I have recently run in to a couple websites which have a very annoying “feature”. Basically they have taken an internal policy applying to passwords and forced it externally on their loyal customers. This “feature” is to remember every password you have every previously had and not allow you to use it again. I don’t know what ‘Genius’ inside these linked companies thought this might be a good idea because this is how they run things with in the corporate walls, but out in the real world all that they are doing is forcing loyal customers to pull out their hair.
You may say “So what? That is a good way to protect the data, my company does the same thing.” Well corporate security has a good reason to force that on their employees, because they are protecting the intellectual property of the organization. Plus if that doesn’t work for you, they are paying you. I don’t know of anybody who says thank god for Company X they make me change my password every X months or every time I forget it. So what you end up with is a password that you have to write down or make so simple your 8 year old could guess it because it is not one of your standard passwords or phrases that you have developed and homed over the years.
Now combine that with the mandatory reset policy, that these companies have, if you happen to mistype the password 3 times while trying to guess which of your passwords it is. Oh and of course your password cannot be the same as any of your previous passwords, so you have to make it up on the fly, and after going through this process a couple dozen times you have used all your passwords that are common. So you get in to this repeating process of having to do a password reset each and every time you visit the website.
I really don’t understand most of the time what they are trying to protect. I can understand GoDaddy doing this, because it would be easy to transfer out valuable domains that people own, but what kind of data are people going to steal from Verizon Wireless, my credit card account is not shown, and I don’t really care if somebody sees how often I call my parents or wife.
I call on these companies and any company who uses this practice for external customers to remove this ‘feature’, while the intentions may have been noble the execution in the real world falls flat on its face. If anything this should be an option for customers, but then again I don’t personally know of anybody who would volunteer for this “feature”. If you really want to secure your customers against identity theft start implementing alternate authentication options such as OpenID or CardSpace.