Make something idiot-proof…

Security

… and they will build a better idiot.

Honestly, there are days when I feel like people do things with my software just to dick with me. For years we didn’t enforce password complexity on ExchangeDefender, ergo 99.999% of the passwords at ExchangeDefender are “password”, “Password”, “Password1”, “P@55w0rd”, “P@ssw0rd”, “password123”, “1qa2ws” or “2ws3ed” and can be cracked by a three year old.

So I set out to write a password complexity procedure the other day, enforcing the standard MCSE complexity rule: at least 7 characters long, with a mix of at least three of the four character classes: lowercase letter, uppercase letter, digit, special character. So today I power on my laptop to see just how complex the passwords being generated now are, thinking that people are starting to use passphrases, etc.

What I found made me scream out “Fuuuuuuuuuuuuuuuccckkk me, WHY!?$!@#” out loud. The password?

Abcd1234

Why, for the love of god, would anyone do that? Did they just look at the new password complexity alert and think…

“Screw Vlad. What is the LEAST complex password I can come up with given the current restraints. Let’s see… how do I make this work… something everyone uses…. something sequential… start it at the beginning of that sequence. Oh, and I’ll capitalize the A for take that complexity Vlad, you Asshole.”

Thanks… whoever that was (anonymously logged)… I think my next method will check for password complexity and, instead of throwing an alert or UAC prompt or any of that annoying stuff that they can live with, will shoot back a 4096/1024-bit key as their new password. “Dear Customer, the password you requested did not meet our password complexity requirements. Here is a 4096-character password to use from now on.”

Or sell them AuthAnvil….

I just don’t get it. Why spend all this money on perimeter security and protect it with a sequential password that can be guessed by a 3 year old?
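The complexity rule described above (7+ characters, three of four character classes) is exactly the rule that “Abcd1234” sails through, which is the whole complaint. Below is an added example, not ExchangeDefender’s own code, showing the MCSE-style check beside the two extra checks that would have caught it: a sequential-run detector and a small denylist. The denylist is constructed here from the passwords quoted in the post; a real deployment would load a much larger list from a file (the file name and size are assumptions, not anything the post specifies).

```python
from typing import List

# Constructed for this example from the passwords quoted in the post.
# A real deployment would load a far larger list (e.g. a hypothetical
# "common-passwords.txt"), stored lowercase.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "p@55w0rd", "p@ssw0rd",
    "1qa2ws", "2ws3ed",
}

# Crude leet-speak normalisation so "P@55w0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "3": "e", "!": "i"})


def meets_complexity(pw: str, min_len: int = 7, classes_required: int = 3) -> bool:
    """The MCSE-style rule from the post: at least min_len characters and at
    least classes_required of {lowercase, uppercase, digit, special}."""
    if len(pw) < min_len:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= classes_required


def longest_sequential_run(pw: str) -> int:
    """Length of the longest run of consecutive code points ("abcd", "1234",
    "zyxw"), ascending or descending, compared case-insensitively."""
    s = pw.lower()
    if not s:
        return 0
    best = run = 1
    direction = 0  # +1 ascending, -1 descending, 0 no run in progress
    for prev, cur in zip(s, s[1:]):
        d = ord(cur) - ord(prev)
        if d in (1, -1) and (direction == 0 or d == direction):
            run += 1          # extend the current run
            direction = d
        elif d in (1, -1):
            run = 2           # direction flipped: new run starts at prev,cur
            direction = d
        else:
            run = 1
            direction = 0
        best = max(best, run)
    return best


def weakness_reasons(pw: str) -> List[str]:
    """Every reason the password should be rejected; empty means acceptable."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails length/character-class rule")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS or lowered.translate(LEET) in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if longest_sequential_run(pw) >= 4:
        reasons.append("contains a sequential run of 4+ characters")
    return reasons


def is_acceptable(pw: str) -> bool:
    return not weakness_reasons(pw)


if __name__ == "__main__":
    for candidate in ["Abcd1234", "P@55w0rd", "password123", "Purple-Giraffe-Dances-42"]:
        print(f"{candidate!r}: complexity={meets_complexity(candidate)} "
              f"reasons={weakness_reasons(candidate)}")
```

The point the example makes is that “Abcd1234” passes `meets_complexity` (three classes, eight characters) and is rejected only by the sequential-run check; “P@55w0rd” passes with all four classes and is rejected only by the denylist after leet normalisation. Complexity rules on their own measure character mix, not guessability, so the denylist and pattern checks are what actually raise the bar.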
