• Relying on users to wipe out wimpy passwords??

    01 Feb 2010

    I just came across a Dark Reading piece by Adrian Lane on wiping out wimpy passwords. Adrian says that user training is needed so people know how to create strong passwords. I’m not picking on you Adrian however this has become a downright ridiculous approach, one that’s been proven time and again not to work.

    My take is if you have to set your users up for success and, therefore, have to MAKE them create strong passphrases. It’s as simple as enabling minimum password complexity policies in the OS and building in strong passphrase requirements within Web applications so that they don’t have the option to take the path of least resistance.

    Just like anti-lock brake systems in automobiles, circuit breakers in home electrical panels, and seat belt requirements on airplanes, we have to build in security controls that set our users up for success. Period. Unless and until we do, we’re going to continue having the same old ridiculous password issues we’ve always had.