Crap security advice

If you use a corporate provided computer system, you probably have a number of passwords to "remember". You probably have these written on a postit attached to the monitor or stored in a convenient file on the desktop called Passwords.doc.

Here's some advice a dude with dodgy hair at Computerworld that explains why:
Use strong passwords: No user password should be shorter than eight characters. It's even better if they are nine or 10 characters long. Elevated accounts should have even lengthier passwords. Passwords should not be shared between internal and external sites, and they should be changed every 90 or so days.

Users won't remember those passwords. Particularly if they access an "elevated" system like payroll that only needs to be accessed every quarter. They'll be on postits or in files.

Look, if the data/system is too important for a six character password it should be protected by two factor authentication, like one of those security dongles you see. Otherwise you might just as well hand your users a printed card with the password on and tell them to keep it safe.

And while I'm at it, something that wasn't recommended in the article, but which is very popular, is to have a convoluted system of forms and approvals to get a login. Which pretty much guarantees that once Doris in accounts has finally obtained a password for the payroll system, it'll be written on the whiteboard for the whole office to use.

No?