WSJ.com – Trying to Remember New Passwords Isn’t As Easy as ABC123: “Before joining Fortinet, Mr. Kwan spent 15 years as an internal techie for three Silicon Valley companies. There, he repeatedly saw human nature defeat well-intentioned computer-security rules. When he was called to work on a computer and the regular user wasn’t there, Mr. Kwan would pick up the keyboard. It was a good bet that he would find a password scribbled underneath. “We found a lot of bizarre passwords being taped all over the place,” he says.
The Sarbanes-Oxley law doesn’t mandate periodic password changes. Nor do the Securities and Exchange Commission rules implementing the law. Nor does the “guidance” issued by the Public Company Accounting Oversight Board, the nonprofit corporation that Sarbanes-Oxley created to regulate audit firms. Nonetheless, password changes have become a standard feature of management strategies to demonstrate compliance with the law.
One impetus appears to be the IT Governance Institute, a Rolling Meadows, Ill., nonprofit that brings together tech executives from big companies with representatives of major audit firms. The institute’s “control objectives” for Sarbanes-Oxley list regular password changes as an “illustrative control” to prevent tampering with corporate financial systems.”
You get workers put in near-impossible positions. Too many passwords ruin security on the human scale and do not increase security at all.