Insecure Security

Your password must be at least 12 characters, and include capital and lowercase, numbers, and punctuation marks.  It cannot be any of your last 10 passwords.  Also, you must change it every 10 days.

And, since we all have online accounts at 25 or more websites, all with different password strength requirements, that means that most of us either...

• program our browsers to remember our passwords
• create a text document to keep all our passwords
• or, write them on a sticky note and paste them all over our desk.

Now, many sites are actively seeking to defeat password memory by waiting 1 second and blanking the login fields, just in case you programmed your browser to remember it.

Why?  Clearly this can't be in the name of security, because you're forcing everyone to make records of their passwords.  A password like grommet would be adequate for most web sites.  It just doesn't make any sense to force people to use passwords like L9We&$KjU88.  That is a GUARANTEED breach of security policy because the user is going to write it down somewhere.

Designers take heed.  Let the users determine what passwords are secure enough.  Other than banking and medical stuff, there is nothing requiring this strong a password.

...

---

Bryan Valencia is a contributing editor and founder of Visual Studio Journey.  He owns and operates Software Services, a web design and hosting company in Manteca, California.