Posts Tagged ‘password’

Massey University: out of touch with the real world

A policy on passwords like the one that Massey University has is worse than no policy at all.  Of course, when I was there, they forced students to have a four-digit number as their password, despite the fact that doing so violated their own policy, so I guess it’s expected that this will be ignored. Particularly bad parts: passwords should

Contain both upper and lower case characters [and] at least one digit and one punctuation character. 

Case sensitivity is a worthy goal, and it does increase the complexity of passwords considerably.  However, it’s also the easiest pitfall for inexperienced users, which the University is full of.  Requiring both a digit and a punctuation character is completely overboard.

Passwords must be changed from their initial default value the first time a new user logs in, and at least every six months thereafter.  

I understand why institutions require this, but I don’t agree with the reasoning.  In practice, what happens is that people rotate between passwords, or if that isn’t possible, they rotate between variants of the same password, which adds very little in security).

Passwords, or even the format of passwords, should not be shared with anyone 

Passwords, sure.  But the format!  I can’t recommend how someone might come up with a good password (as the policy itself does)?!?

The “Remember Password” feature of applications (e.g. Outlook) should not be used. 

Just plain stupid.  There are so many reasons this is stupid that it’s not even worth going into them.To be fair, Massey University undoubtably isn’t the only place (probably not even the only New Zealand university) to have a policy written by people completely out of touch with the real world, but that doesn’t make it any less embarrassing to be an alumnus.