|
Reads like you are trying to argue for abstinence only education here. The reality security must operate in is that the best security policies are those that people don't circumvent. If people have to resort to sticky notes, sharing credentials, scripts that automatically update a file containing a plaintext credential, or what have you, odds are that security has massively fumbled the ball. Keep in mind this is already intuitive enough for everyone, even the security minded, within some set of social and or professional norms. No one uses one time pads for common password based authentications, nor do they rotate passwords daily, nor do they require 64+ characters. We don't do this because its obvious to everyone that business would be too great, and people simply would not comply. Many security teams seem interested in pushing that boundary as far as they can without regard to what the probability density function of compliance actually looks like. I say this as my password for Nationwide Children's Hospital has officially become the first password to cross that line for me, and now lives in a paper notebook. Forced reset, 2FA mandated, requiring 15 characters, upper, lower, number, and special char (but only a subset of special chars). Maybe its overkill that the place I go to fill out questionnaires about baby poop, has minimum password requirements such that the entire world's computer would take over 10,000 years to crack. |