October 28, 2009, 12:11 PM — After I pointed out that running multiple anti-virus or firewall programs on the same PC is a really bad security idea, some of my readers reminded me that that's not the only common, but stupid, idea people have about security. Another far too popular, and dumb, idea is that making users use long, complicated passwords that change frequently is good for security. No, it's not.
As Jonathan Yarmis, a research fellow at the research company Ovum, pointed out to me, "My favorite is onerous password requirements. 17 letters, characters and numbers. Changed every 30 days. No repeats nor anything similar. GUARANTEES that the person has to write it down within 5 feet of their computer."
Yep, he's got that right. If you make your password policy a major pain-in-the-rump, you just make it a sure thing that no one will use their passwords safely. Yarmis isn't making his example up. I knew one company where the passwords had to be 20 characters long and changed every month. Of course, no one at that business took the password policy seriously and, sure enough, they had their servers raided within a year.
If you make basic security hard to do, you only make certain that it won't be used. It's really that simple.
Of course, writing down your passwords may not be that awful an idea. As no less a figure than security guru Bruce Schneier wrote, "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
Notice, though, that he said to keep it in your wallet, or some other reasonably secure location. I mean, you may not notice if a piece of paper on your desk disappears, but you'll certainly know if your wallet goes missing.
But what if you have to deal with dozens of passwords for multiple Web sites? You could put those passwords on paper, but with as many passwords as we're stuck with using these days, that can quickly become a pain in its own right.
At the same time, the last thing you want to do is make the classic mistakes of using your name, your wife's name, and so on as a password. Those are the first guesses an attacker tries, and that's just asking for someone to get into your accounts.
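To make the dictionary-attack point concrete (the one Schneier raises above, and the reason a name with a year tacked on is no better), here is an added example that is not part of the original column. It builds a constructed, unsalted SHA-256 "password file" of the kind careless sites stored, then runs a small wordlist with the usual mangling rules (capitalization, leet substitutions, a digit, a bang, a year) against it. The wordlist, the user names and the passwords are all made up for the demonstration; a real attack uses millions of base words, but the rules are the same.

```python
import hashlib
import secrets
import string


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, as a careless 2009-era site might store a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def random_password(length: int = 20) -> str:
    """A random password of the kind a manager (or a slip in your wallet) holds.
    94 printable ASCII symbols over 20 positions is roughly 131 bits of choice,
    so no wordlist-plus-rules attack will reach it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed wordlist (assumption for the demo): common words plus first names.
WORDLIST = ["password", "summer", "winter", "jennifer", "michael",
            "dragon", "letmein", "welcome", "monkey", "qwerty"]

# Leet substitutions that "add a symbol" rules push people toward.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Suffixes that "add a digit / symbol / rotate quarterly" rules produce.
SUFFIXES = ["", "1", "!", "1!", "123"]
SUFFIXES += [str(y) for y in range(2000, 2011)]            # "2000".."2010"
SUFFIXES += [f"{y % 100:02d}" for y in range(2000, 2011)]  # "00".."10"


def candidates(wordlist=WORDLIST):
    """Yield every mangled form of every base word: case, leet, suffix."""
    for word in wordlist:
        cases = {word, word.capitalize(), word.upper()}
        forms = cases | {c.translate(LEET) for c in cases}
        for form in forms:
            for suffix in SUFFIXES:
                yield form + suffix


def crack(digests: dict, wordlist=WORDLIST):
    """Dictionary attack: hash each candidate once and look it up against every
    stored digest. Returns ({user: recovered_password}, candidates_tried)."""
    by_digest = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, []).append(user)
    recovered = {}
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        for user in by_digest.get(sha256_hex(cand), []):
            recovered[user] = cand
    return recovered, tried


def demo():
    """Build the constructed password file and attack it."""
    plaintexts = {                   # constructed sample users and passwords
        "alice": "Password1!",       # meets "upper, digit, symbol" rules
        "bob": "Jennifer2009",       # wife's name plus the year
        "carol": "Summer09",         # the quarterly-rotation classic
        "dave": random_password(),   # 20 random characters, written in a wallet
    }
    digests = {u: sha256_hex(p) for u, p in plaintexts.items()}
    return crack(digests)


if __name__ == "__main__":
    recovered, tried = demo()
    print(f"tried {tried} candidates")
    for user, pw in recovered.items():
        print(f"recovered {user}: {pw}")
```

Three of the four "complex" passwords fall to well under two thousand guesses, because a complexity rule only changes how a dictionary word is decorated, not whether it is a dictionary word. The random 20-character password cannot be hit by this kind of attack at all, which is exactly why writing such a password down (or letting a manager hold it) beats memorising a clever variation of your wife's name.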
What I use these days for managing my mess of passwords are password managers. Some operating systems come with one: Mac OS X ships Keychain, and Linux desktops have equivalents such as GNOME Keyring and KWallet, all of which keep track of your passwords for you while storing them encrypted.