Three Strikes Rule

Here at work, we have several rules regarding passwords:
  • Passwords must be 8-10 characters long
  • Passwords must contain at least one number
  • Passwords expire after 30 days
  • Passwords cannot be re-used
  • Three successive failed login attempts result in the account being disabled on that machine.

And the kicker here is that most of the development tools we use do some kind of auto-login. When you try to connect to the database, they'll automatically provide your Windows username and password. This is intended to be handy.

But what happens when you connect to a database you haven't worked on in months?

The first thing that happens is that your "helpful" database client tries to use your current Windows login. Since the last time you used this database was more than 30 days ago, this login is wrong. So you've got STRIKE ONE against you, and all you did was open your database client.

You ask yourself, "When was the last time I worked on this server, and what was my password at the time?" So you take a guess. And it's wrong. Yes, always. STRIKE TWO.

Now you have one guess left before your account is disabled, and you have to call the help desk and admit that you, a professional programmer, can't remember your password, even after three tries. What do you do? You guess again, usually with about a 50/50 shot at getting it right.

So 9 times out of 10, you end up playing a game with the computer. The game goes like this:

You have one chance to guess which old password you used. Hint: It's not $OLDPASS.
Password: _

My solution: I use the same password for everything, and it's on a post-it on my monitor, with an expiration date and list of all the machines it applies to.

Actually, no. It's under my mousepad.
