In a wondrous attempt to increase security, more and more vendors are now requiring me to choose passwords of many characters with mixed case, numbers and punctuation. My bank does one better, where I have five different question/answer combinations they ask, then once I’ve passed their quiz, they display an image that I’m supposed to recognize as the “right” image. Plus, everyone wants me to change my password every 30 days.

This is a great example of security professionals gone brain-dead. Yeah, if my bank were the only website in the world that I used, there’s a slim chance I might be able to remember all that. But they’re not the only one. Every credit card company, insurance company, and bank account has a web login. Not to mention commerce sites, Amazon, eBay, etc.

When you put all that together, it’s very quick to see that the only way a sane human can possibly cope with five challenge/responses plus a mixed-case password that changes monthly is to write the whole thing down and keep it around.

The result? Far less security than before! Because all a thief has to do is find someone’s 50-page notebook of current passwords and voila–all security gets compromised in one easy step.

Security geeks: chill out. You’re undermining your own cause by going for theoretical purity and ignoring the way real people behave in the real world. Let me choose something that’s hard to guess, but easy to remember. Like my mother’s favorite record album in French, spelled backwards. And let me keep the password long enough to memorize it. The current high-security practices, alas, fail miserably.

When is password security not security?
