International Change Your Password Day
-
New polcy at work. Bigass password using uppers and lowers and numbers and "special". Not and/or...and. And can't be one used during the the previous 24 passwords. And has to be changed every 90 days. (That's what? 6 years?) I think the not-used-before nonsense came from secure commo. The bad guys could/would save all the datastreams you transmitted and bounce them against any passwords they captured or broke, hoping one would match eventually. (That's why old keys were a much bigger deal to lose than new ones.) However, I don't think any hackers out there are packet-capturing and saving forever in hopes we reuse a password someday. Certainly not on our freaking intranet. ;P
No dogs or cats are in the classroom. My Mu[sic] My Films My Windows Programs, etc.
GenJerDan wrote:
And can't be one used during the the previous 24 passwords. And has to be changed every 90 days. (That's what? 6 years?)
Just change your password 24 times in a row:
Password^1
Password^2
Password^3
...
Password^24
RealPassword$1:rolleyes:
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
Every frigging month is "International Change Your Password Day" at the office.
Watched code never compiles.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
Henry Minute wrote:
Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
I suspect that the villain, in this case, is the parenthetical latter case. I change my password in time with the national campaign to change the batteries in the household smoke detectors, held every November here in the Colonies. Since my smoke detectors are old and have no batteries, I don't change my passwords either. When I attended the launch event for Windows 2000 in Phoenix, one of the presenters who was responsible for the built-in security in the product recommended using something odd, but simple, and sticking to it. His was, "cantremember." Mine isn't that simple, but it's based on something very rare these days, plus a couple of modifiers for sites that have peculiar rules; very few people would think of trying the particular combination of characters that I use, though I find them very easy to remember. Changing it would be a major inconvenience, and might be expensive if I couldn't remember the password for various financial sites. I'm not inclined to do so, despite the risks.
Will Rogers never met me.
-
Naerling wrote:
Highest levels of management probably have their childrens name for passwords and never change them..
Not where I work. They use the same policy as everyone else. Passwords are required to be changed often and they are validated to be strong passwords.
Naerling wrote:
I just don't see the need to have a new password every two months. It's not like people are constantly trying to hack your every account (this may have sounded like an invitation, it's not!).
Err...yes they are. My company tracks penetration attempts and the trivial ones are in the tens if not hundreds every day.
Naerling wrote:
And doesn't it take something like a billion years to crack one?
Huh? A standard dictionary attack with weak password on an unsecured system can crack an account in probably a matter of minutes.
Naerling wrote:
I don't have anything to hide.
What does that have to do with anything?
jschell wrote:
Huh? A standard dictionary attack with weak password on an unsecured system can crack an account in probably a matter of minutes.
Was thinking of something else here... Anyway, if a hacker wanted to gain access to my email or computer or whatever and they could crack my password in mere minutes (and even mere hours wouldn't be a problem since I'm not changing my password for at least a couple of days) then what good does it do if I change it after two months? Either I DO notice they cracked my password and change it to something else immediatly (and they could probably crack it again pretty soon) or I don't notice they've cracked it and they got free access until I change my password and they'll have to crack it again (which only takes some minutes/hours). Anyway, once they've got my password and plant some malicious software on my machine changing passwords won't even help me anymore. I think if a hacker really wanted access to my system a password ain't gonna help, at least not a lot. I see a password more as a means to keep non-hackers out of my accounts.
jschell wrote:
What does that have to do with anything?
If I were the queen, president, prime-minister or some rich billionaire I could see why hackers would try to hack me. I'm just a dull average person, nothing to see here move along :) Of course I'm no security specialist, but having the same password for many years for each account does make life easier and if my password was retreived only twice in all my life (still can't figure out how or why) and that doesn't even have to do with changing it regularly then I just keep on keeping the same old password until someone finds out what it is again (which can still take many years) :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
} -
New polcy at work. Bigass password using uppers and lowers and numbers and "special". Not and/or...and. And can't be one used during the the previous 24 passwords. And has to be changed every 90 days. (That's what? 6 years?) I think the not-used-before nonsense came from secure commo. The bad guys could/would save all the datastreams you transmitted and bounce them against any passwords they captured or broke, hoping one would match eventually. (That's why old keys were a much bigger deal to lose than new ones.) However, I don't think any hackers out there are packet-capturing and saving forever in hopes we reuse a password someday. Certainly not on our freaking intranet. ;P
No dogs or cats are in the classroom. My Mu[sic] My Films My Windows Programs, etc.
