
The Absurdity of Corporate Password Security Policies

A blog about business and economics.
Aug. 5 2013 12:33 PM


My password to the Washington Post Company's intranet recently expired, so I was prompted to come up with a new one. As I usually do, I had the handy app 1Password generate a random 10-character alphanumerical string—fPCxHn6Z2G.

That got rejected as insufficiently secure. You see, it didn't use any special symbols! And everyone knows special symbols are the key to password security. So I tried M@tthewYg1esias instead. That worked. After all, it's got upper and lowercase letters, a number, and a symbol. No hacker could ever crack that kind of security. Now fortunately it was easy enough to have 1Password churn out a string that was both actually secure and that fit the corporate policy. But it's a potent sign of how dumb we continue to be about passwords. What's even stranger in this case is that the company's official training materials about password security are actually quite good, and it shows that on some level the firm clearly has a strong grasp of information security procedures. It's just not in any way aligned with the actual way the company operates.

Matthew Yglesias is the executive editor of Vox and author of The Rent Is Too Damn High.
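
The gap the post describes, as an added example that is not part of the original post: a composition rule of the kind described rejects the random string and accepts the name-based one, while a check that folds look-alike substitutions and compares against the account holder's name flags the latter. The exact rule, the minimum length of 8, and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed reconstruction of the rule described in the post: mixed case,
# a digit and a symbol. The minimum length of 8 is a guess.
def composition_policy(pw, min_len=8):
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

# Fold common look-alike substitutions into one canonical letter so that
# "Yg1esias" and "Yglesias" compare equal ('1', '!', '|', 'i' all become 'l').
_FOLD = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "$": "s",
                       "5": "s", "1": "l", "!": "l", "|": "l", "i": "l"})

def _canon(text):
    folded = text.lower().translate(_FOLD)
    return "".join(c for c in folded if c.isalnum())

def derived_from_identity(pw, identity_tokens):
    """True if the password contains any identity token after folding."""
    canon_pw = _canon(pw)
    return any(_canon(t) in canon_pw for t in identity_tokens if len(t) >= 3)

def random_entropy_bits(length, alphabet_size):
    """Entropy of a string whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def generate_compliant(length=16):
    """Random string that also passes the composition rule (resample on miss)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if composition_policy(pw):
            return pw

if __name__ == "__main__":
    user = ["Matthew", "Yglesias"]          # identity tokens for the account
    for pw in ["fPCxHn6Z2G", "M@tthewYg1esias", generate_compliant()]:
        print(pw, composition_policy(pw), derived_from_identity(pw, user))
    print(round(random_entropy_bits(10, 62), 1), "bits for 10 random alphanumerics")
```

The entropy figure applies only to strings drawn uniformly at random; it says nothing about a password a person chose.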
