It is this time again where I have to change my UGA password. Now, the rules have tightened — I can’t re-use an old password. What those who make these policies should know is that such rules make passwords less secure, not more.
How so? I have three tiers of passwords. My first tier is rough, with high entropy. They may look like a malformed perl script, except they are not. Good luck brute-forcing those. I use those to secure my primary computers. And since these are difficult to create in a reasonable way so I can memorize them, I do not change the first tier very often. Every few years, I create a new set, usually longer than the previous one. Apart from that, I do not share them, I do not store them, I do not write them down.
Passwords in the second tier are less demanding: Not as long, and usually without special symbols or maybe one to satisfy some minimum requirements. I use them for systems that I trust less (and this clearly includes UGA’s systems, whose mail servers are in Microsoft’s hands). Some of these I write down (unlike Tier-1 passwords, which are in my head only). I still think that my second tier passwords are reasonably secure.
My third tier passwords are related to those in tier-2 in difficulty. but I reuse them often, for example for websites where I don’t care if it gets cracked or stolen. I use those specifically for web sites where I am forced to fill out those inane “security” questions, such as my mother’s maiden name — “security” has to be in quotes, because a hacker won’t find it particularly hard to find the answers on the web. And this means that while demands for the regular passwords become stricter over time, the “security” questions open a backdoor that makes the passwords rather irrelevant. So, a third tier for web sites whose security is low to begin with.
What about UGA’s new rule, then? I can’t re-use a good password, so I have to use something that I can easily memorize. A practical solution presents itself with a Tier-3 password that has a two-digit counter, such as FobHasO#01 (meets requirements of length, upper- and lower case, special symbol, and digits). And every time I have to change the password, I simply count up. Next time, this would become FobHasO#02. And I have to write down where the counter stands. And I re-use those for other sites with similar requirements to limit the number of passwords that I have to manage.
Essentially, a feel-good attempt to make passwords more secure clearly leads to passwords that are less secure. So how dumb do you want to make password security?
Ah, yes. Two-factor authentication. Passwords become less secure, so let’s add another layer of inconvenience. Moreover, 2FA is often turned off when you reset the passwords and fall back onto those “security” questions. Plus — and this will get interesting — what do those rare people do who do not have a cell phone, and who do not want to have a cell phone?