My techy/IT brother has always said that security is just denial of functionality. In his job he has to deal with people who don’t understand such advanced concepts as rebooting, and for these and many other types of users it is just as well to lock some options away where they can’t be touched.
I am not a real tech wizard, but I have been mistaken for one. IT where I work has occasionally asked me for input on a problem with Microsoft Office software. So I think I am above average on the IT scale, competent to deal with reasonable and ordinary security.
But one of my online accounts had implemented a level of security I find daunting. It requires that your password be at least eight characters long, and include letters and numbers and at least one special symbol. Not numbers or symbols; numbers and at least one symbol. Now it’s amazing how many of my memorable passwords and variants are six characters long, and how hard it is to come up with one that’s at least eight characters. But on top of that, once I have to get letters and numbers and symbols all in there, it’s hopeless. I cannot remember the password. In fact, I have trouble entering it in right even if I have it right in front of me.
If you get it wrong three times, your account is locked and you have to call for help. I just got off the phone. I had my password reset. I came up with a new password. It had letters and numbers and it was eight characters. It was rejected for no symbols (not that the message said so; it just said “review the guidelines and try again”). So I changed one of the numbers to its symbol equivalent. But then I forgot to type in the other number, and it was rejected.
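As an added illustration (not code from the original post), here is a small checker for the policy described above, written to name every rule a candidate fails rather than replying "review the guidelines and try again". The rule names and the sample passwords are constructed for the example.

```python
import re

# Policy as described in the post: at least eight characters, and letters
# AND numbers AND at least one special symbol (all three, not any one).
MIN_LENGTH = 8

# Each rule is (human-readable name, predicate). Anything that is not a
# letter or digit counts as a "special symbol" here (an assumption; the
# post does not say which symbols the site accepts).
RULES = [
    ("at least 8 characters", lambda p: len(p) >= MIN_LENGTH),
    ("at least one letter", lambda p: re.search(r"[A-Za-z]", p) is not None),
    ("at least one number", lambda p: re.search(r"[0-9]", p) is not None),
    ("at least one special symbol", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def unmet_requirements(password):
    """Return the names of every policy rule the candidate password fails."""
    return [name for name, check in RULES if not check(password)]


def feedback(password):
    """Actionable rejection message: list the failing rules by name."""
    missing = unmet_requirements(password)
    if not missing:
        return "OK"
    return "Password rejected: " + "; ".join(missing)


if __name__ == "__main__":
    # Constructed samples retracing the attempts described in the post:
    # a six-character favourite, an eight-plus candidate with letters and
    # numbers but no symbol, the number swapped for a symbol (and the
    # other number forgotten), and finally one that satisfies all rules.
    for candidate in ["abc123", "lettersand12", "lettersand@", "lettersand1@"]:
        print(f"{candidate!r}: {feedback(candidate)}")
```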
I managed to get it right. This time. But, since when you are typing in your password you only see the little dots and you don’t know for sure what you typed, it’s pretty easy to try the wrong thing three times and lock your account. Especially if you can’t type the password correctly even when you are staring at it.
Besides being exceptionally inconvenient for me, the rightful user, I don’t think this password formula is effectively safer. I’ll let a tech expert correct me if I am wrong, but my understanding is that most online identity theft occurs by taking the user’s input, not guessing their password. Either the company’s “secure” database of user passwords is broken into, or a fake web site or a digital bug is used to capture the legitimate password as it is input. In either case, it doesn’t matter how complex your password is; it is captured exactly as is.
There’s still some risk for personal attacks, from someone who for whatever reason has it out for you in particular. But when your password is this complex, the chances of you memorizing it are extremely low, and that means it’s written down somewhere, and that written version is as much of a liability as keeping a simpler password in your head.
So all this complex password protects you from is someone who cannot access your local machine, who is sitting around trying to guess your password by random permutations of various significant details of your life. It’s like being given an oral antidote for the poisonous Brazilian rain-forest frog, when you live in the Northeastern USA, and the antidote gives you a headache.
In other words: it’s stupid!
Prime example of poor security/functionality tradeoff. This level of password restriction encourages more people to form the habit of writing down their passwords and sticking them under the monitor. Everyone knows to look for the password under the monitor, so overall corporate security is probably decreased.