Trying To Force Strong Passwords Futile, Counterproductive

The almost daily reports of consumers and retail employees using either weak passwords or the same passwords in multiple places—or both—are being met with yawns by retail security executives. But the kneejerk response—forcing consumers and associates to be smarter about security—has had little effect, beyond being counterproductive.

For example, a company can automate rules for choosing passwords and require that they be changed periodically. But the stronger the password, the more it will fuel its own failure. Let's say the rules require that passwords be at least 11 characters long and include numerals, letters and non-traditional characters (&, %, |, @, #, ~, etc.). Add to that the requirement that no character or number be repeated and that each password must pass a dictionary search. Sure, you'll get a strong password, but you'll also almost guarantee that that password will be written near the computer in plain sight as well as typed into a desktop file in clear text. As Newton's IT director said, "To every password action, there is an equal and opposite stupid user reaction." This is the topic of this week's StorefrontBacktalk column on the McAfee security blog.
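To make the rule set above concrete, here is an added example (not code from the column or from McAfee) that implements exactly the policy the paragraph describes: minimum 11 characters, at least one numeral, one letter and one non-traditional character, no repeated character, and a dictionary check. The dictionary and the special-character set are constructed for the demo; a real deployment would load a large wordlist. The `keyspace_bits` helper is an extra, also added here, that shows one side effect of the "no repeats" rule: it slightly shrinks the space of allowed passwords rather than enlarging it, since every position after the first has fewer choices.

```python
import math

# Constructed, tiny dictionary so the example runs offline (assumption: a real
# policy engine would use a wordlist of hundreds of thousands of entries).
DICTIONARY = {"password", "welcome", "storefront", "letmein", "monkey"}

# "Non-traditional characters" as listed in the text, plus other common punctuation.
SPECIALS = set("&%|@#~!$^*()-_=+[]{};:,.<>?/\\")


def check_policy(password: str, dictionary=DICTIONARY) -> list[str]:
    """Return the list of rules the password violates (empty list = compliant).

    Rules are the ones described in the text: length >= 11, contains a numeral,
    a letter and a special character, no character repeated, and no dictionary
    word embedded in it (case-insensitive substring match).
    """
    problems = []
    if len(password) < 11:
        problems.append("shorter than 11 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no non-traditional character")
    if len(set(password)) != len(password):
        problems.append("repeated character")
    lowered = password.lower()
    if any(word in lowered for word in dictionary):
        problems.append("contains dictionary word")
    return problems


def keyspace_bits(alphabet_size: int, length: int, no_repeats: bool) -> float:
    """Bits of keyspace for passwords of a given length over an alphabet.

    With repeats allowed there are alphabet_size ** length candidates; with the
    no-repeat rule only the falling factorial alphabet_size * (alphabet_size-1)
    * ... remains, so the rule removes candidates instead of adding strength.
    """
    if no_repeats:
        if length > alphabet_size:
            return float("-inf")  # impossible to satisfy
        return sum(math.log2(alphabet_size - i) for i in range(length))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("Tr0ub&dXy!z", "password123", "Short1!"):
        print(f"{candidate!r}: {check_policy(candidate) or 'compliant'}")
    # 94 printable ASCII characters, 11 positions: compare the two keyspaces.
    print("free choice :", round(keyspace_bits(94, 11, False), 1), "bits")
    print("no repeats  :", round(keyspace_bits(94, 11, True), 1), "bits")
```

The checker reports every violated rule at once rather than stopping at the first, which is what a help-desk or self-service reset page needs in order to explain a rejection; the keyspace comparison is the kind of sanity check worth running before adopting any additional composition rule.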