The Absurdity of Corporate Password Security Policies

My password to the Washington Post Company’s intranet recently expired, so I was prompted to come up with a new one. As I usually do, I had the handly app 1Password generate a random 10-character alphanumerical string—fPCxHn6Z2G.

That got rejected as insufficiently secure. You see, it didn’t use any special symbols! And everyone knows special symbols are the key to password security. So I tried M@tthewYg1esias instead. That worked. After all, it’s got upper and lowercase letters, a number, and a symbol. No hacker could ever crack that kind of security. Now fortunately it was easy enough to have 1Password churn out a string that was both actually secure and that fit the corporate policy. But it’s a potent sign of how dumb we continue to be about passwords. What’s even stranger in this case is that the company’s official training materials about password security are actually quite good, and it shows that on some level the firm clearly has a strong grasp of information security procedures. It’s just not in any way aligned with the actual way the company operates.