Wednesday, March 16, 2005


I've always been able to remember numbers pretty well (it's names and faces I have difficulty with), but I recognize that this is the reverse of the common lot. Until recently, my peculiar memory was more of a liability than a help: phone numbers don't get insulted if you have no idea what they are. Now my ability to remember nonsensical passwords spares me minutes of frustration each day and my kids' friends couldn't care less if I remember who they are as long as I produce lunch and snacks as needed.

But my soft-hearted empathetic inner child (it must be there somewhere) feels for those who can't remember their passwords. And my common-sensical self connects with this observation:
[T]he logical conclusion of most strong password policies ... is that passwords should be impossible to remember and should never be written down.

Somehow, the world's ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?

The obvious answer: the stronger and more complex the password scheme, the lazier and more technically incompetent the security system administrator.
And my jargon fascination doppelganger digs the lingo: risk homeostasis, danger compensation, risk-offsetting behavior, perverse compensation. Might I suggest a new term? Lazyasses.


Not to disagree with your apparent disdain of strong passwords, but the ATM also requires physical possession of the bank card. That adds considerably to the security of the situation. I also use a 4-digit PIN to login to my corporate accounts from home but that is supplemented by an RSA SecurID token.

I believe Bruce Schneier (Cryptogram) talks about three concepts in security: something I am (fingerprints, retinal scans, etc.), something I know (password), something I have (ATM card, SecureID token). Using more than one of these increments the security level of the system. A normal login only uses one - the password. An ATM transaction uses two - the card and the PIN.

By Anonymous Thomas Pfau, at 10:26 AM  
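The two-factor point in the comment above, worked through as an added example (this is not code from the post or from the commenter): a toy verifier that accepts a transaction only when both a card-held secret (something you have) and a 4-digit PIN (something you know) are presented, plus a guessing simulation showing why a PIN space of only 10,000 values is survivable when the card is required and failed attempts are capped. The card secret, the PIN, the keyed-hash construction and the attempt limit are all assumptions made for the illustration; real ATM networks verify PINs with hardware security modules and bank-held keys, not with this scheme.

```python
import hashlib
import hmac

# Constructed sample values for the example (not real card data).
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # "something you have"
PIN = "4721"                                                      # "something you know"


class PinVerifier:
    """Toy two-factor check: the PIN is only meaningful in combination with the card secret.

    The verifier stores HMAC(card_secret, PIN) rather than the PIN itself, so a correct
    PIN presented with the wrong card (or vice versa) never matches. Failed attempts are
    counted and the account locks after max_attempts (an assumed policy, not from the post).
    """

    def __init__(self, card_secret: bytes, pin: str, max_attempts: int = 3) -> None:
        self.pin_tag = hmac.new(card_secret, pin.encode(), hashlib.sha256).digest()
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def verify(self, presented_card_secret: bytes, presented_pin: str) -> bool:
        """Return True only if both factors are correct and the account is not locked."""
        if self.locked:
            return False
        tag = hmac.new(presented_card_secret, presented_pin.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.pin_tag):  # constant-time comparison
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.locked = True
        return False


def make_verifier(max_attempts: int = 3) -> PinVerifier:
    """Build a verifier for the constructed card/PIN pair."""
    return PinVerifier(CARD_SECRET, PIN, max_attempts)


def simulate_guessing(verifier: PinVerifier, card_secret: bytes) -> tuple[bool, int]:
    """Walk every 4-digit PIN against the verifier with the given card secret.

    Returns (succeeded, attempts_made). Used here to measure how far the attempt
    limit and the possession factor cut down an exhaustive 10,000-value search.
    """
    attempts = 0
    for n in range(10_000):
        if verifier.locked:
            break
        attempts += 1
        if verifier.verify(card_secret, f"{n:04d}"):
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    print("card + PIN:", make_verifier().verify(CARD_SECRET, PIN))
    print("card only, 3-attempt limit:", simulate_guessing(make_verifier(3), CARD_SECRET))
    print("card only, no practical limit:", simulate_guessing(make_verifier(10_000), CARD_SECRET))
    print("PIN only (wrong card):", simulate_guessing(make_verifier(10_000), b"not-the-card"))
```

With the constructed values, the correct card and PIN succeed; exhaustive guessing with the card but a 3-attempt limit locks the account after 3 tries; with no practical limit the PIN falls on the 4,722nd try; and without the card every one of the 10,000 PINs fails. That is the whole argument in the comment: the 4-digit PIN is weak on its own, and it is the possession factor plus the attempt cap that make the scheme workable.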

As long as I can keep my disdain I'll bow to your superior knowledge.

By Blogger ELOISE, at 9:22 AM  
