The BIG Reason

Music, opinions, and portfolio of Mark Eagleton, musician and web developer in Northern CA.

Too Much $ecur1ty

I've been cranking out a serious number of content management systems lately. You know, those little back-end, password protected parts of your blog or website that allow you to change content on the front end? Different clients have different security needs, and I've certainly seen my share of inconsistent requests lately.

Encrypted, case sensitive, at least 8 characters—but not more than 16 characters, must include at least one number and one symbol and can't start with a number or symbol, must change every two weeks and can't be the same as your last four passwords... passwords... pass phrases, tokens, reminders, https, ssh tunneling... I've had clients request them all, and still want to accept credit card numbers through email.

A recent project and a voice mail (and perhaps, the redundancy of the above) got me thinking... Is there such a thing as too much security?

A Recent Project

I was demoing a multiple choice quiz based training program to a client—complete with scoring and my standard user name/password/email reminder library—when they were put off by the fact that their users had to remember a unique user name, password and have a valid email address. I explained the reasoning, and how easy it would be for folks to reset their login information by simply putting in their email address. They still wouldn't have it, though.

They had come up with a pre-determined numbering system that made no use of user names, passwords or emails, and insisted it be implemented instead. Without going into too much more detail about the project, we'll just say that with this system, it would be extremely easy for anyone to gain administrator or plain old user access to the system and modify content.

Surprisingly, the client actually came back with pretty decent reasoning for this much less secure implementation. The content at risk is extremely negligible. In fact, the entire purpose of the system is fairly lackluster and insignificant to most of the population outside of the field, and many inside of it I would suspect. Repairing compromised data would be extremely trivial, and since the database has no more than basic read/write privileges, I figured why the hell not. After all, I had done my part by offering an extremely secure solution, explained the risks of their solution, and covered my ass on paper.

It was a new one on me, and in the wake of the Microsoft Certified IT-esque onslaught of security demands I had been put through, this was rather quite refreshing.

A New Voice Mail Message

I hate talking on the phone. Even to people I know. I would much rather email, IM or speak in person. I'm fortunate to have a job that lets me keep phone conversations to a bare minimum. Going in and out of programming mode is difficult when you are kicking ass, and my bosses recognize this.

I keep my phone on "Do Not Disturb." This means that when you call, you go straight to voice mail. When I come to a nice breaking point, I regularly look over for the rare chance to see a blinking voice mail light. A week ago, I actually had one. I dug out my handy telephone cheat sheet for the instructions to get into my voice mail, as well as the instructions for how to forward the call to the person it was most likely intended for.

I pressed the voice mail button, and the nice lady who usually asks me for my password—the same lady that I could swear has asked me for my voice mail password at every job I've had—instead informs me that my password has expired and that I must now change it!

A voice mail password that expires is simply WAY too much security for me. I've had the same voice mail password at every job I've had. In fact, I have a baseball jersey from my last job with my voice mail password on it. The voice mail lady should know this, since her list of previous employers is strikingly similar to mine.

Suddenly I am forced to think of something new, just to retrieve a message that is certainly not meant for me. I thought back to the log-in number project. I envied my client's right to request diminished security measures on their order. I wish I could order a phone that just spoke my messages aloud as they came in.

Multiple Moving Targets

The point where the effort to implement security measures far outweighs the benefits they offer to the majority of the people relying on them is a moving target. This is just as true in technology as it is in real life.

As my wife and I walked our two small children home from the park last evening, we encountered a pit bull tied to a tree on our path to exit the park. I think I probably had the animal by about 40 lbs. On my own, I doubt he would have gone for me. With two small children in his midst, however, he went into full eye contact mode. Despite the fact that he was tied to a tree, we turned around and chose the far exit of the park, even though it added a significant distance to our walk home.

In this case, the small tree and natural fiber leash were not sufficient security measures for me. And the added distance to our walk was a worthwhile precaution. While on my own, I may have chosen to ignore the beast and rely on my natural disposition as a dog lover and eye-gouging philosophy to animal attacks.