Password stupidity is no longer viable

[Of course, it’s not stupidity. It’s fear and superstition, which often go together. First, the rant.]

It’s 2023. Major corporations should not be posting rules like this:

This is not just security theatre. It’s a waste of time, the math makes no sense and it leads people to create worse passwords, not better ones.

If the person who maintains your office sprayed water on the front walk just before the temperature dropped to freezing, you’d never stand for that. If the folks who filed your taxes simply made up numbers that felt like they made sense, you’d switch accountants.

If a company can’t get this simple system right, how can we trust them to make a refrigerator?

There is plenty of insightful, effective thinking about online security. Your organization embarrasses itself when it hassles customers to engage in silliness like this. Stupidity is easier to spot and fix than ever before.

PS: If this is broken but looks fine to the boss, what else in your organization is similarly grounded in superstition or the status quo?

[The challenge with tech is that the person doing the work often has a boss who doesn’t understand the work and isn’t willing to put in the time to do so.

Twenty years ago, I ranted about the forms that have a pull-down for US citizens challenging them to choose which of fifty states they live in, and country pull-downs that begin with Andorra and put two of the biggest ecommerce countries in the world at the end of a list of more than a hundred. There’s no good technical reason for this. It’s simply the way someone created a template at the end of the last century, and it’s easier to simply go along.

Now that AI is about to rewrite just about every rule of our culture, perhaps it’s a good time for the boss to commit to understanding it.]