They insist you change your password every few months. This is just crazy, and I have yet to script this, so every three months or so I have to log in and change the password and change the password on the system that does the logging in. I really must automate that!
Now, I would be quite happy if we just used a client cert on the ssl or some such, but no, they use a simple username and password. But why change it? Why not have them allocate a really long complicated password and say that if we use the one they generate then we don't have to change it?
Basically, if anyone did find the password on my systems then, as with anyone else forced to change a password periodically, they would almost certainly be able to guess the next password, so forcing a change periodically is pointless. In this instance all I can do with it is download the reports anyway, so not exactly massively high security needed. Heck, why the hell do they not email the reports PGP encrypted? It would be a lot easier!
Anyway, as if that is not special enough - they decided to make a change to the rules for passwords, over a weekend, not tell anyone, and invalidate passwords that don't meet the new format, and not give any clue why you can no longer log in.
It has literally taken me all day to get this sorted, and have my account reinstated, and set a new password.
But, for your amusement, the new rules are :-
- Must not be the same as your login
- Must not be the same as any of the past 12 passwords used
- Must be at least 7 characters
- Must contain at least 2 numbers which must not be at the start or the end
- Must not contain 2 consecutive characters the same
It looks like they use upper case letters and numbers only, but thankfully they don't restrict passwords to that, as adding these rules to an upper-case-and-digits-only alphabet would more than halve the time needed to brute force a password.
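For anyone who wants to see how much these rules actually reject, here is a small checker written for this post (not the provider's own code) that applies the five rules above. It assumes the "2 numbers not at the start or the end" rule means at least two digits somewhere in the interior of the password, and that the 12-password history is supplied as a list of plain strings for comparison.

```python
def check_password_rules(password: str, login: str, history=()) -> list:
    """Return a list of rule violations; an empty list means the password passes.

    The rules are the five from the post. The history check assumes the caller
    passes previous passwords as plain strings (an assumption for illustration;
    a real system would compare hashes).
    """
    problems = []

    # Rule 1: must not be the same as the login name
    if password == login:
        problems.append("same as login")

    # Rule 2: must not match any of the last 12 passwords
    if password in list(history)[-12:]:
        problems.append("matches one of the last 12 passwords")

    # Rule 3: at least 7 characters
    if len(password) < 7:
        problems.append("shorter than 7 characters")

    # Rule 4: at least 2 digits, counting only positions away from start and end
    interior_digits = sum(1 for c in password[1:-1] if c.isdigit())
    if interior_digits < 2:
        problems.append("fewer than 2 digits away from the start and end")

    # Rule 5: no two consecutive identical characters
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("two consecutive identical characters")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials
    for candidate in ("AB1C2DE", "1ABCDE2", "AB11CDE", "A1B2C"):
        print(candidate, "->", check_password_rules(candidate, "user") or "OK")
```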
Why on earth do people do this?
I have emailed them http://xkcd.com/936/ but they won't get it!