2 Posts Tagged 'Passwords'
Passwords in log files = bad
In Linux when I use SSH I usually pass the host and port and username on the command line and then type the password when prompted. (In those rare cases I don't use certificates to log in without a password.) In Windows, PuTTY makes you pick a host and port and then prompts you for the username AND password.
This leads to unpleasant results. I'm so conditioned to open SSH and type my password at the prompt and hit Enter that I often end up typing my password as my username in PuTTY. Bad.
I've sometimes opened webpages that have some stupid Javascript bullcrap that tries to auto-focus the username field in a login form. But if you're a fast typist (and mouse-ist) like I am, you can focus the field, type your username, and hit tab to get to the password field before the long-loading Javascript bloat has time to load and run. Which can result in auto-re-focusing the username field, which if it happens at just the right instant, results in my typing the password into it and pounding Enter before I have a chance to notice what's happened. Bad bad bad.
I use a computer far too often to have time to read every prompt, which leads to bad things. Anyone who's used to flying around an interface at light-speed by instinct and repeated learned behavior has experienced this kind of thing I'm sure.
This is horrendously bad because these programs often log the usernames of login attempts in plaintext in logs that lots of potentially evil people have the ability to read. The logs don't usually log the passwords of login attempts, but if you type a password AS a username, oops, you're screwed. Thankfully I'm root on most or all of the machines I ever SSH to, and I can go into /var/log and erase my mistake from the logs before anyone can see. But that doesn't help for web pages I don't know. And I wonder how often this kind of thing happens to other people. I wonder how many people who aren't familiar with computers accidentally send their password as their username to a bunch of websites.
After all the effort we go to to try to secure computer applications, these kinds of stupid human factors can still so easily ruin everything.
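A defensive counterpart to the failure mode this post describes, added here as an example and not code from the original post: a small Python filter that scans sshd-style auth log lines, flags a "username" that is shaped like a credential (not a known account, several character classes or long and high-entropy), and redacts it before the log is archived or handed to anyone else. The sample log lines and the known-user list are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sshd auth.log lines (not taken from any real system). The last
# line shows a password-shaped string typed where the username belongs.
SAMPLE_LOG = """\
Jan 10 09:12:01 host sshd[2311]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 10 09:12:44 host sshd[2320]: Invalid user admin from 10.0.0.9 port 40112
Jan 10 09:13:02 host sshd[2325]: Failed password for bob from 10.0.0.5 port 51030 ssh2
Jan 10 09:13:30 host sshd[2330]: Invalid user Tr0ub4dor&3! from 10.0.0.5 port 51031
"""

# Constructed list of legitimate accounts; in practice read it from /etc/passwd
# or the directory so real usernames are never treated as leaked secrets.
KNOWN_USERS = {"alice", "bob", "root", "admin"}

# Matches the username token in the sshd messages that record login attempts.
USER_RE = re.compile(r"(Invalid user|Failed password for(?: invalid user)?) (\S+) from")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher means more password-like."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_password(name: str, known_users=KNOWN_USERS) -> bool:
    """Heuristic: unknown account plus mixed character classes or long+random."""
    if name in known_users:
        return False
    classes = sum(bool(re.search(p, name)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3 or (len(name) >= 12 and shannon_entropy(name) > 3.5)

def redact_line(line: str) -> tuple[str, bool]:
    """Return the line with a suspicious username replaced, and whether it was."""
    m = USER_RE.search(line)
    if not m or not looks_like_password(m.group(2)):
        return line, False
    return line[:m.start(2)] + "[REDACTED]" + line[m.end(2):], True

def scrub_log(text: str) -> tuple[str, int]:
    """Redact every suspicious username in a log and count the hits."""
    out, hits = [], 0
    for line in text.splitlines():
        new, hit = redact_line(line)
        out.append(new)
        hits += hit
    return "\n".join(out), hits

if __name__ == "__main__":
    scrubbed, count = scrub_log(SAMPLE_LOG)
    print(scrubbed)
    print(f"{count} probable credential(s) redacted")
```

The heuristic errs toward redacting: an unusual but legitimate username may be scrubbed, which costs far less than leaving a real password in a world-readable log.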
Password changing policies
I don't understand having a policy which requires people to change their password every couple months. We have that kind of policy at work and I don't quite get the reasoning behind it.
If someone guesses your password, changing it isn't going to defeat them. The damage is already done. If someone is trying to guess your password, again changing it doesn't necessarily help. Imagine someone doing a dictionary-based attack and trying a million passwords one after another. If you change your password to something they already guessed, then they will finish their attack unsuccessfully and will have to start all over, which is good. However if you change it to something they haven't guessed, they may actually end up guessing your password sooner than they would have, depending on where in the remaining list of passwords you jump to. Worst case scenario is they still guess it, but it takes a bit more time. And what are the chances of changing your password right in the middle of being attacked in this way? This is so stupid that I don't think it's an actual justification, but it's the first thing that came to mind.
There's an argument to be made that accounts should "expire" after a certain amount of time, and forcing you to change your password every couple months prevents old, still-active but unused accounts from accumulating. If an old inactive account is compromised, a malicious user could possibly use the account for an extended period of time without anyone noticing (since no authorized user is using the account on a regular basis). This is my best guess as to the rationale for this policy. But it seems to me that this policy could be implemented just as easily by checking the date an account was last logged on. If I use my account every single day (which I do) I shouldn't have to change my password for this reason.
In practice, forcing people to change their passwords all the time ends up being counter-productive, in my opinion. People can't remember one password, let alone multiple passwords due to changes over time. So everyone thinks of a password, slaps a number on the end, and rotates the password by changing the number. Or something similar. At the very least, I think an argument can be made that the more often you have to think of a password, the less likely you are to think of a GOOD password. If it's a hassle to constantly change it (which I think it is), people will pick short, easy passwords, which is bad. Either that, or people will resort to the infamous "sticky note on the monitor" trick.
I pretty much never change my password on my home computer, unless I do something stupid and think I may have compromised myself. Maybe this is dumb, but I can't see a need for it.
