Wednesday, October 12, 2011

password rant

one thing that really drives me batty is when a site that i have been visiting for a while suddenly tells me that my password is no longer acceptable because it doesn't fit the new rules defining a permissible password. who are they to tell me what my password should be?

even if we assume that the so-called "strong" passwords really are more secure (actually they are not), choosing a password should be an individual cost-benefit decision. there are easy-to-remember passwords that are less secure, and harder-to-remember passwords that are more secure. different people can come to different conclusions about how they weigh the relative importance of security vs. convenience. the people who worry more about their accounts being compromised might think it's worth it to come up with a convoluted password, even if it means that they have to make a few tries before they get the right combination of characters to access their accounts. others might not be all that worried about security and would rather just use the same easily guessable password they use for everything. those people, the people who pick 1234 for their ATM pin code, assume the risk of having their account compromised in exchange for the convenience of never forgetting their password.

we all fall somewhere along the continuum of how we weigh security against convenience. but wherever we are, why can't we just be treated like grown-ups and get to decide for ourselves how risky we want to be? it's one thing for a web site to inform you that your password is laughably weak, but it's another to force everyone who doesn't meet some arbitrary security parameter to change it, especially if that means changing a password you have used for years without incident.