Letters to Redmond
January Letters: Readers Debate One-Time Passwords and More
In his January Decision Maker column, "It's Time To Lose the Passwords!" Don Jones suggested companies should stop forcing users to remember long, complex passwords, and instead make the move to token-generated, one-time passwords. Here, two readers weigh in:
Despite Don Jones' pedigree, I must point out that his entire article is based on a false premise: that users are stupid and/or lazy. I've been able to implement password policies in organizations that use complex passwords -- with an average length of more than 40 characters -- with a 95 percent rate of user approval. (I guess the other 5 percent were lazy and/or stupid). The reset rate was close to 0 percent. It's not difficult to do, it requires less than five minutes of training and it makes rainbow tables an irrelevance.
Christopher D. Bell
Glossop, United Kingdom
My problem is that the people highest up in the company think that a 10-character password (let alone a 12-character or 40-character password) is unnecessary. If I can't convince them, it doesn't matter what the other 90 percent or 95 percent or even 99 percent think.
A reader responds about the Google "Omnibox," an address bar/search box combo described in the recent feature "Internet Explorer to the 9s" (January, 2011):
"Google innovated on top of [search boxes located right in the browser] by making the Chrome address bar for URLs also serve as a search box." Well, IE 8 does this, too. If you place a pre-pending '?' (plus a space afterwards) and then type what you want to search for, it works. Try it.
There's a lot that IE 8 does that's not generally known. Microsoft marketing could be better.
In a Jan. 15 blog post ("New Year, New Microsoft Flaws"), Redmond Executive Editor of Features Lee Pender wrote about an active Microsoft security flaw revealed by Google. He asked, "Is Google acting irresponsibly by disclosing un-patched Microsoft flaws?" Here, readers respond:
Anyone who finds a security risk in any software and makes it public instead of letting the software maker know about it is irresponsible. In addition, they should be held responsible for any "hacks" created after it was made public, because they told everyone about it. Google is very unethical in how it runs its business, and will do anything it can to hurt the competition.
When Google informs the public instead of Microsoft, yes. That's like crying "Fire!" in your competitor's restaurant, instead of telling the waiter the stove is flaming a little too high.
If the product is defective, remove it from the public. Don't beat up the whistleblower.
Having given Microsoft more than adequate notice (nearly six months), I think it was perfectly fair to release the information.
This page is compiled by the editors of Redmond magazine from your letters. Write to us at firstname.lastname@example.org and if your letter is printed in the magazine, you'll be entered into a drawing for a free Redmond T-shirt.