For the last year, when I log into FirstClass[1], I get a box prompting me to change my password. Unfortunately, the application doesn’t accept my old password. The fix? Ignore it; hitting cancel closes the box and I’m on my way.
It turns out this thorn in the side of system admins might not be so bad after all. From a recent Microsoft Research[2] study, as described by the Boston Globe:
… redoing [passwords] is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
It is important to note that the study’s primary consideration is the collective amount of time employees spend routinely changing their passwords:
“A lot of advice makes sense only if we think user time has no value,” [Cormac Herley] said.
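To make Herley’s timing argument concrete, here is a small model written for this post (it is not from the study or the Globe article, and its numbers are made up for illustration). It assumes a fixed rotation period, a theft that lands at a uniformly random point in that period, and an attacker who uses the stolen password after a fixed delay; under those assumptions it reports the fraction of stolen passwords that are still valid when the attacker tries them, both by simulation and in closed form, and puts a rough person-hours figure on the cost side of the trade-off.

```python
"""Toy model of the password-rotation argument: a forced change only defeats an
attacker who sits on a stolen password longer than the time left until the
next rotation. Added illustration, not code from the study or the blog post."""
import random


def fraction_still_valid(rotation_days, attacker_delay_days, trials=100_000, seed=1):
    """Monte Carlo estimate. The theft happens at a uniformly random point in
    the current rotation cycle; the credential is tried attacker_delay_days
    later. Returns the fraction of thefts where the password is still valid
    when used (assumed model, not data from the study)."""
    rng = random.Random(seed)
    still_valid = 0
    for _ in range(trials):
        theft_at = rng.uniform(0, rotation_days)            # days into the cycle
        if theft_at + attacker_delay_days < rotation_days:  # used before next change
            still_valid += 1
    return still_valid / trials


def fraction_still_valid_exact(rotation_days, attacker_delay_days):
    """Closed form of the same model: max(0, 1 - delay / period).
    A delay of zero (the crook uses the key right away) gives 1.0, i.e.
    rotation changes nothing."""
    return max(0.0, 1.0 - attacker_delay_days / rotation_days)


def user_hours_per_year(employees, rotation_days, minutes_per_change):
    """Cost side of the trade-off: person-hours a workforce spends per year
    on forced changes (assumed inputs)."""
    changes_per_year = 365.0 / rotation_days
    return employees * changes_per_year * minutes_per_change / 60.0


if __name__ == "__main__":
    period = 90  # assumed 90-day rotation policy
    for delay in (0, 1, 7, 45, 90):
        print(f"delay {delay:>3} days: still valid ~ "
              f"{fraction_still_valid(period, delay):.3f} "
              f"(exact {fraction_still_valid_exact(period, delay):.3f})")
    print(f"cost: {user_hours_per_year(5000, period, 10):.0f} person-hours/year "
          f"for 5000 staff at 10 minutes per change (assumed)")
```

The point the output makes is the one in the quote: for the delays a real attacker typically operates on (hours to days), a 90-day rotation leaves the stolen password valid almost every time, while the cost of the policy scales with headcount regardless.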
I’ll continue clicking cancel rather than typing in a new password, though I would recommend staying the course of using different passwords across multiple sites.
Footnotes:
[1] It would be semantically incorrect to link the FirstClass text above to Dear FirstClass, so I’ll do it here: Dear FirstClass.
[2] Resisting the obvious pun…
This makes sense unless the crook is, say, your best friend or cubicle-mate and ran across your password in some local context (like written on a post-it over your desk).
But yes, I think this is yet another case of administrators making unnecessary work for users to make it seem like they are doing their job.