Passwords
Scott Pfitzinger
This consultant is working on a Web development project for a client,
and he's also got a nontechnical intern to keep busy. Fortunately,
that's a solution, not a problem.
"Part of the project included setting up about 150 user accounts for
the client's customers to log in to a secure portion of the site and
download their reports," says the consultant.
"Setting up 150 user accounts seemed like a simple enough job, would
keep our intern busy and took a task off my plate. I gave him a list
of usernames and showed him how to set up accounts on the server."
In fact, he gives the intern some further guidance. From past
experience, he knows that passwords consisting of random letters and
numbers make security gurus happy but drive users crazy -- either
users can't remember the gibberish passwords or they constantly
mistype them.
He explains all this to the intern and instructs him to create
passwords that consist of a word from the dictionary, followed by two
or three digits.
Next day, the consultant checks with intern to make sure the job is
complete. The intern shows him the list of passwords. And sure enough,
he's done exactly what the consultant suggested -- with one extra
twist.
"Rather than creating passwords like 'book345' or 'house57,' he
instead found a list of the 200 most commonly misspelled words to
generate the passwords," the consultant groans.
"Being under a tight deadline, there was no time to create new
passwords and test them. So we launched the Web site and gave the
users their passwords. As expected, we fielded numerous support calls
from users trying to enter passwords such as 'accommodate85' and
'asphyxiate33.' "