Password policies

Someone in an organisation decides that people’s passwords aren’t secure enough. They implement a policy so that people are forced to change their passwords on a regular basis. People find that changing passwords is a pain so they work around the policy by using a ‘system’ when they change their passwords. Rinse. Repeat.

I just had a password change forced on me at a client’s site. No biggie, but they have a complex password policy, well, two, and they’re different. The Windows and Unix password policies are slightly different; both remember something like 10 previous passwords. Both insist on upper case, lower case and numbers. The Unix one insists on a minimum difference of 3 characters in the first 8.

Most of the guys in the office still have systems that get around the change with the least thought required. Seeing two of their previous passwords will likely allow you to guess the new one. The ones that don’t just have a page at the front of their notebooks with a list of words…
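To make the point concrete, here is an added example (my code, not anything from the client site) that models the two policies described above and feeds a couple of typical "systems" through them. Assumptions: "minimum difference of 3 characters in the first 8" is modelled as a position-by-position comparison of the first 8 characters against the previous password; the history depth is fixed at 10; the sample passwords (a `Password<n>` counter and a `<Mon>2010Pass` month rotation) are constructed for illustration.

```python
from typing import Callable, List, Optional

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
HISTORY_DEPTH = 10      # both policies remember "something like 10" previous passwords
UNIX_MIN_DIFF = 3       # Unix rule: at least 3 differing characters ...
UNIX_COMPARE_LEN = 8    # ... within the first 8 (assumed positional comparison)


def has_complexity(pw: str) -> bool:
    """Both policies: at least one upper-case, one lower-case and one digit."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def in_history(pw: str, history: List[str]) -> bool:
    """Reject exact reuse of any of the last HISTORY_DEPTH passwords."""
    return pw in history[-HISTORY_DEPTH:]


def positional_difference(a: str, b: str, length: int = UNIX_COMPARE_LEN) -> int:
    """Number of positions in the first `length` characters where a and b differ.
    Assumption: the Unix rule is a crypt(3)-style compare of the first 8 chars."""
    a, b = a[:length], b[:length]
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def windows_accepts(new: str, history: List[str]) -> bool:
    """Model of the Windows policy: complexity + no reuse from history."""
    return has_complexity(new) and not in_history(new, history)


def unix_accepts(new: str, history: List[str]) -> bool:
    """Model of the Unix policy: Windows rules + 3-of-first-8 difference from the last one."""
    if not windows_accepts(new, history):
        return False
    if not history:
        return True
    return positional_difference(new, history[-1]) >= UNIX_MIN_DIFF


def run_scheme(candidates: List[str],
               acceptor: Callable[[str, List[str]], bool]) -> List[bool]:
    """Feed a user's sequence of changes through a policy, building history as we go."""
    history: List[str] = []
    results = []
    for pw in candidates:
        ok = acceptor(pw, history)
        results.append(ok)
        if ok:
            history.append(pw)
    return results


def month_scheme(start: int, count: int, suffix: str = "2010Pass") -> List[str]:
    """One 'system': rotate a month prefix, keep everything else (constructed suffix)."""
    return [MONTHS[(start + i) % 12] + suffix for i in range(count)]


def guess_next(prev1: str, prev2: str) -> Optional[str]:
    """Attacker view: given two consecutive passwords from the month scheme, predict the next."""
    for i, m in enumerate(MONTHS):
        nxt = MONTHS[(i + 1) % 12]
        if prev1.startswith(m) and prev2.startswith(nxt):
            tail = prev1[len(m):]
            if prev2[len(nxt):] == tail:
                return MONTHS[(i + 2) % 12] + tail
    return None


if __name__ == "__main__":
    counter = [f"Password{i}" for i in range(1, 4)]
    print("Password1..3 on Windows:", run_scheme(counter, windows_accepts))
    print("Password1..3 on Unix:   ", run_scheme(counter, unix_accepts))
    print("Jan->Feb on Unix:", unix_accepts("Feb2010Pass", ["Jan2010Pass"]))
    print("Mar->Apr on Unix:", unix_accepts("Apr2010Pass", ["Mar2010Pass"]))
    print("Guess after Jan, Feb:", guess_next("Jan2010Pass", "Feb2010Pass"))
    print("Back to Jan after 11 rotations:",
          unix_accepts("Jan2010Pass", month_scheme(1, 11)))
```

Running it shows what the rules actually buy you: the Windows model accepts `Password1`, `Password2`, `Password3` in turn, while the Unix 3-of-8 rule rejects the counter because the first eight characters never change. The month rotation sails through both models for most pairs (the rule only trips on pairs like `Mar`/`Apr` that share a letter in the same position), a 10-deep history is defeated by a 12-month cycle, and `guess_next` recovers the next password from any two consecutive ones, which is the "seeing two previous passwords" problem in code.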

Given that, without the complex password change system, some people would have good passwords and some would have bad passwords, but with the complex system most people game the system or write down their passwords, I’m wondering if they’d be more secure without the complex system…