How to make sure corporate users choose bad passwords

Here’s a sure-fire way to make sure users choose bad passwords:

  • Force passwords to have a minimum length.
  • Come up with some arbitrary rules regarding “complexity” of the password. E.g. that it contains at least one upper-case character and one digit.
  • Keep a history of passwords. Make it huge, say at least 20.
  • Force users to change passwords every 3 months.
  • Prevent users from changing passwords for a number of days after a change. 5 days is good: it translates to a full week in most cases, plenty of time for the user to forget the password.
  • Make sure that you hire only lazy people for the corporate helpdesk. “Lazy” in this case means that they invariably choose passwords like Acme123i [1] when your users call in saying that they’ve forgotten the password they chose yesterday.
  • Layer this on top of a centralised user database like Active Directory to make it really difficult for your lazy helpdesk personnel to temporarily change the no-change-in-5-days rule for a specific user.

  1. Change Acme to whatever company you work for.
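To see why the recipe above works, it helps to write the rules down as code. The following is an added example, not code from the original post: it encodes the composition rule (minimum length, one upper-case letter, one digit), the password history, and the minimum/maximum age, and then runs a helpdesk-style reset such as Acme123i through them. Every rule accepts it, while a long passphrase with no capital or digit is rejected. The last function adds the screen the policy above lacks, the NIST SP 800-63B recommendation to reject candidates containing context-specific words such as the company name. The company name "Acme", the minimum length of 8, the dates and the history entries are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed parameters for this example. The post gives only "a minimum
# length", "at least 20" history entries, a 5-day minimum age and a 3-month
# maximum age; the concrete minimum length and company name are assumptions.
COMPANY_NAME = "Acme"
MIN_LENGTH = 8
HISTORY_SIZE = 20
MIN_AGE = timedelta(days=5)
MAX_AGE = timedelta(days=90)


def composition_ok(password):
    """The post's 'complexity' rule: minimum length plus at least one
    upper-case letter and one digit."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def history_ok(password, history):
    """Reject a password that appears among the last HISTORY_SIZE entries.
    Plain strings here; a real directory compares against stored hashes."""
    return password not in history[-HISTORY_SIZE:]


def change_allowed(last_change, now):
    """Minimum-age rule: no further change within MIN_AGE of the previous one."""
    return now - last_change >= MIN_AGE


def change_required(last_change, now):
    """Maximum-age rule: a change is forced once MAX_AGE has elapsed."""
    return now - last_change >= MAX_AGE


def contains_context_word(password, context_words):
    """The screen the post's policy lacks: NIST SP 800-63B recommends rejecting
    candidates that contain context-specific words (company or service name,
    username), no matter how many digits or capitals they carry."""
    lowered = password.lower()
    return any(word.lower() in lowered for word in context_words)


def evaluate(password, history, last_change, now, context_words=(COMPANY_NAME,)):
    """Run every rule and report each outcome, so the gap between 'passes the
    composition policy' and 'is a good password' is visible."""
    results = {
        "composition": composition_ok(password),
        "not_in_history": history_ok(password, history),
        "min_age_satisfied": change_allowed(last_change, now),
        "rotation_due": change_required(last_change, now),
        "free_of_context_words": not contains_context_word(password, context_words),
    }
    results["accepted_by_post_policy"] = all(
        results[k] for k in ("composition", "not_in_history", "min_age_satisfied"))
    results["accepted_with_context_screen"] = (
        results["accepted_by_post_policy"] and results["free_of_context_words"])
    return results


if __name__ == "__main__":
    # Constructed scenario: the last change was six days ago, so the minimum
    # age has elapsed and the helpdesk is free to set a new password.
    now = datetime(2024, 3, 12)
    last_change = now - timedelta(days=6)
    history = ["Acme122i", "Winter2023x"]   # constructed history entries
    for candidate in ("Acme123i", "correcthorsebatterystaple"):
        for rule, outcome in evaluate(candidate, history, last_change, now).items():
            print(f"{candidate:28} {rule:30} {outcome}")
    # The post's "forgot it the day after changing it" case: the minimum-age
    # rule blocks the user, which is what pushes the reset onto the helpdesk.
    print("change allowed one day later:",
          change_allowed(now - timedelta(days=1), now))
```

Running it prints one line per rule: Acme123i is accepted by every rule the post lists and rejected only by the context-word screen, while the passphrase fails the composition rule outright. Swap the constructed `COMPANY_NAME` for your own, as the footnote suggests, and the same result follows.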