Wednesday, March 16, 2005
But my soft-hearted empathetic inner child (it must be there somewhere) feels for those who can't remember their passwords. And my common-sensical self connects with this observation:
[T]he logical conclusion of most strong password policies ... is that passwords should be impossible to remember and should never be written down.
And my jargon fascination doppelganger digs the lingo: risk homeostasis, danger compensation, risk-offsetting behavior, perverse compensation. Might I suggest a new term? Lazyasses.
Somehow, the world's ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?
The obvious answer: the stronger and more complex the password scheme, the lazier and more technically incompetent the security system administrator.
Not to disagree with your apparent disdain of strong passwords, but the ATM also requires physical possession of the bank card. That adds considerably to the security of the situation. I also use a 4-digit PIN to login to my corporate accounts from home, but that is supplemented by an RSA SecurID token.
I believe Bruce Schneier (Cryptogram) talks about three concepts in security: something I am (fingerprints, retinal scans, etc.), something I know (password), something I have (ATM card, SecurID token). Using more than one of these increments the security level of the system. A normal login only uses one - the password. An ATM transaction uses two - the card and the PIN.
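To make the commenter's point concrete, here is an added example (not code from the post or its commenters) of a toy ATM-style verifier: a "something you have" check (a card that answers a challenge with a secret only it holds) in front of a "something you know" check (a hashed four-digit PIN with a lockout after a few failures). The class and function names, the three-attempt lockout threshold and the sample PINs are all assumptions made for the illustration. It shows why a low-entropy PIN is adequate in that setting: without the card, the PIN is never even tested, and with the card, guessing is capped at a handful of tries.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption for this toy: lock the account after three wrong PINs,
# roughly how ATMs behave. The real threshold varies by bank.
MAX_ATTEMPTS = 3


class Account:
    """Server-side record: salted PIN hash, card secret, lockout state (constructed example)."""

    def __init__(self, pin: str, card_secret: Optional[bytes] = None):
        self.salt = os.urandom(16)
        # Store only a salted, stretched hash of the PIN, never the PIN itself.
        self.pin_hash = self._hash_pin(pin)
        # The card holds a secret the bank can verify; that is the
        # "something I have" factor in this model.
        self.card_secret = card_secret or secrets.token_bytes(32)
        self.failed_attempts = 0
        self.locked = False

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def card_response(self, challenge: bytes) -> bytes:
        """What a genuine card computes when the terminal challenges it."""
        return hmac.new(self.card_secret, challenge, "sha256").digest()


def authenticate(acct: Account, pin: str, challenge: bytes, response: bytes) -> bool:
    """Two-factor check: possession (card response) first, then knowledge (PIN)."""
    if acct.locked:
        return False
    # Factor 1: possession. A wrong card response is rejected before the
    # PIN is looked at, so a stolen PIN alone gets nowhere.
    if not hmac.compare_digest(acct.card_response(challenge), response):
        return False
    # Factor 2: knowledge. Every wrong PIN counts toward the lockout.
    if not hmac.compare_digest(acct._hash_pin(pin), acct.pin_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
        return False
    acct.failed_attempts = 0
    return True


def guessing_success_probability(pin_digits: int, attempts: int) -> float:
    """Chance that someone holding the card guesses the PIN before lockout."""
    space = 10 ** pin_digits
    return min(attempts, space) / space


def simulate_guessing(acct: Account, challenge: bytes, response: bytes,
                      max_guesses: int = 10_000) -> tuple:
    """Try PINs 0000, 0001, ... against the verifier; return (success, guesses_made)."""
    for n in range(max_guesses):
        if authenticate(acct, f"{n:04d}", challenge, response):
            return True, n + 1
        if acct.locked:
            return False, n + 1
    return False, max_guesses


if __name__ == "__main__":
    acct = Account("4242")
    challenge = os.urandom(16)
    print("card + right PIN:", authenticate(acct, "4242", challenge, acct.card_response(challenge)))
    print("no card, right PIN:", authenticate(acct, "4242", challenge, b"\x00" * 32))
    victim = Account("9999")
    print("card but guessed PINs:", simulate_guessing(victim, challenge, victim.card_response(challenge)))
    print("success probability with lockout:", guessing_success_probability(4, MAX_ATTEMPTS))
```

The ordering matters: possession is verified before the PIN hash is computed, so an attacker without the card never consumes PIN attempts or learns anything, and an attacker with the card gets at most `MAX_ATTEMPTS` guesses out of 10,000 before the account locks. The same four digits used as a password on a network login with no possession factor and no lockout would have neither protection.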
As long as I can keep my disdain, I'll bow to your superior knowledge.