Here is the password policy of one very large financial institution… seriously?  I have and use a hand full of passwords for various online accounts which I have used since the beginning of time.  Most people will run out of variations on the common pass*word* that they will begin to form really bad habits, making their online accounts less secure.  Like say, writing passwords down on paper or saving them in a insecure file on my computer (which I do from time to time) undermines the very security that was meant to be in the first place. 

Then there’s my wife’s headaches of working with the online account tools of a local bank in a suburb of Seattle, that forced her to have password reset codes sent to her cell phone repeatedly because the bank’s website no longer recognized the browser or PC that she used to login.  That’s typically a problem when your identity is tightly embedded into the PC or browser via cookies or registry values that is supposed to help prevent unauthorized access.  Over course of several days, using one of several different PCs in our house, she managed to re-verify herself and lock out her account 3 times.  What s dreadful password policy that other smart people undoubtedly have endured….  As if we don’t have enough phone calls to make or things to do in one day. *sigh*

 So what’s the answer?

Listen to your customers!   Balance end-user compassion with account security and privacy mechanisms.  Password policy need not be so complex.  Some solutions, such as Oracle Adaptive Access Manager, work on the back end monitoring login attempts based on signature files and patterns of hacking activity, which in turn can result in a huge boost of compassion for your end-users.

So what are your experiences with insane password policies?  How many passwords do you have?