“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” is how xkcd puts it*. That’s probably why people don’t change their passwords unless someone forces them to, which is the unsurprising finding emanating from a PayPal-sponsored …
"Slack" goes beyond the password
Hardly much bloody use getting all finger waggy over the severity of passwords when an increasing number of sites absolutely insist on punters adding a "security answer" to a ridiculously limited number of questions. While many of us on here might have mothers with unusual maiden names such as "QwY&iJqG7£wO2c", the majority will just tell it like it is, putting the security bit in the "chocolate teapot" category. At least give the clued up among us the option not to waste our time with this.
Surely the best easy method is...
...the one where you think of an easily-memorable phrase, use the first letter from each word in the phrase and then just sub in the odd number, symbol, and capital letter.
So I might wonder "Why does posting anonymously mean I get stuck with the V icon?" Easy to remember, but hard to crack the password thus derived - "Wdpam1gswtVi?"
Not a fabulous long-term solution to the password problem, but a pretty decent compromise nonetheless, no?
Corporate culture often the culprit
Some managers *insist* that the workers under their charge supply the manager with any passwords related to work; and then store them conveniently in an Excel spreadsheet. Such managers cannot understand that if the passwords of co-workers can be easily known; that there is no individual accountability amongst the workers.
If something goes wrong, then the manager has to wear the consequences.
It is beyond their comprehension that competent computing system admnistrators don't need to know the user's passwords. And it is beyond many corporate IT departments to establish mechanisms so that the need to know information can be satisfied without losing track of who did what.
There's a thick-headed "not my problem" issue with management at all levels regarding data security and the consequences of impersonation. They care not to understand. At the highest level, executives employ "security consultants" to find that there isn't a problem. That is the mission of the consultant. To find no problem. (The post-It notes stuck to the edge of the monitor disappear under the keyboard or mouse-mat during any well-publicised "audit".)
Paris; because that's the attitude.
Hmm, been there.
I remember some years ago when a shiny, new passord policy came out, mandating a capital letter and a number.
I helpfully pointed out that we were a mixed environment in which many systems still only accepted 8 character passwords and that users are lazy SOBs who prefer to use just the one. Thus, what they'd effectively just mandated was a seven character dictionary word, with the first letter capitalised and a number tagged on the end. I also opined that said number would usually be zero or one.
The number of red faces around the table when I trotted that out was a joy to behold.