How not to implement “change password”

[A brief rant before I tackle the explanation I promised in my last post]

At work we have to change our password every 60 days. The password is for logging-in to PCs, getting out of the web-proxy and logging-in to the shared diary system and more besides. Your password has to have at least one number and one letter and be at least 8 characters long. Pretty standard stuff. No problem with it.

But, the procedure for changing the password is fundamentally arse-backwards.

1. Receive email informing you of imminent expiration of current password;
2. Follow link in email to change password;
3. Reconfirm your acceptance of the T&C (ie scroll over them);
4. Enter new password;
5. Confirm new password by re-entering it;
6. Enter old password;
7. Thank you for changing your password.

So, in steps 4 and 5 Iyou have to create a new password that you can remember. All good. Remembering semi-meaningful streams of characters is something that most people suck at, but that’s OK. Passwords are where it’s at and will be for quite some time.

Then, just after you’ve used your new password for the first time(s) and it’s still fresh in your brain and your fingers haven’t absorbed it’s pattern and you’re still trying to imprint it in your memory in the space you reserve for “my work password”, then, just at the point where the possibility of remembering your new password is tenuous at best you have to remember your old password!

That’s not just broken, it’s evil.