Information Systems Agency my . . .

[andysocial]

[organization] will be enforcing strong passwords to ensure that [network] logon passwords are compliant with current password policy. [network] password policy is based on recommended settings provided by the National Security Administration's NT Security Technical Implementation Guide.

IMPACT TO CUSTOMERS: Each new password will be evaluated according to current [network] standards for robust passwords as itemized below. A new password that does not conform to these standards will be rejected and followed by a dialog box to explain why the password does not comply.
PASSWORD CRITERIA:
Passwords MUST:
1. Equal exactly 7 characters (no more, no less)
etc.

So, um, a password of a fixed length (rather than the much more common "at least 8 characters") is strong security? Yeah, ok. Thank you for making it easier for crackers to break in. No reason to check for random length passwords, because they know they'll all be the same length.

Comments

[alparrott.livejournal.com]

I can scarcely believe you, of all people, are insisting that an organization with the word "Defense" in its name operate using common sense and logic.

[andysocial]

You'd think they'd at least follow "best practices" in the IT industry. Most places I've worked in the past 7 years have required passwords of at least eight characters, and every security expert would laugh at both the shorter 7-character passwords, and the fixed length (i.e. predictable and exploitable) of the passwords. Amazing.

Can I have their jobs now, please? I know what I'm doing at least...