Why don’t companies get the message about password changing?

I’ve seen dozens if not hundreds of articles stating the completely obvious: If you make people change their passwords every 90 days, put in place complexity rules and checks to stop them reusing passwords, and make them change the password on 4 different systems, the end result will be that people will need to write down their passwords somewhere near their computer. So why hasn’t the company I work at gotten that message yet?

It’s bad enough that I have to use the password recovery feature on 2 of those systems because it’s evidently not the one I wrote down, but the wonderful little system I use for generating passwords I can remember doesn’t work if I have to keep changing it.

  1. Don’t forget the rule that doesn’t allow you to use any part of the URL in the password. So a rational system for generating a password can’t depend on the domain name, which makes it harder to devise a rational system.

  2. I write down the truly awful ones (our pay info system asked for a password with complex rules and then a “security reminder in case of lost password” – following the same damn complex rules as the password!). I wrote both down.

    For most things which have a frequency/re-use issue but not horrid complexity masks I usually pick a song and cycle through the lyrics. For systems I administer (e.g. root/other priv passwords) there is usually some in-joke on my team I can cannibalize.

    I’m not convinced that writing down passwords is bad if it is done rationally. The sticky note on the monitor with helpful labels is really bad. The notepad in the locked file cabinet or the index card in the wallet with only a vague or cryptic note on which password is for which service? Not so much.

    One of my coworkers uses a password manager on his desktop, and just has to remember the password to that.

  3. Bruce Schneier says write your passwords down on little pieces of paper. The problem of keeping valuable little pieces of paper safe and available has long been solved: it’s called a “wallet”.

    But then, I don’t do that.

  4. I’m with Bill Schneier. Interestingly, the only reason we have mandated yearly password changes at work is because the federal government requires it as part of data security for grants.

  5. Yea for the password manager. Try “Keepass” from portableapps.com, on a flash drive. Have an extra one at home for backup in case you misplace the one in your pocket or on your keyring. Then write the master pw on a sticky and paste on the monitor!!!!