So you now got memo's with people's passwords who can't remember them all around the office? :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
} -
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
How true!
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
Henry Minute wrote:
making sure that the highest levels of management knew why
Highest levels of management probably have their childrens name for passwords and never change them... I don't even think they'd know what you're talking about :laugh: I just don't see the need to have a new password every two months. It's not like people are constantly trying to hack your every account (this may have sounded like an invitation, it's not!). It's just very inconvenient for me, remembering all those passwords (and I have forgotten a few)... Besides, what could evil-doers do with my old password that they couldn't do with my new one? And doesn't it take something like a billion years to crack one? My guess is that if hackers get my password they don't need two months to get it and so if they do I'm always to late with changing it, wether I change it once a year or once a month... Guess I'm just not very paranoid or I don't have anything to hide. I must say someone gained access to my MSN account and to my World of Warcraft account once (two seperate incidents with I think very different passwords). Very nasty business. Changed my password after both incidents. In case of WoW I had my account about three months and I'm very sure changing my password after two months wouldn't have made a difference. I installed a keyscrambler after that :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}Naerling wrote:
I just don't see the need to have a new password every two months.
For your private (i.e. domestic) logins, your choice. For work related matters if the company has a policy for these sort of things then conformance is probably part of your contract of employment. Stamping your foot and screaming "shan't" or even holding your breath until you turn blue just don't cut it. :) The fact that you don't see the need has no bearing whatever. There are in all probability many company policies that you don't see the need for but the fact remains that it ain't up to you. As I said before, if I was the admin you'd be gone.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
Naerling wrote:
I just don't see the need to have a new password every two months.
For your private (i.e. domestic) logins, your choice. For work related matters if the company has a policy for these sort of things then conformance is probably part of your contract of employment. Stamping your foot and screaming "shan't" or even holding your breath until you turn blue just don't cut it. :) The fact that you don't see the need has no bearing whatever. There are in all probability many company policies that you don't see the need for but the fact remains that it ain't up to you. As I said before, if I was the admin you'd be gone.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
You're absolutely right. The boss makes the rules, but who am I to not question them? ;) In this case I was completely surprised by the fact that I had to change my password, no one told me and it was a new policy. So I went to my boss and told him what I told you, that I'd have to write it down which is even more unsecure. Besides we're a small company with only three or four employees at the time in a small village with no competition. Changing passwords every two months is just a pain in the arse and my boss agreed rather quickly. At a bigger company I would probably abide by the rules (although not before raising some hell about it, and only if I didn't agree to it earlier of course). I don't simply do anything because someone tells me to, even if it's my boss. I'm not all bad though. If I see something in the company or our product could be improved I come up with idea's and share them with my employer who can then take action or not (and my input is appreciated, since I do have good idea's at times). So the whole smartass attitude goes go two ways, sometimes in favour, and sometimes not in favour, for my employers (in contrast to colleagues who 'just' do their work) :) You wouldn't want only employees like me, but I think every company needs a few ;)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
} -
You're absolutely right. The boss makes the rules, but who am I to not question them? ;) In this case I was completely surprised by the fact that I had to change my password, no one told me and it was a new policy. So I went to my boss and told him what I told you, that I'd have to write it down which is even more unsecure. Besides we're a small company with only three or four employees at the time in a small village with no competition. Changing passwords every two months is just a pain in the arse and my boss agreed rather quickly. At a bigger company I would probably abide by the rules (although not before raising some hell about it, and only if I didn't agree to it earlier of course). I don't simply do anything because someone tells me to, even if it's my boss. I'm not all bad though. If I see something in the company or our product could be improved I come up with idea's and share them with my employer who can then take action or not (and my input is appreciated, since I do have good idea's at times). So the whole smartass attitude goes go two ways, sometimes in favour, and sometimes not in favour, for my employers (in contrast to colleagues who 'just' do their work) :) You wouldn't want only employees like me, but I think every company needs a few ;)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}Wow, I'm speechless. I hope you're proud of the fact that this childish attitude has probably made your company fail to comply with data protection law in the country you are based in. Which rock have you been hiding to be so unaware of security issues over the last few years? I'm with Henry here, with that attitude, either you'd go or me. If it was me, I'd then sue for constructive dismissal.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
I would have thought that having a specific day for everyone to change their passwords would be more of a security risk. Surely the chance of any given password being being intercepted and / or hacked is higher if the probability of any given data transfer being a password is above average?
