Background Password Amnesty Period (+13, -7)
If you can't remember that password then maybe you should choose another.

Many office systems force their users to change their passwords on a regular basis. If I forget my password, it'll always be the day after I changed it. The new one just hasn't fixed itself in my brain yet.

In cases when the password has been changed routinely, rather than to counter any specific security threat, the old password could remain active for a week as a background password.

Should a user enter a password wrongly (three times in a row) within the first week of a scheduled password change, they would be taken to a screen where they can change the new password to something more memorable, using the old password as authentication.
-- st3f, Nov 02 2004

+, though it wouldn't have helped me when the system made me change my password the day before a two week vacation.
-- swamilad, Nov 02 2004

Not sure if this solves the problem or just defers it for a week or so - if you can't remember the new password, you're just going to keep entering the old one.

From a security perspective, this makes the systems twice as vulnerable, and the kind of person taking advantage of it will likely be picking soft passwords too (eg. name of dog, spouse + year of birth, favourite team etc). Regretfully, a fish.
-- DocBrown, Nov 02 2004

swarmi...: Maybe it could be based on number of successful logins as well as a longer time period. Maybe not, though. The longer you extend this, the greater the risk.

Doc: You couldn't keep using your old password as it no longer gets you access to your files; it is *only* used to change the access password (which is a pain to do every morning). Plus, it would expire. There *is* an increase in vulnerability by having two passwords but I'm hoping that making the password system easier to use will result in fewer passwords getting written down.
-- st3f, Nov 02 2004

Hmm...I see another problem [dons balaclava]. One try, two tries, 3 tries, enter new password, stolen your account. Granted it depends on having the old password, but it's vulnerable being old...
-- DocBrown, Nov 02 2004

It's not that old. You were using it to secure your account only last week.

That did get me thinking, though. Maybe this should be a one-shot deal. You can rescue a password only once until the next scheduled password change. This would make any successful hack more obvious.

[explanation requested by DocBrown below]... If you allow the user to reset the password using this method multiple times then no alarm bells will ring if an unauthorised user (who has managed to get hold of the old password) does so. The user will just assume that they've forgotten the password again and reset it. This would give the unauthorised user a whole week of out-of-hours access to the account.

If you restrict the user to a single reset then the second triple of failed logins will direct them to a screen telling them to call IT so that they can reset their password. If you are security-conscious, the first question you can ask (reading back from the log-files) is whether they reset their password at three the previous morning.
-- st3f, Nov 02 2004

The fact that you were using it recently is no bar on it being old - it's at the end of its life is what I meant, where it's adjudged to have become old enough to start being at risk of compromise.

I think this should definitely be a one-shot deal, but I don't see how it makes a successful hack more obvious - explain!

EDIT: Cheers for that [st3f], have changed vote accordingly.
-- DocBrown, Nov 02 2004

Another security enhancement for this would be to notify the network administrator whenever the feature was used. Depending on the sensitivity of the situation, the admins could take whatever action was necessary. For example, an automatic email to the person's manager might be about the right level of security and would significantly reduce the amount of time that the network admin would have to spend dealing with forgotten passwords.
-- scad mientist, Nov 02 2004
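The policy sketched across the thread (a background password kept for a week after a scheduled change, a rescue screen after three failed logins, a one-shot reset so a second triple of failures goes to IT, and an admin notification whenever the rescue is used) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the halfbakery post or any real office system. It assumes a PBKDF2 salted hash for storing credentials, a simulated integer day counter instead of a real clock, a `notify` callback standing in for the e-mail to the admin or manager, and the outcome name `contact_it` for the "call IT" screen; all of these are constructed choices.

```python
"""Simulation of the 'background password' amnesty policy (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ATTEMPT_LIMIT = 3      # failed logins before the rescue screen is offered
AMNESTY_DAYS = 7       # how long the old password stays usable for rescue
PBKDF2_ROUNDS = 50_000  # assumed work factor for the constructed hash


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    """Salted PBKDF2 digest; the clear-text password is never stored."""
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, password: str) -> "Credential":
        salt = os.urandom(16)
        return cls(salt, _derive(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(password, self.salt))


@dataclass
class Account:
    user: str
    current: Credential
    background: Optional[Credential] = None  # old password, rescue use only
    background_expires: int = 0              # simulated day number
    rescue_used: bool = False                # one-shot: one reset per cycle
    failures: int = 0                        # consecutive failed logins
    log: List[str] = field(default_factory=list)  # what IT reads back later


class AuthService:
    def __init__(self, notify: Callable[[str, int], None]):
        self.notify = notify  # assumed hook: mail to the admin / manager

    def scheduled_change(self, acct: Account, new_pw: str, day: int) -> None:
        """Routine policy change: the old password becomes the background one."""
        acct.background = acct.current
        acct.background_expires = day + AMNESTY_DAYS
        acct.rescue_used = False
        self._set_password(acct, new_pw, day, "scheduled_change")

    def forced_change(self, acct: Account, new_pw: str, day: int) -> None:
        """Change after a suspected compromise: no background password is kept."""
        acct.background = None
        acct.rescue_used = False
        self._set_password(acct, new_pw, day, "forced_change")

    def _set_password(self, acct: Account, new_pw: str, day: int, reason: str) -> None:
        acct.current = Credential.create(new_pw)
        acct.failures = 0
        acct.log.append(f"day={day} {reason}")

    def _rescue_open(self, acct: Account, day: int) -> bool:
        return (acct.background is not None
                and day < acct.background_expires
                and not acct.rescue_used)

    def login(self, acct: Account, password: str, day: int) -> str:
        """Returns 'ok', 'denied', 'rescue_available' or 'contact_it'."""
        if acct.current.verify(password):
            acct.failures = 0
            acct.log.append(f"day={day} login_ok")
            return "ok"
        acct.failures += 1
        acct.log.append(f"day={day} login_failed n={acct.failures}")
        if acct.failures < ATTEMPT_LIMIT:
            return "denied"
        if self._rescue_open(acct, day):
            return "rescue_available"  # offer the 'pick a memorable password' screen
        return "contact_it"            # no amnesty left: helpdesk must reset

    def rescue(self, acct: Account, old_pw: str, new_pw: str, day: int) -> bool:
        """Replace the current password, authenticated by the old one. One shot."""
        if acct.failures < ATTEMPT_LIMIT or not self._rescue_open(acct, day):
            return False
        if not acct.background.verify(old_pw):
            acct.log.append(f"day={day} rescue_failed")
            return False
        self._set_password(acct, new_pw, day, "rescue")
        acct.rescue_used = True     # a second triple of failures goes to IT
        self.notify(acct.user, day)  # admin can check the log for odd hours
        return True
```

The one-shot flag is what makes a misuse visible: after a rescue, the old password still opens nothing, and the next run of three failures lands on the "contact IT" outcome, where the log line `day=N rescue` tells the helpdesk whether anyone reset the password at an hour the user does not recognise.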

Adding to [scad]'s thought (okay, little divergent) is to allow the password concurrence or overlap to occur only on policy-scheduled password changes but not on un-scheduled changes imposed due to a detected or potential password security breach.
-- bristolz, Nov 02 2004

Maybe you could also choose how you want to enter your security information. If they have a palm reader, key pad and retinal scanner, and depending on the user you may use one or two of any of those devices, then outsiders not only have to match up the user but they have to match up their possible method of security info. +
-- sartep, Nov 04 2004

You can get around problems like this by using a secret ordered list and basing your passwords off items on that list. Combine this with a consistent pattern of capitalization and use of punctuation, and you’ll have a set of strong passwords that are easy to remember.

For example, let’s say you use the months and the number of days in them. Your passwords could be jAnuary-31, fEbruary-28, mArch-31, aPril-30, and so on. When you get to December, start over – it shouldn’t be a problem for most systems. If you forget a password, it shouldn't be too hard to figure it out with a few guesses.

Naturally, this system works best when you use a list that's only known to you -- grade school teachers, ex-flames, etc.
-- harebrained, Nov 05 2004

//Many office systems force their users to change their passwords on a regular basis//

This idea would not work if the office system changes password every week.
-- nomadic_wonderer, Nov 05 2004
