I seem to be spending an inordinate amount of time these days resetting my password. I used to have a handful of passwords which I rotated between types of sites--one for email, one for financial, etc. But the number of sites that I use has grown, and so has the complexity that many of them demand. This eventually triggered a sort of a vicious cycle--as I got more passwords, it became harder to remember which one I'd used where, and the number of passwords I'd employed greatly exceeded the three-attempt limit after which many systems lock you out. That meant I needed to get my passwords reset, often by sites that do not allow you to recycle, so now I had even more passwords . . .

What's left, other than an easily-hackable master list?

What ought to be left is that network administrators get more reasonable about their security requirements. Instead, they're going in the other direction--longer passwords, more forced changes, more special characters that make the passwords harder to remember. The New York Times discusses the ridiculous excesses of password policy that are now prevalent in many places:

After investigating password requirements in a variety of settings, Mr. Herley is critical not of users but of system administrators who aren't paying enough attention to the inconvenience of making people comply with arcane rules. "It is not users who need to be better educated on the risks of various attacks, but the security community," he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen's College in Oxford, England. "Security advice simply offers a bad cost-benefit tradeoff to users."

One might guess that heavily trafficked Web sites -- especially those that provide access to users' financial information -- would have requirements for strong passwords. But it turns out that password policies of many such sites are among the most relaxed. These sites don't publicly discuss security breaches, but Mr. Herley said it "isn't plausible" that these sites would use such policies if their users weren't adequately protected from attacks by those who do not know the password.

Mr. Herley, working with Dinei Florêncio, also at Microsoft Research, looked at the password policies of 75 Web sites. At the Symposium on Usable Privacy and Security, held in July in Redmond, Wash., they reported that the sites that allowed relatively weak passwords were busy commercial destinations, including PayPal, Amazon.com and Fidelity Investments. The sites that insisted on very complex passwords were mostly government and university sites. What accounts for the difference? They suggest that "when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."
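Herley's remark that busy sites can afford relaxed rules because users are "adequately protected from attacks by those who do not know the password" rests on a back-of-the-envelope calculation that is worth doing explicitly. The following Python is an added illustration, not code from the blog post, the Times article, or Herley and Florêncio's paper. It models two attackers: one guessing online against a login form that locks the account after a few failures, and one cracking a stolen password hash offline. The lockout policy (3 attempts per 15 minutes), the one-year attack window, and the offline hash rate of ten billion guesses per second are constructed assumptions chosen for the example; the password policies compared (8 lowercase letters versus 15 mixed printable characters) are likewise illustrative, not figures from the page.

```python
import math

# Constructed assumptions for the comparison (not figures from the page).
LOCKOUT_ATTEMPTS = 3          # failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts
ATTACK_HORIZON_SECONDS = 365 * 24 * 3600   # attacker keeps trying for a year
OFFLINE_GUESSES_PER_SECOND = 1e10          # cracking a stolen hash, assumed rate

# Illustrative policies: (alphabet size, required length).
POLICIES = {
    "relaxed: 8 lowercase letters": (26, 8),
    "strict: 15 mixed printable chars": (94, 15),
}


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the policy admits (brute-force keyspace)."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed in bits, the usual way policies are compared."""
    return length * math.log2(alphabet_size)


def online_guess_budget(attempts: int, lockout_seconds: int, horizon_seconds: int) -> int:
    """Guesses an online attacker can make before lockout-throttled login.

    Model: each lockout window grants `attempts` tries, then the account is
    locked for `lockout_seconds`; guesses themselves take negligible time.
    """
    windows = horizon_seconds // lockout_seconds
    return attempts * windows


def online_success_probability(alphabet_size: int, length: int, guesses: int) -> float:
    """Chance a uniformly chosen password falls inside the attacker's guess budget."""
    return min(1.0, guesses / keyspace_size(alphabet_size, length))


def offline_expected_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Expected time to brute-force one stolen hash: half the keyspace at `rate`."""
    return keyspace_size(alphabet_size, length) / 2 / rate


def compare_policies() -> dict:
    """Summarise online vs offline exposure for each illustrative policy."""
    budget = online_guess_budget(LOCKOUT_ATTEMPTS, LOCKOUT_SECONDS, ATTACK_HORIZON_SECONDS)
    summary = {}
    for name, (alphabet, length) in POLICIES.items():
        summary[name] = {
            "bits": round(keyspace_bits(alphabet, length), 1),
            "online_guesses_in_a_year": budget,
            "online_success_probability": online_success_probability(alphabet, length, budget),
            "offline_expected_seconds": offline_expected_seconds(alphabet, length, OFFLINE_GUESSES_PER_SECOND),
        }
    return summary


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(name)
        for key, value in row.items():
            print(f"  {key}: {value:.3g}" if isinstance(value, float) else f"  {key}: {value}")
```

Under these assumptions the online attacker gets roughly a hundred thousand guesses in a year no matter how the password is formed, which is a vanishingly small slice of even the relaxed 8-letter keyspace. The strict policy only starts to pay for itself in the offline column, that is, once the site has already lost its hash database. That is the cost-benefit asymmetry Herley is pointing at: a lockout on the login form protects the user from guessers at almost no cost to memory, while the fifteen-character rule mainly defends against a breach the site is responsible for preventing in the first place.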

Speaking as a former network administrator, I think the breed substantially underestimates the inconvenience to which they are putting their users. That's because network administrators have to log in to the network many times a day on different machines, which keeps their absurdly long gibberish password fresh in their minds. Once that changes, the challenges of remembering a fifteen-digit string of letters, numbers and special characters rapidly mount.