/ BLOG / Importance of a good pass phrase policy, and a lesson in humility

This early evening I made a mistake. It was a user mistake. I’m ashamed to admit it, but in my defence it’s been a long day and I’ve been driving and doing stuff for my older relatives, so I’m feeling a bit beat.

Basically what I did was type in a passphrase, into what I thought was a particular application, but actually I had a different one selected. This selected application was Adium, and the window selected was to one of my mates. This sort of mistake can happen to anyone; not just users, but admins as well. As much as I trust the mate in question, I can’t take the risk, especially since it was over a public network.

This actively demonstrates the importance of having distinct passwords for each application and service, and just why each service should have a set of distinct rules for the complexity of a password. I follow this rule ridiculously - many of my passwords are randomly generated, whereas the one in question was not (and I’d been meaning to change it for quite some time - so this had done me a favour). Immediately it was changed and I was safe, although feeling very, very, very, very, very stupid.

So, whilst it may be convenient to use the same account details, it’s not a very wise idea at all. This will be one story I’ll use in the future to explain why a good password policy is important to our customers and clients, at work. After all, users will love an idiot moment from one of their [mostly] infallible admins, and it’s unlikely that they’ll forget it (however, at the end of the day, we’re all human).

However, this kind of leads me on to a little rant. Why on earth, in this day and age, do some services still email your password, if you use the “I’ve forgotten it” facility? This means one of two things:

  1. They store it in plain text
  2. They store it in reversible encryption (i.e. not a hash)

I would’ve thought that people would’ve learnt by now. Apparently not.
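As an added illustration of the point above (example code, not from the original post), this is what the hash-based alternative looks like: the service keeps only a salted PBKDF2 hash, so it can verify a login but can never email the passphrase back, and the “forgotten it” facility has to issue a one-time reset token instead. The user record, the passphrase and the iteration count are all constructed for the example; it relies only on the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Iteration count chosen for the example; tune to your hardware budget.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted PBKDF2-HMAC-SHA256 record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def recover_password(stored: str) -> Optional[str]:
    """A hash is one-way: nothing here can give the passphrase back.
    A service that emails you your password cannot be storing it this way."""
    return None


def issue_reset_token() -> tuple:
    """'Forgotten it' flow: mail the token, store only its hash."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def redeem_reset_token(presented: str, stored_hash: str) -> bool:
    """Valid only if the hash of what was presented matches the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed user
    print(verify_password("correct horse battery staple", record))  # True
    print(recover_password(record))  # None: cannot be emailed back
```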

So here I am, publicly admitting that I’m a dick, but proving the point and success behind a good passphrase policy (you don’t have to be a company to have a policy). Now, if you’ll excuse me, this paranoid, obsessive, control freak is going to obsess and triple check each account! Again. And again. And again. Argh.