simont wrote 2012-01-03 09:38 am

Forgot my password!

I got into the office today after a relaxing holiday of three weeks (plus yesterday) and found, embarrassingly, that I couldn't remember my work password any more. I could remember a password, but I was pretty sure it was the one from before my most recent change, and it certainly didn't work when I tried it.

I can't believe that. First password I've forgotten in over a decade, surely. I had to go and queue outside the IT helpdesk room like a gormless student.

I had a brief moment of hope when I got back to my desk and found the new password didn't work either. ‘Aha!’ I thought, ‘perhaps the password I'd remembered was right after all, and it's just my desktop computer that's confused.’ But no; after some more faffing, it turned out that password changes are just propagating slowly this morning and I had forgotten my original password after all.

It's at moments like this I feel that companies ought to have a mechanism whereby you can turn round and go home and back to bed, on the basis that you're likely to do more harm than good if you continue trying to do work.

cartesiandaemon.livejournal.com 2012-01-03 10:20 am (UTC)
:) Oh dear. I don't think I've forgotten a password I use regularly (I obviously forget all the time passwords I knew I'd never remember), but it's only a matter of time.

In fact, if I'm forced to use a regularly changing password, I usually use a root and a stem, where there's some pattern to the stem but still a lot of flexibility, enough that it should be about as good as a password unless someone narrows the search space manually. I'm not sure if that's a good idea: the downside is that if someone cracks a previous password list AND wants to crack my password specifically and looks at it manually, guesses what's the stem AND spends a bit of time brute forcing the new stem, it's less secure, but has the advantage that I don't forget it.

I'm inclined to think that's a good trade-off -- I don't think that's really the weakest point in most systems I see. But I know some people think everyone should be able to memorise a new ten digit non-alphanumeric password every three months for the rest of their life for every system they use, so I'm not sure. (I wonder if there could be a claim under the age or disability discrimination legislation: if someone has a medical condition that makes memorising new passwords harder, or simple old age, and they can get experts to testify that something else is better than refreshing passwords like that, could they refuse to do it?)