General discussion

  • Creator
  • #2194381

    Dumb idea


    by zlitocook ·

    The company I work for has had the great idea to enforce a 30-day password change. That does not sound so bad, but it is a change that includes a 14-character password where the user has to have one special character, two letters and one number. Well, the people on my network have problems logging in to the network as it is.
    With this policy it will guarantee that the users will keep passwords in a place where they can find them.

All Comments

  • Author
    • #3142466

      Enforcing a password change and strong password policy is good

      by mjwx ·

      In reply to Dumb idea

      But this is just anal. 8-10 characters minimum with three non-alpha (capitals included) characters should be more than sufficient to change on a 4 or 6 week basis.

      Users complain enough about that.

      • #3269402

        You know it makes me laugh

        by j.lupo ·

        In reply to Enforcing a password change and strong password policy is good

        because the only ones they are keeping out of the system are the users.

      • #3112589

        I disagree

        by watzman9 ·

        In reply to Enforcing a password change and strong password policy is good

        Mandatory password changes are a double-edged sword, and can decrease security. I have a couple of passwords that I use which are not words and that have both letters and numbers, and no one knows them and they are not written down (ANYWHERE). But faced with a “change it monthly” decree, I pick a word with the numbers 1 to 12 at the end and it gets written down. Security has not been enhanced, it has suffered. There is a strong argument that the password has been changed when I think that someone else might have discovered it, which is almost never since I never give it out to anyone, no one else knows it, and it’s not written down.

        • #3112488

          Make it even stronger

          by stephencairns ·

          In reply to I disagree

          Worked at a place that had a fixed size of password; it had to contain characters and numbers and could not contain more than 3 characters from the previous password. That would defeat your leading and ending number change. We used to phone the helpdesk every Monday to get our passwords reset because we’d changed them on Friday and could not remember them.

        • #3110798

          Way to keep same password

          by t_edwan ·

          In reply to Make it even stronger

          We had a stupid system that doesn’t let you change your password into any password that is the same as the last three passwords. To keep your password, change it 3 times into different passwords and after that change it to your old one; that always worked for me.

        • #3111689

          except if you put a minimum age

          by yannick ·

          In reply to Way to keep same passwod

          That way you won’t be able to change your password before whatever number of days has passed; usually one day is enough.
          Of course that does not solve the problem of users forgetting their passwords or writing them down. It all depends on which system you are protecting and what the risks are. Also you have to educate your users and give them tips on making easy-to-remember passwords. And of course let them understand why they need to have strong passwords.
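The three tricks and the two counters discussed in the replies above (stephencairns's "no more than 3 characters from the previous password", t_edwan's rotate-through-three-then-back, yannick's minimum age) fit in one password-change check. The following is an added example written for this thread, not code from any of the posters or from a real directory product; the hash parameters, the leet table, the similarity threshold and the sample passwords are all assumptions made for illustration.

```python
import difflib
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

DAY = 86_400  # seconds

# Reverse the usual digit/symbol substitutions so "Sc0rp10" reads as "scorpio".
# (Assumed table, chosen for the demo.)
LEET = str.maketrans("0134578@$!", "oieastbasi")


def letters_only(pw: str) -> str:
    """Drop every digit and symbol: 'rust8steel' and 'rust9steel' both become 'ruststeel'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def normalised(pw: str) -> str:
    """Lower-case and undo leet substitutions before a fuzzy comparison."""
    return pw.lower().translate(LEET)


def too_similar(old: str, new: str, ratio: float = 0.8) -> bool:
    """True when only the digits/symbols changed, or the normalised forms nearly match."""
    if letters_only(old) == letters_only(new):
        return True
    return difflib.SequenceMatcher(None, normalised(old), normalised(new)).ratio() >= ratio


def hash_pw(pw: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest last
    last_change: float = 0.0                     # POSIX timestamp of the last change


@dataclass
class Policy:
    min_length: int = 8
    history_depth: int = 3      # hashes remembered, the current password included
    min_age_days: float = 1.0   # no further change allowed within this many days

    def record(self, acct: Account, pw: str, now: float) -> None:
        """Store a new salted hash and start the minimum-age clock."""
        salt = os.urandom(16)
        acct.history.append((salt, hash_pw(pw, salt)))
        acct.last_change = now

    def change(self, acct: Account, old_pw: str, new_pw: str, now: float):
        """Return (accepted, reason). `now` is passed in so the checks can be tested."""
        salt, current = acct.history[-1]
        if not hmac.compare_digest(hash_pw(old_pw, salt), current):
            return False, "current password incorrect"
        if now - acct.last_change < self.min_age_days * DAY:
            return False, "minimum password age not reached"
        if len(new_pw) < self.min_length:
            return False, "too short"
        for s, h in acct.history[-self.history_depth:]:
            if hmac.compare_digest(hash_pw(new_pw, s), h):
                return False, f"matches one of the last {self.history_depth} passwords"
        # The old password is in hand at change time, so it can be compared in clear.
        if too_similar(old_pw, new_pw):
            return False, "too similar to the previous password"
        self.record(acct, new_pw, now)
        return True, "ok"
```

With the defaults (history of 3, one-day minimum age) the rotate-back trick still works, it just takes four days instead of four minutes; only a deeper history (Windows allows up to 24) actually closes it. The similarity check is the one thing that needs the previous password in clear, which is why it can only run at change time and never against the stored hashes.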

        • #3113360

          Research Data

          by scminter ·

          In reply to except if you put a minimum age

          Does anyone know of any research into the effect of password policies on security?

          This all seems to be pretty much a guessing game. Everyone agrees that if you make the users change their password too often (such as hourly), security will not be enhanced but rather lessened. If you never have them change the password, security is not enhanced. Where is the sweet spot?

          I have never seen research to support the number of days that increase security without overburdening the users…have you?

        • #3113275

          yeah and…

          by Anonymous ·

          In reply to Research Data

          Has anyone heard of a breach that was in fact due to password guessing? This seems to get all the attention, but all the attacks that I am aware of were social engineering based, and as such, password strength doesn’t matter one iota.

        • #3113268

          Research on policies affecting security

          by dbmarts ·

          In reply to Research Data

          Some years ago I recall seeing a study from either a major vendor (maybe IBM?) or one of the big IT consulting shops that discussed in depth the effect on security of overly stringent password policies. It addressed many of the topics in this discussion, including the increased temptation to write down passwords when they have to be changed too often and the repeat restriction is too high.

          Has anyone else out there seen that study or have a link to something comparable that is available to help justify policies that have the right balance?

        • #3113261

          math problem…mostly….

          by Anonymous ·

          In reply to Research Data

          Actually, I put together a spreadsheet to help evaluate password risk, and the effects of various changes (max age, min length, lockout threshold, lockout duration).

          I also tried to factor in the basic social engineering factor that the majority of passwords are going to be a dictionary word (or words) of appropriate length, with or without complexity. I am sure there are areas where it could be improved to provide more accurate results.

          Anyway, playing around with the numbers, if you account for the above-mentioned social engineering factor, a complex password is only better than an all-lowercase password of the same length by a factor of 10. Decreasing max age from 90 to 30 days is only a single order of magnitude as well. If you really want to strengthen your passwords, increasing the length is what really helps (i.e. going from 8 to 10 characters is roughly 3 orders of magnitude stronger).
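The spreadsheet described above is not attached, so here is an added example (mine, not the poster's spreadsheet) that reproduces the same arithmetic: keyspace by length and alphabet, a crude "word plus tweaks" model for the social-engineering factor, and the number of online guesses an attacker gets against one account before the password expires under a given lockout policy. The dictionary size, variant count and lockout figures are assumptions for illustration, not measured data.

```python
import math

# Character-set sizes (assumed for the comparison).
LOWER = 26            # a-z
FULL = 95             # printable ASCII

# Assumed model of what most users actually pick: a word with a few tweaks.
DICT_WORDS = 50_000   # entries in a cracker's word list
LEET_VARIANTS = 10    # o->0, i->1, capitalised first letter, ...
DIGIT_SUFFIXES = 100  # 00-99 appended


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must cover for a truly random password."""
    return alphabet ** length


def dictionary_space(words: int = DICT_WORDS, variants: int = LEET_VARIANTS,
                     suffixes: int = DIGIT_SUFFIXES) -> int:
    """Effective space when passwords are a word plus substitutions plus a number."""
    return words * variants * suffixes


def orders_of_magnitude(bigger: float, smaller: float) -> float:
    """How many powers of ten separate two search spaces (or guess budgets)."""
    return math.log10(bigger / smaller)


def online_guesses(max_age_days: float, lockout_threshold: int, lockout_minutes: float) -> float:
    """Guesses one attacker can fire at a single account before the password expires,
    when the account locks for `lockout_minutes` after `lockout_threshold` failures."""
    per_day = lockout_threshold * (24 * 60 / lockout_minutes)
    return per_day * max_age_days


def expected_fraction_searched(max_age_days: float, lockout_threshold: int,
                               lockout_minutes: float, space: int) -> float:
    """Share of the space an online guesser covers within one password lifetime."""
    return min(1.0, online_guesses(max_age_days, lockout_threshold, lockout_minutes) / space)


def compare_policies(max_age_days: float = 30, lockout_threshold: int = 5,
                     lockout_minutes: float = 30):
    """Rows of (label, search space, fraction searched before expiry)."""
    cases = [
        ("8 lower-case", keyspace(8, LOWER)),
        ("8 full ASCII", keyspace(8, FULL)),
        ("10 lower-case", keyspace(10, LOWER)),
        ("14 full ASCII", keyspace(14, FULL)),
        ("word+tweaks model", dictionary_space()),
    ]
    return [(label, space,
             expected_fraction_searched(max_age_days, lockout_threshold, lockout_minutes, space))
            for label, space in cases]


if __name__ == "__main__":
    for label, space, frac in compare_policies():
        print(f"{label:18} space=10^{math.log10(space):5.2f}  searched in 30 days={frac:.2e}")
    print("90 -> 30 day max age cuts the guess budget by",
          f"{orders_of_magnitude(online_guesses(90, 5, 30), online_guesses(30, 5, 30)):.2f} orders")
    print("8 -> 10 characters (lower-case) adds",
          f"{orders_of_magnitude(keyspace(10, LOWER), keyspace(8, LOWER)):.2f} orders")
```

Two things fall out of the numbers: cutting max age from 90 to 30 days removes a factor of three from the online attacker's budget (under half an order of magnitude), while two extra characters add nearly three orders; and against an offline hash dump none of the max-age arithmetic applies, since the attacker is not rate-limited by lockout at all.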

      • #3111879

        I agree

        by markinct ·

        In reply to Enforcing a password change and strong password policy is good

        Overly strict password aging and retention policies all but force users to write their passwords down somewhere. Use of Active Directory/LDAP would help, but too often the AD policy doesn’t match the requirements on the Unix machines or mainframes. In our organization security is driven not only by our decision making but several other organizations to whom we are beholden… {sigh}

        • #3111760

          An administrator knows when he/she has reached perfection

          by mjwx ·

          In reply to I agree

          when they can make a system management proof.

      • #3113170

        Great passwordpolicy = don’t change password!

        by dajomu1 ·

        In reply to Enforcing a password change and strong password policy is good

        At work I need to fulfil 3 out of 4 criteria:
        1. 8-character length
        2. At least 1 capital letter
        3. At least one number
        4. At least one special character like “.” or “?”

        This seems very stupid to me. No one will have the time to hack my computer password anyway if they are in the building. And if they got in (physically) they only need to boot from a live CD and copy the entire hard drive.
        Hackers usually tend to come in from the outside through the wire and then it is not my password they hack, but they exploit weaknesses on the servers and firewalls.
        Keep it simple with ONE password!

        • #3111497

          HIPAA Policy

          by rouschkateer ·

          In reply to Great passwordpolicy = don’t change password!

          That short and sweet answer will only work for companies that do not have to adhere to strict government HIPAA regulations about PHI.

        • #3168659

          All well and fine …

          by wayne_phillips ·

          In reply to Great passwordpolicy = don’t change password!

          … but most corporate offices provide remote access through tunnelling software such as VPN. This allows their remote users (via desktops) or travelling users (via laptops) to gain access to their corporate network just as if they were in the office.

          At this point your comments are moot since stolen hardware or unauthorized use from home could theoretically allow all system access security to be compromised. At the end of the day it is really dependent upon what motivation there is for breaching security.

          If it is opportunistic then stolen hardware can be compromised in the time it takes to reset BIOS passwords (less than a few minutes) and reset administration passwords by booting from CD software such as Disk Commander (less than a minute), allowing possible personal data to be stolen. No amount of password control policy can prevent this.

          If on the other hand the motivations are more sinister such as corporate DOS attacks, corporate espionage, or corporate / personal theft then password policies on their own are not enough. They should be just one aspect of a wider security strategy.

      • #3113083

        Simple Solution

        by spin2nz ·

        In reply to Enforcing a password change and strong password policy is good

        First…I admit that I have not read thru all the replies to this thread so if I repeat what someone has already said, here it is again.

        In regards to the original post: if the morons in control of the company are so anal retentive about impossible passwords for what could be legitimate security concerns, then why not make it simple and foolproof by going to biometric passwords, and start using fingerprint or retina scans??

        nuff said !!!

        • #3113435

          But are they foolproof?

          by lodestone ·

          In reply to Simple Solution

          The fingerprint password system where I work can’t even tell my fingers apart. It asks for my middle finger and I always give in my index finger. (It actually scans properly more often that way!)


    • #3269404

      I feel your pain

      by j.lupo ·

      In reply to Dumb idea

      The company I am at right now (contract) is in a merger and the primary company has a 30 day policy on passwords, at least 8 characters with two numbers somewhere in the middle but not together, and it remembers the last 16 passwords so you can’t rotate them. The acquired company had a 90 day policy and your passwords could be pretty much whatever as long as they contained 1 number and were at least 6 characters.

      • #3142779

        Haha
        by zlitocook ·

        In reply to I feel your pain

        The help desk calls have tripled.

        • #3164056

          They automated the

          by j.lupo ·

          In reply to Haha

          password feature with a web interface so that you can reset your own passwords if you forget them. However, every request goes through information security so if you are changing them too frequently…

        • #3163983

          One small problem …

          by the ref ·

          In reply to They automated the

          Support> “Welcome to support, how can I help you?”
          User> “I can’t log in.”
          Support> “Why can’t you log in?”
          User> “I forgot my password.”
          Support> “Well, request a password change.”
          User> “That’s what I want you to do.”
          Support> “You have to request a change through the web interface.”
          User> “How do I do that?”
          Support> “Just go to the Intranet and click New Password Request.”
          User> “How do I do that if I can’t log in?”

        • #3163972

          I know

          by j.lupo ·

          In reply to One small problem …

          We were laughing over that too. However, their policy says that you can call if you can’t get into your ’puter at all; otherwise use the website. I thought I mentioned we have lots of systems we log into, not just the ’puters.

        • #3113327

          GINA replacement.

          by jeff.smith ·

          In reply to One small problem …

          There are replacements for GINA (the login process) that will automate password resets. Usually the user is required to answer a personalized question (What is your favorite color? Pet’s name? Mother’s maiden name?) and at least one other question like social security number or employee number.

    • #3269310

      One suggestion…

      by justin james ·

      In reply to Dumb idea

      … would be to ban the use of Post-it notes in your office, because I am sure that everyone in your company will be sticking their passwords to their monitors. All joking aside, that is the harvest you reap from a bad policy like that (I know that you didn’t write it, but you’re the one stuck cleaning up the mess). Show the “powers that be” some numbers about how password policies like that make your business LESS secure and cost them $$$ (constant calls to the Help Desk for password resets) and you’ll hopefully be able to make some changes, plus make your value to the company clear.


      • #3270295


        by mjwx ·

        In reply to One suggestion…

        don’t be daft man, the IT documentation system would fall apart. 🙂

    • #3270517

      Passwords are ultimately self-defeating and a dumb implementation

      by ivory ·

      In reply to Dumb idea

      Passwords have become far too prevalent. I needed to create a password just to post this reply. IT workers routinely have to deal with half a dozen passwords or more, sometimes with varying requirements. Who can remember the dozen or so passwords in the first place? Then we have to deal with changing our passwords. Ultimately, password enforcement leads people into doing whatever they can to simplify their lives, which means either writing down passwords or making all passwords the same, both of which completely defeat the purpose of the password to begin with.

      The concept of one password is a good concept. I’m not sure it will ever truly work unless we get personal encryption keys, but then we need to worry about losing, replacing, or dealing with the personal infringement of having them surgically attached to us like dog licenses are placed under their skin.

      Passwords are being used as a means of identification. The only thing worse than making us remember so many passwords, is the other stupid idea, using phone numbers to identify people.

      • #3142777

        They are looking at

        by zlitocook ·

        In reply to Passwords are ultimately self-defeating and a dumb implementation

        Using tokens for accessing computers. I told them that is a bad idea too, because most people have trouble finding the alarm clock in the morning, let alone a little device that can be as small as a key. And if they come to work without it they cannot use their computers.

        • #3163975

          Not that bad

          by the ref ·

          In reply to They are looking at

          I use a token at work. If you forget it there is a series of questions you have preconfigured to get you access. This is a nuisance but very secure.

          The token will remember all your passwords (stored securely on the token) so you only need the token and one password.

        • #3112517

          No this is

          by zlitocook ·

          In reply to Not that bad

          An electronic token; it only works if you’re close to the computer. If you get up and walk away your computer locks and will not unlock until you are close again. But you still need a password to use the computer.
          I can see someone using an icebox magnet to keep it close to the computer 🙂

        • #3112695

          USB Token

          by too old for it ·

          In reply to They are looking at

          Used to contract at a place that implemented a USB token. Plug it in, type in the number in the LCD screen, go to work.

        • #3112511

          Good idea and if its lost or stolen :p

          by deadly ernest ·

          In reply to USB Token

          oops, instant access.

      • #3110943

        Passwords are no-brainers!

        by tech_ed9 ·

        In reply to Passwords are ultimately self-defeating and a dumb implementation

        I can’t understand why people have such problems with passwords in a corporate environment!
        If people are calling the helpdesk and accessing websites and such for passwords, then the simple solution to this is some kind of password archive device.
        We use Aladdin’s etoken for this:
        It stores not only passwords to machine logins, but also logins to websites and personal certs (PFX files).
        My only gripe is that the memory is very small… I’ve already filled up mine, and have to delete unused passwords if I want to add more.
        But there are software-based password archive applications that work with any USB drive…
        I don’t memorize any passwords except for the one password to my etoken… This password stuff shouldn’t be a problem… technology, people… use it!

    • #3163984

      When non-techs run the network

      by jdclyde ·

      In reply to Dumb idea

      it will not run.

      You need to explain to these quite obviously thought challenged people the short-comings of frequent changes of passwords. There are many write ups all over the net that talk about what the end user will do in order to remember their passwords.

      Also, explain that they had better put another person full time on password reset duty, as they are going to be swamped. To protest this draconic rule, there are some that don’t even try to remember their password for more than a few days.

      I do not envy you. You have been put in a horrible position.

    • #3163863

      Just be creative

      by scifiman ·

      In reply to Dumb idea

      We do something similar and it isn’t that hard. You just have to explain to people that they have to be a bit more creative. The passwords can still be easy to remember.
      burger2go4bi!! (burger to go for bill)
      jadei$gr33nt00 (jade is green too)
      ….or whatever combo you want with symbol and number substitutions. And they have another 30 days to think up a new one that’s long but easy. You can include common words because they aren’t a singular password. Even something simple like ‘rust8steel’ is pretty strong within a 30 day window. So is “chocolatemakesmehappysoismile”

      • #3111396

        But why make it difficult?

        by itpro17 ·

        In reply to Just be creative

        Windows XP, and most OSs and databases, and most applications will accept pass phrases as well as words or combination words as you suggest. For instance “Chocolate makes me happy so smile!” is perfectly acceptable and easier to remember. People who are good typists can do pass phrases such as “Now is the time!” faster than most people looking over their shoulder could follow as well.

    • #3112697

      You’re right

      by joshua1 ·

      In reply to Dumb idea

      You are right on, unless you work at NASA or the NSA or something. In the end, remember that it’s probably better to work at a company that overvalues security than one that undervalues it! 🙂

      If security needs are so tight that you need a 14-character strong pw on a 30-day rotation then it would seem like biometrics would be a consideration – i.e., fingerprint readers.

      When people lock themselves out, be sure you document how you’ll reset passwords. If the company is that concerned, then another concern would be that User A calls in pretending to be User B and asks to have the password reset.

    • #3112615

      Strong passwords are good but 30 day change

      by deadly ernest ·

      In reply to Dumb idea

      is stupid. People are people and all this will do is encourage them to write it down, or use something that can be easily found in the personnel jacket, or be constantly ringing the help desk for resets.

      Some years back I worked on a military base and the password policy changed from 6-monthly to monthly; the result was that 90% of the passwords became easily findable abusive phrases directed at the policy maker – bet you could guess what they were :p

      I know of one company that did a similar thing, and within a few months everyone’s password was changing every 28 days regular as clockwork. I laughed at the policy maker and showed them that all the people were doing was using the current astrological sign as their password; sure, many used alphanumeric replacements, but hey, there are just so many of those; you know, Aquar1us, Sc0rp10 type thing.

      With 14 characters you can get really imaginative like – 1T_1s_f0k_w1ts and similar type phrases; you watch, they’ll happen. And the next month’s will be I7_i5_fuk_wi75

    • #3112575

      Password Reset – Sane approach

      by projectdoc ·

      In reply to Dumb idea

      Requiring password resets is a good security policy – but one that breaks down quickly if applied without considering the human factors. Setting the interval to 35 days would barely increase the risk associated with password sharing – but it does make it possible for someone to mark their calendar on, say, the 1st of the month and take care of this.

      Being consistent with the reset policy is also something that few enterprises seem capable of. Single sign-on, biometrics are even better (and more secure) – Implantable RF-ID tags anyone?

      Duff Bailey, Kensico Group, LLC

    • #3112557

      SecurID, one time use passwords much better

      by ~doolittle~ ·

      In reply to Dumb idea

      We use RSA SecurID tokens and most of the users prefer that over simple passwords once they have used the system. One-time use is literal, if you authenticate you have to wait for the code to change to log in again – which is essentially a new password.

      There are a very select few that are dead set against it, not sure why but it really is a much better authentication method IMO.

      • #3111867


        by allisenw ·

        In reply to SecurID, one time use passwords much better

        Those were nice, except on the off chance your card became out of sync, lost, or the battery died, and it always happened at night or while traveling. Then you were up a creek. Oh, and some people really couldn’t type fast enough before the password changed on the screen. hehe

    • #3112555

      Password Policy

      by william.findlay ·

      In reply to Dumb idea

      Password policy is a must for almost any business nowadays and almost all (in my experience) have similar policies in place, even to the point of a 30-day password expiry, especially those that deal with sensitive data. The firm I work for has an almost identical policy to the one you’re describing, which, whilst it ensures that a record of your movements can be traced by big bro, does also protect you as an employee. The point I’m trying to make is that there are ways around having to think up a new password each month, by setting a password with numbers at the end or in the middle or anywhere, which each month are incremented. The main body of the password remains the same and also continues to meet your firm’s password policy. This also avoids having to write down the password and/or forgetting it.
      Unfortunately, I have to change 4 different passwords each month but have managed to get them pretty much in sync and committed to memory.

      If you need a password email me – one off special. 24 hour turnaround (this will allow for the time difference between receiving and thinking – I’m also in the UK).

    • #3112552


      by oz_media ·

      In reply to Dumb idea

      I always found it fun to use Post-it notes on all PC’s with full user names and passwords.

    • #3112528

      Password change a must

      by john freemont ·

      In reply to Dumb idea

      I agree that a 14-character password is getting a bit stringent, but the argument people make that having strong password policies is negated by people using other methods to record passwords and making them simpler because of the complexity to remember is a bit of a fallacy; they do it anyway no matter what the policy is. I currently work for an organisation that has no password policy outside of the fact that you need one 🙂 and people are still writing passwords down on post-its and making them simple, e.g. the name of their cat, but the organisation is now looking at bringing in a 90-day change policy for regular staff and a 30-day policy for higher security users, which is attracting the same sort of negativity. As far as I can see it is the only way of ensuring a password that may have made it into the wild has a half-life of 90 days. At the moment, there is none.

      In my opinion there are better security methods than using user-generated passwords these days (SecureID, biometric, token based) and these I am hoping will get explored further as a remedy to the password security vs usage dilemma.

      • #3113389

        Use Roboform?

        by wesb ·

        In reply to Password change a must

        I have found that using Roboform is a simple way of creating passwords to a fairly high level of security, I believe. The user needs to remember only a ‘master’ password, and Roboform will offer to generate a new password for any web form that you fill in. The free version allows up to 12 such passwords, while the registered version allows unlimited.

    • #3112512

      A high security alternative that I have seen

      by deadly ernest ·

      In reply to Dumb idea

      is for each member of staff to have a special password calculator with a fancy algorithm in it; the thing is preloaded with the program and time-synced by wireless on a regular basis. The user enters their logon ID and stores it, and they also enter their calculator password (which they change as they wish). After that, every time they log on they access their calculator and see what the fancy password for this 5-minute time slice is and enter that. The domain computer runs the ID and time through the same program and compares the answers. The device is wafer thin, about 3″ x 4″, and goes in the same plastic holder as the staff photo ID which they wear around their neck and is the same size.
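The "calculator" above and the SecurID tokens ~doolittle~ describes earlier ("if you authenticate you have to wait for the code to change to log in again") are the same mechanism: both sides keep a shared secret and a clock, and the code is a keyed hash of the logon ID and the current time slice. Here is an added example of that exchange, written for this thread rather than taken from RSA or from the device in the post; the 5-minute slice comes from the post, while the HMAC construction, the 6-digit truncation, the one-slice drift window and the PIN handling are my assumptions. The unsalted PIN hash is for brevity only; a real server would store PINs with a salted, slow KDF.

```python
import hashlib
import hmac
import struct

SLICE_SECONDS = 300   # the 5-minute time slice the post describes
DIGITS = 6


def slice_counter(now: float, slice_seconds: int = SLICE_SECONDS) -> int:
    """Which time slice a timestamp falls in; token and server derive it from their clocks."""
    return int(now // slice_seconds)


def code_for(secret: bytes, user_id: str, counter: int, digits: int = DIGITS) -> str:
    """Run the logon ID and time slice through an HMAC keyed with the device secret."""
    msg = user_id.encode() + struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 style)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Domain-side check: PIN (what you know) plus the slice code (what you have)."""

    def __init__(self, drift_slices: int = 1):
        self.users = {}             # user_id -> (device secret, PIN hash)
        self.last_counter = {}      # user_id -> highest slice already accepted
        self.drift = drift_slices   # slices of clock skew tolerated either way

    def enroll(self, user_id: str, secret: bytes, pin: str) -> None:
        self.users[user_id] = (secret, hashlib.sha256(pin.encode()).digest())

    def verify(self, user_id: str, pin: str, code: str, now: float) -> bool:
        if user_id not in self.users:
            return False
        secret, pin_hash = self.users[user_id]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return False                                      # "what you know" failed
        centre = slice_counter(now)
        for counter in range(centre - self.drift, centre + self.drift + 1):
            if hmac.compare_digest(code_for(secret, user_id, counter), code):
                if counter <= self.last_counter.get(user_id, -1):
                    return False                              # already used: wait for the next slice
                self.last_counter[user_id] = counter          # makes the code truly one-time
                return True
        return False
```

The `last_counter` bookkeeping is what turns a time-based code into a one-time code: a second logon with the same code inside the same slice is refused, exactly the behaviour described for SecurID. The drift window is the trade-off allisenw complains about: widen it and out-of-sync tokens keep working, but an observed code stays valid for longer.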

      • #3112066

        SecureID
        by jamesrl ·

        In reply to A high security alternative that I have seen

        Have used that as well. The system I used had both the changing number and a 4-digit PIN that could be memorized. Worked pretty well.


        • #3110949

          Three elements to security

          by fred mars ·

          In reply to SecureID

          Security can consist of three different elements:
          what you know (ID, password, PIN, etc.)
          what you have (key, token, SecureID card, etc.)
          what you are (biometrics, etc.)

          Most places now only have “what you know” while a small number have two of the three. The best security should be having all three.

          30 day password changes seem very silly to me for the general user population. Most places should have more security for most users if the passwords change on a 6 month to 1 year cycle. Administrator level accounts I can see having on a 30 to 90 day cycle as they are more trouble if they get out.

    • #3110763

      Job Requirement:

      by mikael8tha ·

      In reply to Dumb idea

      You must be able to maintain your Network Password….oh yeah, it must be 256 characters long and include exactly 9 special characters, 9 numbers….

    • #3111979

      30 Days Is Harsh

      by rouschkateer ·

      In reply to Dumb idea

      That said, a very brief background: my company is a nursing home. We have to adhere to HIPAA regulations. We force password changes every 90-ish days. You can’t repeat any of the last 24 passwords, must be at least 6 characters long, and have one special character and a number.

      Not too hard, right?

      So what is your company, and why the immensely inconvenient change?

      And if I find Post-It notes, I rip them up. If the user is there, even better. We DO NOT and CAN NOT tolerate password sharing, and the sheer stupidity of using Post-It Notes, or other little tricks, infuriates me.

      • #3111859

        Biometrics + Identity Management

        by rickharrison ·

        In reply to 30 Days Is Harsh

        Periodic changing of passwords is a necessary evil. Using biometric devices for authentication, in combination with some type of identity management, like Novell’s Identity Manager, eliminates many of the problems for the user (remembering complex passwords for multiple-platform applications, web, mainframe, network, etc.) and provides protection from hacking/cracking and brute force programs. USB fingerprint readers are available for $40-$60 which is very reasonable. Of course, most of the employees will want to use one particular finger to sign in…

        • #3113228

          biometrics not such a great idea…

          by Anonymous ·

          In reply to Biometrics + Identity Management

          Fingerprint scanners are worthless in dirty environments. I remember a bank tried to implement fingerprint scanners on ATMs in a mining town. The scanners were always gummed up with dirt and coal dust, and most of the guys had no readable print anyway.

          Face and voice recognition aren’t reliable enough. Retinal scanning is expensive, and doesn’t work on the blind or people with cataracts.

          And besides, I would much rather have someone hack my password, than hack off a limb or an eyeball, to break into my PC. (actually, virtually all current fingerprint devices can be fooled with a print lifter and gelatin).

    • #3111949

      phonetic for mnemonic

      by mindilator9 ·

      In reply to Dumb idea

      2600 mag had an article a couple of issues ago on generating phonetic passwords, that is, a completely random jumble of letters that can be pronounced. The author provided a PHP script that I use often; it works great. You can customize it for your organization by adding numerals where you want from any range you want. You could even use a subset of your users’ social security numbers if you have it in a database. Unfortunately it hasn’t been posted, so I’ll just c/p it here for you. Have fun.

      And a usage example:

        <?php
        include("Phonic64.php");            // the generator script from the article
        $salt = uniqid();                   // where salt is some random (or not) string
        $password = phonic_password($salt);

      you will get a different result each time you run the function.

      • #3113276

        Random pronounceable passwords

        by dbmarts ·

        In reply to phonetic for mneumonic

        Back in the ’70s, AT&T had a routine used by its AT&T Mail Service and included on its UNIX machines that generated 8-character random passwords that were nonsense but pronounceable, e.g. “podaluje”. You could memorize them by saying them to yourself half a dozen times. It worked so well that I still use four of them, with combinations of the usual variations like capitalizing the first or fourth syllable, replacing vowels with digits (o=0, i=1, e=3, etc.), or swapping the first four and last four characters. Thanks for posting a routine to reproduce that type of password!
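Neither the 2600 script referred to by mindilator9 nor the old AT&T routine is reproduced in this thread, so here is an added example of the same idea in Python (my own code, not the article's or AT&T's): random consonant-vowel syllables make a nonsense word you can say, and the helper functions apply the variations dbmarts lists (capitalising, vowel-to-digit, swapping halves). The letter sets, the 30% chance of a closing consonant and the digit mapping are assumptions chosen for the demo.

```python
import random
import secrets

CONSONANTS = "bcdfghjklmnprstvz"   # assumed set; letters that are easy to say in sequence
VOWELS = "aeiou"
CODAS = "lnrs"                      # consonants allowed to close a syllable


def phonetic_password(length: int = 8, rng=None) -> str:
    """Build consonant-vowel(-coda) syllables until `length` letters, then trim."""
    rng = rng or secrets.SystemRandom()      # CSPRNG unless a seeded generator is supplied
    word = ""
    while len(word) < length:
        syllable = rng.choice(CONSONANTS) + rng.choice(VOWELS)
        if rng.random() < 0.3:
            syllable += rng.choice(CODAS)
        word += syllable
    return word[:length]


def demo_passwords(seed: int, count: int = 5, length: int = 8) -> list:
    """Reproducible batch for demonstration only; real use keeps the default CSPRNG."""
    rng = random.Random(seed)
    return [phonetic_password(length, rng) for _ in range(count)]


def is_pronounceable(word: str) -> bool:
    """No two vowels in a row and never more than two consonants in a row."""
    run_c = run_v = 0
    for ch in word:
        if ch in VOWELS:
            run_v, run_c = run_v + 1, 0
        elif ch in CONSONANTS:
            run_c, run_v = run_c + 1, 0
        else:
            return False
        if run_v > 1 or run_c > 2:
            return False
    return True


# The variations dbmarts describes, applied to a memorised base word.
def vowels_to_digits(word: str) -> str:
    return word.translate(str.maketrans("oie", "013"))


def swap_halves(word: str) -> str:
    half = len(word) // 2
    return word[half:] + word[:half]


def capitalise_at(word: str, index: int) -> str:
    return word[:index] + word[index].upper() + word[index + 1:]


if __name__ == "__main__":
    base = phonetic_password()
    print(base, vowels_to_digits(base), swap_halves(base), capitalise_at(base, 0))
```

The price of pronounceability is entropy: each syllable is drawn from a few hundred possibilities rather than each letter from 26, so an 8-letter phonetic word is noticeably weaker than 8 uniformly random letters, and the digit and capitalisation variations are the usual first rules a cracker tries. It still beats the zodiac-sign pattern described elsewhere in this thread by a wide margin.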

    • #3111869

      Dumb Idea

      by crhead ·

      In reply to Dumb idea

      We also have the 35-day password change-out. I have found, though, a very quick and easy way to remember the password that works well: all you need do is change the number you have entered and it will be recognised as a new password. You only have to remember the main body of the one entered. Quick, easy and painless for us lower echelons of a computer network.

    • #3111860

      Yes, it’s a dumb idea

      by rmrf ·

      In reply to Dumb idea

      This is one of the areas where security fails to take into account ROI. Password changes impair productivity if done too often, or if the required passwords are too complex to remember.

      The crucial question NOBODY seems to ask is this: How often are systems compromised because the passwords are not changed often enough? I know reliable data like this is hard to find, but in my experience, compromises are far and away caused by flawed software (buffer overflows and the like), misconfiguration (no password or default passwords), etc.

    • #3111768

      Do they plan on doubling their help desk staff too? n/t

      by nighthawk808 ·

      In reply to Dumb idea


    • #3111756

      DNA testing

      by zlitocook ·

      In reply to Dumb idea

      Seems to be the best way for security log-on; so we all need to give a bit of ourselves for a secure network. We stop at a portal, put our hands into a scanner and a needle inserts itself into our fingers. This will identify us to the company and let us in.

      • #3113406

        Points to ponder

        by jevans4949 ·

        In reply to DNA testing

        Wouldn’t work if you had identical twins …

        Saliva test would be easier – all you need is a picture of the company president.

    • #3111702

      Dumb and Dumber

      by mejohnsn ·

      In reply to Dumb idea

      I know of a company that has an even dumber variation: require 30 day password change for Network password = Windows password, but change the rules for what is an acceptable password each time. Better yet, require different rules for the Oracle password, which also has to be changed every 30 days:-(

      • #3113403

        Problem with SecurID Tokens

        by james ·

        In reply to Dumb and Dumber

        The problem I have found with SecurID tokens is where users store/leave them. They have a laptop, and look what’s zip-tied to the mouse/power cord. Yep, the SecurID token. That now leaves a four-digit PIN to guess/crack. Might as well just have had a password to begin with.

    • #3113394

      Use Passphrases

      by jshenk ·

      In reply to Dumb idea

      A password length of 14 is almost enough to eliminate the weak LAN Manager passwords that can be cracked in minutes.

      Instead of idiotically complicated passwords, use a passphrase. Something like “My company is great, and uses long passwords.” meets all the requirements that you specified and it’s not too hard to remember. It also meets a requirement that you don’t (and should) have to avoid the LanMan hash vulnerability.

      • #3113309

        With those types of password policies…

        by ts.atomic ·

        In reply to Use Passphrases

        …you’ll likely wind up with passwords based on the date they last changed their password, something like:


        with a post-it note reminder of “15-Jan-2006”, which will be the only portion of the password that ever changes. It’s 14+ chars long with two upper, two lower, two numbers and two special and they’ll never have the same thing twice -AND- it will be consistently formatted which makes guessing it much easier…

        Bleh! Rock & hard-place problems…
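An added checker for the two points raised by jshenk and ts.atomic above; it is example code, not anything posted in this thread. It tests a candidate against the policy the original poster described (14 characters, one special character, two letters, one number), reports whether the candidate is long enough to avoid having an LM hash stored at all (Windows keeps an LM hash only for passwords of 14 characters or fewer, so 15 or more sidesteps the LanMan weakness), and flags the rotate-the-date habit ts.atomic describes. The date regex and the sample candidates, including the constructed "Pa$$word15-Jan-2006" standing in for the example that did not survive on the page, are this example's own.

```python
import re

# Patterns that betray a "rotate the date" password: 15-Jan-2006, 15/01/06, or a bare year.
DATE_RE = re.compile(
    r"\d{1,2}[-/.]?(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*[-/.]?\d{2,4}"
    r"|\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}"
    r"|(?:19|20)\d{2}",
    re.IGNORECASE,
)


def check_policy(pw, min_len=14, min_letters=2, min_digits=1, min_special=1):
    """Evaluate a candidate against the thread's policy plus two extra findings.

    Returns a dict of named findings; a candidate is acceptable when every
    value is True except date_pattern, which must be False.
    """
    letters = sum(ch.isalpha() for ch in pw)
    digits = sum(ch.isdigit() for ch in pw)
    special = sum(not ch.isalnum() for ch in pw)  # spaces and punctuation both count
    return {
        "length_ok": len(pw) >= min_len,
        "letters_ok": letters >= min_letters,
        "digits_ok": digits >= min_digits,
        "special_ok": special >= min_special,
        # Windows stores an LM hash only for passwords of 14 characters or fewer,
        # so 15+ characters means no LanMan hash exists to crack.
        "lm_safe": len(pw) > 14,
        # A date inside the password marks the rotate-the-date habit.
        "date_pattern": bool(DATE_RE.search(pw)),
    }


def acceptable(pw, **limits):
    """True only when every requirement holds and no date pattern is present."""
    findings = check_policy(pw, **limits)
    return all(v for k, v in findings.items() if k != "date_pattern") and not findings["date_pattern"]


if __name__ == "__main__":
    # Sample candidates (constructed for this example).
    for candidate in (
        "My company is great, and uses long passwords.",
        "Pa$$word15-Jan-2006",
        "My company uses 14+ char passwords.",
    ):
        print(f"{candidate!r}: {check_policy(candidate)}")
```

Run against jshenk's passphrase, the checker passes everything except the one-number rule, so a digit has to go somewhere in it to satisfy the policy as stated; the constructed date-suffixed candidate satisfies every count yet is rejected for the date, which is the failure mode ts.atomic predicts and the one a policy that only counts character classes cannot see.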

    • #3113386

      Dumb Question Time…

      by kurtofjankurt ·

      In reply to Dumb idea

      How much encryption is currently considered sufficient to protect content (think password-manager software)? Can the recurring password-change problem be overcome by such software, or are there other security issues with this approach?

    • #3113379

      Password Vault

      by rreichma ·

      In reply to Dumb idea

      Well, they could always implement some password vault software like my company has, in which we can keep all the various user names and PWs that we have to use. The software encrypts the data, and so the user has only one user name and PW which they can remember.

    • #3113355

      Clueless executives and managers

      by dr_zinj ·

      In reply to Dumb idea

      Password policies should be evidence-based.

      Is the system stand-alone, or internet linked? Long, complex, frequently changing passwords aren’t that necessary if you have 24/7 multiple security guards with computer nodes in locked windowless rooms in locked buildings behind razor-wire fences with intrusion detection and hidden claymore mines.

      How critical is the information on the systems?
      If the data or system isn’t a critical success factor for your organization, then strict security rules aren’t necessary. Of course that begs the question of why you have a computer system in the first place.

      Does the value of the information on the system decrease with time? If so, set up your security so that it’s not impossible to break into, just not possible to break into before the information is useless to the thieves.

      What are the costs to the organization if the system is compromised? If it means that terrorists can spot times to blow up a nuclear power station without getting caught, then you need very secure password policies (along with other authentication measures). If it means that someone can walk off with patient health information, then it could cost the organization $100 to $25,000 to $50,000 or more. Then you have to balance the annual costs of resetting passwords with the cost if the information is improperly accessed.

      Put it in dollars and cents to the policy makers. At least that way you have a REASON for the policy, and not some knee-jerk idea pulled out of the fat man’s buttocks.

    • #3113176

      sounds like someone …

      by dlmeyer9 ·

      In reply to Dumb idea

      It certainly sounds like someone is a living example of “a little information is a dangerous thing”.

      First … if you need 14 characters, call it a “pass-phrase” rather than “pass-word”.

      Nothing wrong with a 14-character pass-phrase, with at least
      – LC
      – UC
      – SC
      – number

      Changing it every 30 days is a horrid idea. 90 days, maybe; a year, certainly; 30 days? A self-defeating joke. Strong passwords – and the ones described above are only moderately strong, but more easily remembered than randomly generated ones – are an excellent idea; the strict time limit encourages risky behavior that compromises the password and does little to make the systems more secure.

      Have they at LEAST thought of denying ROOT/ADMIN access to all but Sys Admin personnel – and insisted that even the SAs use Admin accounts only for strict Admin purposes?

    • #3113168

      Now That Is A Really Dumb Idea

      by logos-systems ·

      In reply to Dumb idea

      Any company that has a 30-day password change policy will also have a policy that will TERMINATE ANY EMPLOYEE who leaves an unsecured password lying around. Also, companies that mandate such a password policy will also have a policy that will prevent you from re-using the password, say for 6 months or more. Most employees in such companies will re-use the same basic password and just change one or two characters in a set pattern.

    • #3111670

      On a sticker, under their keyboard

      by magictom ·

      In reply to Dumb idea

      I have done maintenance on PCs and networks in a large organisation for a while, and more than 70% of the users that have to change their password every so often are keeping their password written under their keyboard on a piece of paper or on a sticker.

    • #3111664

      The best idea

      by zlitocook ·

      In reply to Dumb idea

      Was to use very long passwords! I like the idea of people using a string of words, like ilikebigdogsatmyhouse or mysonisbetterthenyours. It is very hard to crack and is a good way to remember passwords for everyone.

    • #3111416

      Password Requirements

      by chuckmba ·

      In reply to Dumb idea

      In my organization, we have a NetWare password, Windows/AD, Mainframe, Service Center, Cisco, PeopleSoft, and several other vendor-related ones like AT&T and Verizon Business web pages. All of these have different requirements. Some are six characters and others are eight. Some are case sensitive and others not. Most are good for 45 days but one will not let you change it again for 5 days. Most save the last 8 passwords so you can’t repeat one that was used in the past year. One system requires that you change the password every 45 days but you can change it to the same password (in effect not changing it). One of our old mainframe systems required changing it every 30 days and could not have two like characters in a row. To solve my problem of remembering what I used in the past year, I store them in my Palm device in a program called Smartlist To Go and it automatically tells me when the password needs to be changed.

      To make sure no one hacks the system, accounts are disabled if the wrong password is entered three or six times. I guess the data security folks feel someone could guess your password in 3 to 6 guesses. Theoretically, I think the odds would be against this happening.
