Password paradox

That dreadful piece of software Lotus Notes prompts for a password change at regular intervals. It does not permit you to use the same password used before. A similar situation occurs with opening Microsoft XP. Whilst this may be considered to be more secure from a technology point of view, it betrays human behaviour. Generally we humans adopt the most parsimonious strategy for getting on with life. We go for simplicity. I’ve tried to be clever with my password strategy, but I’ve just run out of unique passwords that I can remember. This morning I was struck down with password amnesia. Ten minutes spent trying to remember my passwords. So I can do one of two things. Write the passwords down. Hardly secure. Or adopt a common strategy of selecting a word and adding a digit to it, and incrementally increasing the digit at every password change. This will undoubtedly compromise the goals of complex passwords regularly changed, but how much easier is it to have “Password1” this week and “Password2” the next. (Those aren’t my passwords BTW. Obviously.)

1 Comment

  1. Richard Schwartz · Wednesday, 12 July, 2006

    You are entitled to think whatever you want about Lotus Notes, call it dreadful, etc. — but please be aware that this is not the default behavior of the product. This was a choice made by the Notes administrators in your own organization. They have bought into the (foolish, IMHO) conventional wisdom that requiring frequent password changes and disallowing re-use improves security because it guarantees that any hole opened up will be closed within a short period of time. Lotus Notes allows this choice in order to accommodate the people who believe this, along with various other options for managing passwords — including requiring no changes at all, ever. I have had the same password for Lotus Notes for 13 years now. Of course, it helps that I am the administrator, so I set the policies. So anyhow in this case your argument is really with your own company’s policies, not with the product.

    -rhs
