I hate the Novell password policy so much. It’s a well-intentioned but fatally flawed policy, and the flaw is self-evident as soon as one encounters it the first time, let alone the fifth. It inherently fosters some very insecure practices that would have become very obvious had there been any user testing on it at all.
The problem essentially is that they make you change it at all, but particularly so often. Passwords expire every 90 days. But you start getting reminders about how your password is going to expire 30 days before, so really you have 60 days. The password they want is long, with a variety of types of characters — which is good for security, no question — but these two things compounded means that you essentially have a random password of 8 or more characters that you have to remember for 60 to 90 days.
I have this weird thing for trivia. I can retain these totally useless facts, like that Paavo Nurmi (probably sic) was known as “The Flying Finn” for his track and field domination, or that Uzbekistan and Liechtenstein are the only two doubly-landlocked countries in the world. It makes me wonder if there is a finite amount of storage space in my brain and whether retaining these facts pushes out pleasant childhood memories. But anyway, for whatever reason, I suck at remembering ten-digit phone numbers unless I make a conscious, repetitive effort. Along the same lines, I also find remembering long passwords with random characters quite difficult.
So what I end up doing — and I know that a lot of others around the office do the same thing — is committing the Number One Cardinal Sin of Passwords:
I write them down.
Sometimes on a post-it note that gets attached to my monitor, sometimes in a file on my machine, these days in a Tomboy note. Yeah, eventually I memorize them, but that takes time and I can’t take the chance of forgetting my password when I no doubt absolutely need it at 3 am. I’ve jeopardized security because there’s now a record of my password somewhere in the physical world that someone could conceivably, although unlikely, get to. If I were still using my first password, which I’d never written down or told anybody or used anywhere else, the only place it would exist other than the system itself is in my head, where no one can get to it. (Aside: if you have an invention where you can read other people’s minds, please email me, I am interested in subscribing to your newsletter.)
By changing my password, have I really acted in the best interests of protecting Novell’s security and intellectual property? I think not.
Then there’s the issue of convenience. I haven’t used the whole stack of services in the Windows world, but in Linux we definitely don’t have the whole single sign-on thing yet. I have to type my password in the browser whenever I log into the intranet, into Gaim when I’m using GroupWise Messenger, into Evolution whenever I send or receive mail, into the iFolder client, etc. Now, because we’re living in the 1990s, each of these apps can remember my password, but I have to go through and type it into every one of them the first time I use them after I change my password. For services that I don’t use very frequently, like iFolder, I have to remember sometimes weeks down the line that the reason my password is being rejected is that I changed it some time ago. How irritating.
But wait, there’s more! The authentication services for Ximian, SUSE, and Novell aren’t all tied together quite yet, and because I can’t remember a million different passwords I tend to use the same one for all three. So whenever I change my Novell password, I have to remember to go and change them in the Ximian and SUSE systems. Yay.
If they’d just let me keep “a1batr0$$” in the first place this wouldn’t be such a big deal.