Password security
(Only Group A has an online discussion for this lesson.)
Read my paper from ISTAS 2002 on choosing passwords, and answer some of the following questions.
- Do you agree or disagree with any of my recommendations (Section 6) for
an ethical policy on choosing passwords? Why or why not?
- Should you use the same password for many or all sites and services you
access? What are the advantages, and what are the risks?
- What scheme do you personally use for choosing passwords? What scheme
would you recommend for choosing passwords that are memorable but not
guessable?
- When a user can't remember a password, most sites either (1) mail the
password to the e-mail address the user has supplied, or (2) ask the user
to answer a challenge question (e.g., mother's maiden name or
favorite movie) and then reset the password. Which is safer? Why? What
other action might a Web site take to allow password recovery?
- How is a forgotten user-ID (or "login") different from a forgotten
password? Should a site take the same action when a user needs to recover
an ID as it takes when a password must be recovered?
- NCSU eventually plans to require users to change their Unity passwords
every 90 days. Will this improve or diminish security?
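The password-recovery question above contrasts mailing the password itself with answering a challenge question. A third option many sites use is a time-limited, single-use reset link. The following is an added example (not from the ISTAS 2002 paper or the course) of how such a link can be issued and redeemed; the store is an in-memory stand-in for a database, the account table and outbox are constructed sample data, and the 15-minute lifetime is an assumed policy value.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes

ACCOUNTS = {"alice@example.invalid": "alice"}  # constructed sample account table
OUTBOX = []  # stands in for the site's mail system; holds (address, message) pairs


class ResetTokenStore:
    """In-memory stand-in for the database table a site would keep.

    Only the SHA-256 hash of each token is stored, so a copy of the table
    does not yield usable reset links. The clock is injectable so expiry
    can be exercised without waiting.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._by_hash = {}  # token hash -> {"user", "expires", "used"}

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_hash[digest] = {
            "user": user_id,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # goes into the e-mailed link; never stored in clear

    def redeem(self, token):
        """Return the user id if the token is known, unexpired and unused; else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._by_hash.get(digest)
        if entry is None or entry["used"] or self._now() > entry["expires"]:
            return None
        entry["used"] = True  # single use: a second click on the same link fails
        return entry["user"]


def request_reset(store, email):
    """Handle the 'forgot password' form for a given address."""
    user_id = ACCOUNTS.get(email)
    if user_id is not None:
        token = store.issue(user_id)
        OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    # Same reply whether or not the address is registered, so the form
    # cannot be used to discover which addresses have accounts.
    return "If that address is registered, a reset link has been sent."


def token_from_link(link):
    """Pull the token back out of the mailed link (helper for the demo)."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    store = ResetTokenStore()
    print(request_reset(store, "alice@example.invalid"))
    _, link = OUTBOX[-1]
    print("first redeem:", store.redeem(token_from_link(link)))
    print("second redeem:", store.redeem(token_from_link(link)))
```

Note that the site never needs to know the user's current password to do this, which is the point: a site that can mail a password back must be storing it in a recoverable form, whereas a reset link only requires a random token, a hash of it, and an expiry.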