Saturday, February 11, 2017

Security Before All Else

 

I have this bug up my @$$:  every time I log on to one of my favorite sites — the ones that require a password anyway — I'm being prompted to change my password to something more secure.  I'm not sure why the security of my password should be anyone's concern but mine.  After all, if I feel secure enough with a password of '42', why should anyone else care?  If my password gets hacked, who's going to get hurt, me or the site that I had an insecure password for?  Answer:  me.

Yet site after site seems intent on forcing me to select a password that can only be remembered if written down.  How secure is that?  Any normal person will have a single location, maybe a note on their smartphone, where they keep a record of all their passwords.  Lose your iPhone and — guess what? — every last one of your passwords is now exposed.

The only thing I can think of is that the webmasters for these sites are PFCSKs* fresh out of community college where they learned to verify a string has at least one upper case character, at least one lower case character, at least one numeral, and at least one symbol.  They're thrilled over their new-found skills and just dying to test them out.  Thus:  "We're sorry," (not!)  "Your current password does not meet our password guidelines." (Oh, really?  How did they know?  Answer: they read your password and analyzed it.  Oh, that's secure...)  "Please change your password now to one which has an equal number of upper-case characters and special symbols plus half as many numerals as lower case characters.  Your password must be at least 17 characters long.  Thank you for helping us make your data secure." (It's my shopping list!  How much damage will it do if my neighbor finds out what I buy at the supermarket??)

Because everyone must now have a secret list where they can discover what arcane password they used for every website with a sudden interest in their (sometimes paying) customers' data security, we're seeing the truth in that old IT adage:  the quest for complete security sometimes leads to 'none at all'.

 

(*) Pimply-faced computer-science kids.
