We recently had a new password policy implemented at the office. We changed from an 8-character complex password (3 of 4 classes: letters, numbers, capitals, special characters) to 16-character simple passwords.
DFUs kept forgetting their passwords or typing them wrong and locking themselves out. I really wonder if the stats have changed and the number of unlock/reset requests has dropped. As an admin it is really frustrating having to type 16-character passwords in everywhere. On a daily basis I will log into a number of different servers as well as set up new services and applications, all requiring authentication. On an odd day I could easily see myself authenticating a few hundred times.
The irony of the whole situation is that admin/super-user passwords have actually become even simpler. Where previously we would use something like "~@dm.5vc!", we now use something like "passwordpassword". The most common password (even for admins) appears to be "1234567890asdfgh". The kicker to my whole story is that we actually had a 3rd-party auditing firm (KPMG, I believe) recommend this as part of our "security" audit.
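As an added illustration (my own code, not part of the original policy, the audit recommendation, or any product): the screen that a length-only policy is missing. A 16-character minimum on its own happily accepts "passwordpassword" and "1234567890asdfgh"; the checks below reject the obvious patterns (repeated blocks, keyboard walks, denylisted words) and then let a real passphrase through. The denylist and keyboard rows are constructed for the example, and `MIN_LENGTH = 16` is an assumption taken from the policy described above; a production deployment would swap the toy denylist for a breached-password corpus.

```python
"""Screen passwords under a length-only policy.

Illustrative code added for this post. The denylist and keyboard rows
are constructed examples, not a production wordlist.
"""
from __future__ import annotations

MIN_LENGTH = 16   # assumption: the 16-character minimum from the new policy
RUN_LENGTH = 6    # keyboard/alphabet walks this long or longer are flagged

# Constructed denylist; a real deployment would load a breached-password
# corpus instead of a hand-picked set.
DENYLIST = {"password", "letmein", "welcome", "qwerty", "admin", "changeme"}

# Constructed keyboard rows plus the alphabet; walks are checked in both directions.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz"]


def repeated_unit(password: str) -> str | None:
    """Return the shortest block whose repetition spells the password, or None.

    "passwordpassword" -> "password", "abcabcabc" -> "abc".
    A string is periodic iff it occurs inside (s + s) at an offset
    between 1 and len(s) - 1; that offset is the period.
    """
    if len(password) < 2:
        return None
    idx = (password + password).find(password, 1)
    if idx < len(password):
        return password[:idx]
    return None


def keyboard_walk(password: str, run: int = RUN_LENGTH) -> str | None:
    """Return the first `run`-character chunk that follows a keyboard row
    or the alphabet forwards or backwards, else None."""
    lowered = password.lower()
    sequences = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    for start in range(len(lowered) - run + 1):
        chunk = lowered[start:start + run]
        if any(chunk in seq for seq in sequences):
            return chunk
    return None


def denylisted(password: str) -> bool:
    """True if the password, its letters-only form, or the block it repeats
    is a denylisted word, so "password1!" and "passwordpassword" both match."""
    lowered = password.lower()
    candidates = {lowered, "".join(c for c in lowered if c.isalpha())}
    unit = repeated_unit(lowered)
    if unit:
        candidates.add(unit)
    return any(c in DENYLIST for c in candidates)


def screen(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons a password fails the screen; empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    unit = repeated_unit(password)
    if unit is not None:
        reasons.append(f"repeats the block {unit!r}")
    walk = keyboard_walk(password)
    if walk is not None:
        reasons.append(f"contains keyboard/alphabet run {walk!r}")
    if denylisted(password):
        reasons.append("matches denylist")
    return reasons


if __name__ == "__main__":
    # The post's own examples plus one passphrase that should pass.
    for pw in ["~@dm.5vc!", "passwordpassword", "1234567890asdfgh",
               "correct horse battery staple"]:
        verdict = screen(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The point of running all four checks rather than stopping at the first is that the rejection message can tell the user exactly which habit to drop; the old "3 of 4 classes" rule never caught "~@dm.5vc!" either, because composition rules measure the wrong thing.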
This post is sponsored by companies who follow “best-practices”.