible rationale I can see for requiring a password change is the incompetence of the web site with its own security. But think about that—changing your password won’t change their shitty security one bit.
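The single-character and trailing-digit rotations described above are easy for a password-change endpoint to catch at change time, because the user has just proven the current password in plaintext. Added example (Python, not code from this post): a check that rejects a new password that is a trivial variant of the current one; the threshold, function names and sample passwords are assumptions, and the idea is the same as the `difok` setting in pam_pwquality.

```python
import re
from typing import Optional

# Assumed threshold: fewer than this many edits from the current password
# is rejected (pam_pwquality's "difok" setting expresses the same idea).
MIN_EDIT_DISTANCE = 3

_TRAILING_NUM = re.compile(r"^(.*?)(\d+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_counter_bump(old: str, new: str) -> bool:
    """True when only the trailing number changed (hunter2 -> hunter3)."""
    mo, mn = _TRAILING_NUM.match(old), _TRAILING_NUM.match(new)
    return bool(mo and mn and mo.group(1).lower() == mn.group(1).lower())


def trivial_variant_reason(old: str, new: str) -> Optional[str]:
    """Why the new password is a trivial variant of the current one, or None.

    Both values are plaintext here because a change request carries the
    current password as proof. Stored history stays hashed and can only be
    checked for exact reuse, which is why this distance check matters.
    """
    if new.lower() == old.lower():
        return "same as current password"
    if is_counter_bump(old, new):
        return "only the trailing number changed"
    d = levenshtein(old.lower(), new.lower())
    if d < MIN_EDIT_DISTANCE:
        return f"only {d} character(s) differ from current password"
    return None


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Tr0ub4dor&3", "Tr0ub4dor&4"), ("Summer2023!", "Summer2024!"),
                     ("correct horse", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {trivial_variant_reason(old, new) or 'accepted'}")
```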

Anon writes:

Oy veh,

You got off easy with only one mandatory password change per website per year. The electronic medical records software at my office is a total POS. Passwords have to be changed every quarter. Only there are I think two other passwords I have to enter to wade through all the levels of servers, etc. just to get to the EMR application. And of course, those have to be updated every three months also. I tried a password manager for these once, but I have multiple workstations, one in each exam room at work, and they won’t let me install a password manager on them, so what’s the option? The simplest password I can remember and also get away with. I just rotate them once a quarter by incrementing the trailing digit by 1. The system says I cannot reuse passwords, but it only looks back to the last three, so I’m safe. Bad security, but frankly, I don’t give a füç%. Corporate has already been hacked for ransomware and had no effective backups, so if they don’t give a shit, why should I?

MPG: more persuasive than my points above, methinks.

Copyright © 2020 diglloyd Inc, all rights reserved.