Breaking bad password culture

Yesterday I was in a committee meeting, and I had an action item to create a password for a resource that only the committee would access. The password I created consisted of four random words separated by whitespace; a total of 22 characters. This was my foray into an institutional lesson on length vs. complexity.

The reaction was immediate - everyone who was vocal about it hated it. It was astonishing that because this password did not conform to their expectations - that it would be shorter, with (likely) an illusion of complexity - they were immediately and passionately dismissive. I attempted to plead a case - if I told you the password was going to be 22 random characters long, would you have any hope of remembering it? No - we would write it down, like we're going to do with the one you just gave us. Lost, I guess, was the notion that the password I created actually has a chance of being memorized.

My intention then was to use this simplistic passphrase example and massage the complexity over time, such that we reach a point where the idea becomes more natural and reflexive. We are a very old institution, and this password culture runs very deep. We have to start very, very slow. So this first bite of the apple cannot jump directly to the desired end state.

I guess I hoped for a more positive initial reaction, but was taken aback at how fiercely opposed some would be that I had not opted for the traditional password security theater. That instead of openness to a new, fresh approach, there would be instinctive and unfounded reluctance.

If anyone has helpful anecdotes or approaches I'd love to have them shared.
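To put numbers on the length vs. complexity argument in the post, here is an added example (it is not the poster's code and the post does not contain any). It assumes a Diceware-style list of 7776 words, the 95 printable ASCII characters for "random character" passwords, and a hypothetical offline guessing rate of 10^9 guesses per second; the embedded word list is a constructed sample used only to show generation with `secrets`, while the entropy figures use the assumed 7776-word list size. It goes one step beyond the post by also showing the 8-character random password the four-word passphrase is roughly equivalent to, since an attacker who knows the word list sees four word choices, not 22 independent characters.

```python
import math
import secrets

# Constructed sample word list for demonstration only; a real
# Diceware-style list has 7776 entries (assumption for the entropy math).
SAMPLE_WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "fable", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
]
DICEWARE_LIST_SIZE = 7776   # assumed size of the full word list
PRINTABLE_ASCII = 95        # printable ASCII characters, space included
GUESSES_PER_SECOND = 1e9    # hypothetical offline cracking rate


def generate_passphrase(words, n_words):
    """Pick n_words uniformly at random from words, whitespace separated."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n_words chosen uniformly from a list the attacker knows."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(charset_size, length):
    """Entropy of `length` characters chosen uniformly from a charset."""
    return length * math.log2(charset_size)


def expected_guesses(bits):
    """On average an attacker finds the secret after half the keyspace."""
    return 2 ** (bits - 1)


def seconds_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    return expected_guesses(bits) / guesses_per_second


def compare():
    """Return the three cases from the post side by side (bits, seconds)."""
    four_words = passphrase_entropy_bits(DICEWARE_LIST_SIZE, 4)
    random_22 = password_entropy_bits(PRINTABLE_ASCII, 22)
    random_8 = password_entropy_bits(PRINTABLE_ASCII, 8)
    return {
        "four random words (22 chars)": (four_words, seconds_to_crack(four_words)),
        "22 random characters": (random_22, seconds_to_crack(random_22)),
        "8 random characters": (random_8, seconds_to_crack(random_8)),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for label, (bits, secs) in compare().items():
        print(f"{label:30s} {bits:6.1f} bits  ~{secs / 86400 / 365:.2e} years")
```

The point the numbers make is the one the post is arguing: the four-word passphrase carries about the same entropy as an 8-character fully random password (both around 52 bits), yet is far more likely to be memorized than written down; adding a fifth or sixth word buys roughly 13 bits each, which is how the "massage the complexity over time" plan scales. Counting the passphrase as 22 random characters would overstate it by almost 100 bits, so the honest comparison is words against words, not characters against characters.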