At school today, one of my classes took a trip down the hall to a computer lab. Upon logging in, I was faced with a prompt, telling me that my password had expired and that I needed to change it. “Cool,” I thought to myself, “our computer administrator actually cares about security on our school’s systems.” Clicking the “OK” button (which was my only option), I proceeded to the Change Password prompt. And it was here that I realized how dumb our school administrator had been in implementing this required password change.
At the prompt, I quickly realized that I could not use any decent passwords. Trying to use any combination of numbers, letters, and symbols (e.g., *) failed. A message telling me that my new password was invalid was the only feedback I got. Furthermore, I couldn’t log into the machine until I had successfully changed my password. Cutting the symbols out of the password, I continued to try. Again, I was greeted with failure. Were letters the only valid characters? No dice there either. I sat back, unable to change my password and unable to log in. Then it struck me. “I’ve probably got to use my phone number, don’t I?” My school has typically used phone numbers as default passwords in the past, so it seemed a likely solution. Bingo! My password change was successful, and I was finally able to log in.
Of course, using your phone number for a password isn’t exactly a great solution. Obviously, anybody who knows your phone number can log into your account and access all of your files (ignoring the fact that you’d be stupid to store any really sensitive information on a school computer, anyways), but worst of all, they are you as far as the administration is concerned. So, for example, if a friend who knows my phone number logged in as me and looked at some pr0n while using my account, there would be more than a little bit of trouble coming my way. Furthermore, I’d have no way to prove my innocence.
With an understanding of the flaws of using my phone number as my password, I went back to try to change my password to something a little bit more secure. I tried a random string of numbers. “Invalid password change,” the screen informed me. Even passwords made of strings of ten numbers, the same number of digits that are in phone numbers, resulted in failed attempts to change my password. The only password that I could use for my school account was my own phone number.
Don’t get me wrong here, I’m all for security. Strong passwords are essential for keeping your information and identity safe from potential theft. Changing your password every so often is a great idea, as it will do nothing but make it harder to hack into your account. However, implementing a required password change and then only allowing users to change their password to a certain thing is retarded. It completely defeats the purpose of not only expiring passwords, but security in general. Even a password of abc123 would be more secure than using your phone number. Mind you, I’m not sure what else I was expecting. Our computer administrator has blocked all common webmail sites, right clicking, and even all image searches on the school computers. When we had a permissions problem in one class (a file our teacher had saved on my school’s shared network server had no read privileges for students), he managed to spend a full 45 minutes trying to convert the Word document into different formats instead of just changing the permissions on the file, and never managed to solve the problem. I haven’t used a Windows machine outside of my school’s locked down systems for two years, and I’m pretty sure I could do a better job of being administrator than our IT guy.
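To make the contrast concrete, here is an added example in Python (not code from this post or from the school's system): one function models the policy described above, where the only new password accepted is the phone number on file, and a second models an assumed baseline policy that rejects short, single-class, personal-identifier and reused passwords. The user record, the assumption that the expiring password was the phone number, and the candidate passwords are all constructed.

```python
import re

# Constructed user record: the username, the phone number the school has on
# file, and the assumption that the expiring password was that phone number.
USER = {"username": "jdoe", "phone": "5551234567", "old_password": "5551234567"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")


def phone_only_policy(new_password, user):
    """The school's effective rule: accept nothing except the phone number on file."""
    return new_password == user["phone"]


def sensible_policy(new_password, user, min_length=10):
    """Assumed baseline policy. Returns a list of problems; an empty list means accepted."""
    problems = []
    if len(new_password) < min_length:
        problems.append("too short")
    # Count how many character classes (lower, upper, digit, symbol) appear.
    classes = sum(bool(re.search(p, new_password)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("fewer than three character classes")
    # Reject known identifiers, including the phone number with formatting
    # such as "(555) 123-4567" stripped down to its digits.
    digits_only = re.sub(r"\D", "", new_password)
    known = {user["phone"], user["username"].lower()}
    if new_password.lower() in known or (digits_only and digits_only == user["phone"]):
        problems.append("matches a known personal identifier")
    # An expiry that lets the old password back in accomplishes nothing.
    if new_password == user["old_password"]:
        problems.append("reuses the expiring password")
    return problems


def evaluate(candidates, user=USER):
    """Map each candidate to (accepted by phone-only policy, problems under baseline policy)."""
    return {pw: (phone_only_policy(pw, user), sensible_policy(pw, user)) for pw in candidates}


if __name__ == "__main__":
    for pw, (phone_ok, problems) in evaluate(["5551234567", "abc123", "Tr0ub4dor&3xyz"]).items():
        print(f"{pw!r}: phone-only accepts={phone_ok}; baseline problems={problems or 'none'}")
```

The phone number is the only value the first policy accepts and the value the second policy rejects on three separate grounds, while a password the first policy refuses passes the baseline cleanly.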
The next time I logged in, a dialog popped up, informing me that my current password would expire in 30 days.