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
GenJerDan wrote:
And can't be one used during the the previous 24 passwords. And has to be changed every 90 days. (That's what? 6 years?)
Just change your password 24 times in a row:
Password^1
Password^2
Password^3
...
Password^24
RealPassword$1:rolleyes:
On top of the above rules, our SAP system also requires that a new password is signifcantly different from all the previous ones. Of course, after three failed tries on logging in you're locked out as well, so the whole pain you're going through to create the illusion of a strong password is totally in vain... X|
-
Note to self: monitor HTTP and SMTP traffic on February 1st to gather lots and lots of new passwords.
I've considered that too: hackers would rejoice and focus their efforts on that particular day - no better cance to get some real valuable data, and it likely won't be changed for a year! Now they can even put a 'best before end' stamp on it before selling them! At least in theory - I have no idea if hackers could really gain a benefit from such knowledge, but I suspect on certain types of password systems it might in fact be possible. For that reason alone the idea sounds flawed.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
I'd prefer a ICYPSD - 'international change your password system day'. Current password systems are so flawed, it's not funny anymore. All they achive is make it harder for users to remember their passwords, and easier for computers to guess, because they (the PW systems) effectively force them (i. e. the users) to either write them (the passwords) down, or choose ones that can be easily broken, or both. To add insult to injury, many of those stupid systems not only force you to repeatedly choose new, difficult to remember passwords, but they'll also lock you out after three unsuccessful tries. Why do we have to jump through hoops in an effort to create the illusion* of a safe password, when no password cracking system ever gets a reasonable chance to try them out? Even if a hacker considered trying to log into a million accounts, it shouldn't take more than a few hundred failed tries for the system to realize there is something seriously amiss. It definitely should not require any of those other stupid enforced rules, except PW length. *: Why I said 'illusion': http://xkcd.com/936/[^]
-
what's a password?
"People who bite the hand that feeds them usually lick the boot that kicks them." Eric Hoffer "The failure mode of 'clever' is 'asshole'" John Scalzi "Only buzzards feed on their friends" Patrick Dorinson
-
I've considered that too: hackers would rejoice and focus their efforts on that particular day - no better cance to get some real valuable data, and it likely won't be changed for a year! Now they can even put a 'best before end' stamp on it before selling them! At least in theory - I have no idea if hackers could really gain a benefit from such knowledge, but I suspect on certain types of password systems it might in fact be possible. For that reason alone the idea sounds flawed.
If you put onerous password requirements on people, you'll just increase the incidence of people simply writing them down. Users that have trouble typing normal text aren't going to be keen to have to type in some long bit of gibberish every time they have to login.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
Using the same password is OK until you go to one of those stupid blog sites that require you to use your FaceBook / OpenID / LiveID / GoogleMail credentials just to make a comment when you have no idea how secure the site is. I thought that I was fairly safe until the day I got an email that was addressed to 'Dear ********' (where ******** was the password that I had used all over the place). If you're going to skim passwords and send phishing letters, you could at least have the sense to not use the password as the recipient's name - that is a dead giveaway. Besides, when company's insist on complicated passwords (e.g. at least one capital letter, one lowercase letter, one digit, one 'special char), what do people do? They capitalise the first letter and append 1! to the end. No more secure than before. We have an application that decided to double the password length. What did everyone do? Wrote the old password twice (except for one person who had a 1/2 length password that he was already writing twice - he just wrote that 4 times). And when passwords expire at different frequencies, you dedicate one day every min password change frequency to update the lot. And if this is monthly, you can virtually guarantee that the month will be encoded in the password somewhere. Why do we still have passwords? They were debunked in the 1960s as insecure. They are no better than the old miltary "Halt! Who goes there? Friend or Foe?" as long as you answer "Friend" you are in.
-
Henry Minute wrote:
What do you think?
I think it should be Feb. 29th. ;) Marc
My Blog
An Agile walk on the wild side with Relationship Oriented Programming
Melody's Amazon Herb SiteMarc Clifton wrote:
I think it should be Feb. 29th
Agreed - but only on century years (so, after 2000, the next password change day will be Feb 29th 2400). This will give me enough time to memorise my password and to get it right before it needs changing again.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
on a daily basis it will exercise your brain's right hemisphere
--------- Antonio
