Here’s a sure-fire way to make sure users choose bad passwords:
- Force passwords to have a minimum length.
- Come up with some arbitrary rules regarding “complexity” of the password. E.g. that it contains at least one upper-case character and one digit.
- Keep a history of passwords. Make it huge, say at least 20.
- Force users to change passwords every 3 months.
- Prevent users from changing passwords for a number of days after a change. 5 days is good, it translates to a full week in most cases, plenty of time for the user to forget the password.
- Make sure that you hire only lazy people for the corporate helpdesk. “Lazy” in this case means that they invariably choose passwords like Acme123i when your users call in saying that they’ve forgotten the password they chose yesterday.
- Layer this on top of a centralised user database like ActiveDirectory to make it really difficult for your lazy helpdesk personnel to temporarily change the no-change-in-5-days rule for a specific user.
- Change Acme to whatever company you work for.[back]