Password policies generally suck

Tags:

The other day I was talking with someone about passwords. They had a policy that you are not allowed to use your old passwords again, and that got me thinking: Is this actually improving or reducing password safety?

Especially bringing this topic to spotlight today is a recent password leak from a popular finnish online game, Älypää. Their site was hacked and over 120 000 passwords were acquired, many of them very, very weak.

I talked with a few others about this, and many said that they simply used a number after their password – MySecurePassword1, MySecurePassword2 and so on. Coming up and learning to remember a completely new password just was not worth the trouble of doing it every month or so.

Does this make the password policy better than one which allows you to choose your password more freely?

No.

I don’t think this is a good thing at all.

The main purprose of having a policy that requires you to think of a new password is to reduce the likelihood of someone getting your password and it still being valid. However, what if your password ends in a number such as 5?

If the hacker/cracker/whatever is smart, they might just try incrementing the number by one when it fails… and bam, they are in. Essentially, this kind of policy could work against itself!

So what’s a good password policy?

I want to ask you this, dear reader. What do you think is a good password policy, since the ones we see used clearly don’t work as well as people putting them in place think.