I hate P@55w0rd policy and security questions

思然 oce
5 min read · May 23, 2018

In the old days, most people picked passwords that were easy to remember. Even nowadays, we still sometimes find end-users using simple passwords like asdf1234 or password during our password brute-force checks. There are also some seemingly very “creative” passwords, like fxxk<bossname>, ilove<private body parts>… But believe me, many people have been doing this, so it is not really that creative.

This is understandable but unacceptable. Since users tend to pick simple passwords no matter how well informed they are about the security threats in the virtual space, the best way to prevent users from using a simple password is by enforcing complex password rules.

So no more birthday or phone number, dictionary words, etc. The system will reject your password by telling you that “Your new password does not meet our criteria, please input a password with more than 8 characters, at least one symbol like #$%$%, not same as your previous 10 passwords, etc, etc, etc……..”

As an IT Auditor / IT Consultant, I loved to see this message: it implied my client had enforced a strong password policy, and hence less work for me. That lasted until one day this message popped up when I was changing my own company password.

Since then, picking a new password has become one of the most annoying tasks for me. Especially if you know me, you know how poor my memory is.

And to make things even worse, we have to change our password every 60 days. So by the time I start to remember my new password, I am almost due to pick a newer one.

Many users are smart enough to do a password rotation, say the first password is p@55w0rd11, then the second one would be p@55w0rd12, and so on.

Nice try. And I have been using this trick until some security experts suggested a new password policy which requires you to have at least 5 characters that do not exist in your previous password.
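As an added example (not code from the post), here is what such a policy check looks like when written out, using the rules the post mentions: more than 8 characters, at least one symbol, not equal to any of the previous 10 passwords, and at least 5 characters absent from the previous password. Reading that last rule as a character-set comparison is an assumption; it is what makes the p@55w0rd11 → p@55w0rd12 rotation fail.

```python
import string

MIN_LENGTH = 9       # "more than 8 characters"
HISTORY_DEPTH = 10   # "not same as your previous 10 passwords"
MIN_NEW_CHARS = 5    # "at least 5 characters that do not exist in your previous password"
SYMBOLS = set(string.punctuation)


def new_character_count(candidate: str, previous: str) -> int:
    """Count characters of `candidate` (with multiplicity) that never occur in `previous`.

    Assumed interpretation of the rule: a character-set comparison, so
    p@55w0rd11 -> p@55w0rd12 contributes only the '2'.
    """
    prev_chars = set(previous)
    return sum(1 for ch in candidate if ch not in prev_chars)


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the rule violations for `candidate`; an empty list means accepted.

    `history` is ordered oldest to newest; only the last HISTORY_DEPTH entries count.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in SYMBOLS for ch in candidate):
        problems.append("no symbol character")
    recent = history[-HISTORY_DEPTH:]
    if candidate in recent:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if recent:
        fresh = new_character_count(candidate, recent[-1])
        if fresh < MIN_NEW_CHARS:
            problems.append(
                f"only {fresh} character(s) absent from the previous password "
                f"(need {MIN_NEW_CHARS})"
            )
    return problems


# Constructed sample history: the rotation trick from the post.
SAMPLE_HISTORY = ["p@55w0rd11"]

if __name__ == "__main__":
    for pw in ["p@55w0rd12", "asdf1234", "Tr1cky#Whale"]:
        print(pw, "->", check_password(pw, SAMPLE_HISTORY) or "accepted")
```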

Sometimes I even think there could be a conspiracy on this “password policy”. Maybe this is a way to consume human brainpower. Maybe something is collecting our brain wave for other purposes. (Maybe I watched too much X-files.)

PhD | Research Psychologist | Psychometrician | Computer Science Teacher | IT Auditor/Consultant | ex-CISA/CISSP | Top Writer in Humor | Work in HK, UK, USA