Your password expires in 25 days...

  • Rage

    ... would you like to change it immediately [yes][no] ? :omg: What a silly reminder ?! Why would I want to change my password if I can still keep it 25 days ? This means to me that my password already expired, I don't want to get reminded every day that my password is going to expire soon. Stupid IT policies... X|

    I'm waiting for Windows Feng Shui, where you have to re-arrange your icons in a manner which best enables your application to run. Richard Jones www.immo-brasseurs.com

    Vincent Curry wrote (#6):

    I am often left wondering why passwords have to be changed at all. I can't see how it provides additional security... the best answer I could find was that a back of the envelope calculation back in the 60s showed that a brute force attack would crack a password within 30 days (OK missing details here, couldn't find the details through Google...). It would appear that this is a, "Well, we've always done it like this," policy.

    Vincent www.pub-olympics.com

    • Zhat

      And I bet they make you change it every 30 days... :laugh:

      John M Drescher wrote (#7):

      When my company started crap like that I put my password on an index card on my desk. There is no way I can change my password every 30 days. Don't they know I have 100 other Internet accounts? [EDIT]On top of that the password change worked only 30% of the time. The other 70% rendered users locked out of the system because of the 5 bad password rule. [/EDIT]

      John

        vaghelabhavesh wrote (#8):

        Vincent Curry wrote:

        why passwords have to be changed at all

        The simple explanation given to me (by our system admin) for this is: Suppose Mr. Z who is an ex-employee, knows Mr. Y's password and can use Mr. Y's user name and password and can hack into his account. But if passwords are changed regularly, the possibility of user account is very less. :-)

          Vincent Curry wrote (#9):

          Well... firstly Mr. Y shouldn't have given Mr. Z his password in the first place. And if he did - then Mr. Z should change it straight away. Even if he has to change it regularly, then Mr. Z would have several days to access Mr. Y's account anyway! And... what's the betting that the change is simply incrementing a number by 1? PS - should have been clearer in my initial post that it was why passwords need to be changed on a regular basis... you would certainly need to change them if someone figured yours out!!!

          Vincent www.pub-olympics.com

            Yusuf wrote (#10):

            John M. Drescher wrote:

            When my company started crap like that I put my password on an index card on my desk.

            Why? In my last job IT claimed passwords should be unique every time you change it. Huh, unique? We used to change only the last digit: first set password to MyPa$$w0rd_01, next month MyPa$$w0rd_02, _03, _04...... Unique, huh ;P Disclaimer: Not real password, use it at your own risk.

            Yusuf

              John M Drescher wrote (#11):

              They made adding #s more difficult and you only get 5 wrong answers before having to phone the help desk. Now they stopped doing that but they require a more difficult password, at least we do not have to change it..

              John

                Dan Neely wrote (#12):

                Vincent Curry wrote:

                And... what's the betting that the change is simply incrementing a number by 1?

                Store the PW encrypted instead of hashed. Spotting that sort of cheating becomes trivial. Close one vulnerability, open a second....

                Today's lesson is brought to you by the word "niggardly". Remember kids, don't attribute to racism what can be explained by Scandinavian language roots. -- Robert Royall

                  Vincent Curry wrote (#13):

                  So... I guess you could have a password policy which says you're not allowed to increment your password by 1 every time... though that wouldn't consider the problems of the ex-employee being able to use the account for a few days anyway. [EDIT] Correcting the you're. I'm off to commit Seppuku

                  Vincent www.pub-olympics.com

                  modified on Friday, January 16, 2009 5:43 AM

                  • Dalek Dave

                    It reminds me of an old army rule, Never Be Late, Never Be Nearly Late! Nearly Late == On Time. :confused:

                    ------------------------------------ "The greatest tragedy in mankind's entire history may be the hijacking of morality by religion" Arthur C Clarke

                    PIEBALDconsult wrote (#14):

                    My rule is: "If I'm not early, I'm late."

                      Dan Neely wrote (#15):

                      A 25 day timer's nuts. But I strongly prefer advance notice so I can generate a new strong PW that is easily memorable over having to do something on the spot. Especially given the number of non LDAP logins I have to deal with, being able to plan when to spend 20 minutes doing a mass password change is so much more convenient.

                      Today's lesson is brought to you by the word "niggardly". Remember kids, don't attribute to racism what can be explained by Scandinavian language roots. -- Robert Royall

                        vaghelabhavesh wrote (#16):

                        Vincent Curry wrote:

                        you could have a password policy which says your not allowed to increment your password by 1

                        It is too bad but in our organization we have such a password policy because most of the users just increase their password by 1. e.g. test1, test2, test3....
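
The "no incrementing" policy discussed in this thread can be enforced while still keeping only salted hashes: at change time the new password is available in plaintext, so its counted-down variants can be hashed and compared against the stored history. This is an added example, not part of the thread or of any product named in it; the function names, the `lookback` parameter, the work factor and the sample history are all assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # illustrative PBKDF2 work factor (assumption)


def hash_password(password, salt=None):
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def counter_variants(new_password, lookback=3):
    """The new password plus every version with one digit run counted down."""
    variants = {new_password}
    for match in re.finditer(r"\d+", new_password):
        digits = match.group()
        head, tail = new_password[:match.start()], new_password[match.end():]
        for step in range(1, lookback + 1):
            value = int(digits) - step
            if value < 0:
                break
            # Try both zero-padded (_02 -> _01) and bare (test10 -> test9).
            variants.add(head + str(value).zfill(len(digits)) + tail)
            variants.add(head + str(value) + tail)
    return variants


def is_recycled(new_password, history, lookback=3):
    """True if the new password, or a counted-down variant, is in history."""
    for candidate in counter_variants(new_password, lookback):
        for salt, digest in history:
            if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
                return True
    return False


# Constructed sample history: only salts and digests are retained.
HISTORY = [hash_password("MyPa$$w0rd_01"), hash_password("MyPa$$w0rd_02")]

if __name__ == "__main__":
    for attempt in ("MyPa$$w0rd_03", "MyPa$$w0rd_02", "correct horse battery staple"):
        print(attempt, "->", "rejected" if is_recycled(attempt, HISTORY) else "accepted")
```

The check only catches counter bumps within `lookback` steps, and each candidate costs one hash computation per history entry.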

                          Chris Meech wrote (#17):

                          Forcing a regular password change on a regular basis is to deal with a situation in which your password has been obtained and is being used, but you are *not* aware of the use. Eventually when you are prompted to change and you do so, the old one will no longer work. Now depending upon how the original password was obtained, your new one may or may not be available. I'm not a big fan of the regular password change idea though. To me it's analogous to having your locks changed every month or quarter. I don't know of a single person who does that. :)

                          Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra]

                            Dan Neely wrote (#18):

                            I've no idea if mine does that. A series of my passwords look like gobbledygook to any human or machine that's not aware of my keying system and the seeds I use to initialize it. With that information however they're easy to remember and several can be generated in sequence such that knowing the current one will serve as a mnemonic to recall the old one.

                            Today's lesson is brought to you by the word "niggardly". Remember kids, don't attribute to racism what can be explained by Scandinavian language roots. -- Robert Royall
