International Change Your Password Day
-
GenJerDan wrote:
And can't be one used during the the previous 24 passwords. And has to be changed every 90 days. (That's what? 6 years?)
Just change your password 24 times in a row:
Password^1
Password^2
Password^3
...
Password^24
RealPassword$1:rolleyes:
On top of the above rules, our SAP system also requires that a new password is signifcantly different from all the previous ones. Of course, after three failed tries on logging in you're locked out as well, so the whole pain you're going through to create the illusion of a strong password is totally in vain... X|
-
Note to self: monitor HTTP and SMTP traffic on February 1st to gather lots and lots of new passwords.
I've considered that too: hackers would rejoice and focus their efforts on that particular day - no better cance to get some real valuable data, and it likely won't be changed for a year! Now they can even put a 'best before end' stamp on it before selling them! At least in theory - I have no idea if hackers could really gain a benefit from such knowledge, but I suspect on certain types of password systems it might in fact be possible. For that reason alone the idea sounds flawed.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
I'd prefer a ICYPSD - 'international change your password system day'. Current password systems are so flawed, it's not funny anymore. All they achive is make it harder for users to remember their passwords, and easier for computers to guess, because they (the PW systems) effectively force them (i. e. the users) to either write them (the passwords) down, or choose ones that can be easily broken, or both. To add insult to injury, many of those stupid systems not only force you to repeatedly choose new, difficult to remember passwords, but they'll also lock you out after three unsuccessful tries. Why do we have to jump through hoops in an effort to create the illusion* of a safe password, when no password cracking system ever gets a reasonable chance to try them out? Even if a hacker considered trying to log into a million accounts, it shouldn't take more than a few hundred failed tries for the system to realize there is something seriously amiss. It definitely should not require any of those other stupid enforced rules, except PW length. *: Why I said 'illusion': http://xkcd.com/936/[^]
-
what's a password?
"People who bite the hand that feeds them usually lick the boot that kicks them." Eric Hoffer "The failure mode of 'clever' is 'asshole'" John Scalzi "Only buzzards feed on their friends" Patrick Dorinson
-
I've considered that too: hackers would rejoice and focus their efforts on that particular day - no better cance to get some real valuable data, and it likely won't be changed for a year! Now they can even put a 'best before end' stamp on it before selling them! At least in theory - I have no idea if hackers could really gain a benefit from such knowledge, but I suspect on certain types of password systems it might in fact be possible. For that reason alone the idea sounds flawed.
If you put onerous password requirements on people, you'll just increase the incidence of people simply writing them down. Users that have trouble typing normal text aren't going to be keen to have to type in some long bit of gibberish every time they have to login.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
Using the same password is OK until you go to one of those stupid blog sites that require you to use your FaceBook / OpenID / LiveID / GoogleMail credentials just to make a comment when you have no idea how secure the site is. I thought that I was fairly safe until the day I got an email that was addressed to 'Dear ********' (where ******** was the password that I had used all over the place). If you're going to skim passwords and send phishing letters, you could at least have the sense to not use the password as the recipient's name - that is a dead giveaway. Besides, when company's insist on complicated passwords (e.g. at least one capital letter, one lowercase letter, one digit, one 'special char), what do people do? They capitalise the first letter and append 1! to the end. No more secure than before. We have an application that decided to double the password length. What did everyone do? Wrote the old password twice (except for one person who had a 1/2 length password that he was already writing twice - he just wrote that 4 times). And when passwords expire at different frequencies, you dedicate one day every min password change frequency to update the lot. And if this is monthly, you can virtually guarantee that the month will be encoded in the password somewhere. Why do we still have passwords? They were debunked in the 1960s as insecure. They are no better than the old miltary "Halt! Who goes there? Friend or Foe?" as long as you answer "Friend" you are in.
-
Henry Minute wrote:
What do you think?
I think it should be Feb. 29th. ;) Marc
My Blog
An Agile walk on the wild side with Relationship Oriented Programming
Melody's Amazon Herb SiteMarc Clifton wrote:
I think it should be Feb. 29th
Agreed - but only on century years (so, after 2000, the next password change day will be Feb 29th 2400). This will give me enough time to memorise my password and to get it right before it needs changing again.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
on a daily basis it will exercise your brain's right hemisphere
--------- Antonio
-
So you now got memo's with people's passwords who can't remember them all around the office? :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}In a slight irony, I had to change my password through the "lost password" procedure to login and post this (long time lurker). The problem with not changing your password, and having the same password (or two) in most places is profound. For example - if you had the same password for WoW and your online banking, I am sure even you can see how it would be an issue. That is just an obvious example. You use the fact that a simple dictionary password can be cracked in minutes as an excuse to not change it. You should have quite complex passwords that would in fact take months if not years to crack. The problem with this, of course, is that it is inconvenient. I would argue that there are fairly simple ways to create complex, yet memorable passwords. One I prefer is to take simple 3 word phrases (such as Crick Crack Monkey), and using letters from these words, interspaced with numbers and/or special characters, depending on the length and complexity requirements of the system. For example, Cr1Cr2Mo3 is one example, or Cr!1Cr@2Mo as another. All one has to do is remember the basic formula, and the three word phrase. Of course using a formula reduces the word-space the cracker has to search, but it is better than whole or half words or names typically used. Another advantage is that you can use the source of your phrase as your password reminder (for my Crick Crack Monkey example it would be Paul Keanes Douglas - the author of the poem). For a Beatles song such as "Every Little Things", the clue could be "Six Beatles for Sale" (the album the song came on, and track number). Now having said all this, I believe that passwords are still inadequate and inconvenient. We need a stronger, two way security system. Google's new challenge and answer system goes a long way towards this. Their system has a password, and then sends another token to you (via cellphone), which you must key in. Face recognition is also improving (and can be used on some phones). Things are also moving to single-sign-in, so you can connect to many other sites using either your facebook, twitter or google (or other) accounts. This is either more secure (if you use a strong password and secure system), because you will take the trouble to maintain a good password, or far far less - if you use a crummy password on your primary login.
-
I can barely remember my one password with about three flavours that I use for about every account I have anywhere... I'm actually trying to change any password that doesn't match my most used one to my most used one so I don't need 10 login attempts to log in. First thing I did when company policy forced me to change my password was raise some hell, because getting a new password creates the need to write it down which is much less secure than keeping the same password for just a bit longer. I got to keep my password :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}That's why I put all my passwords into my Gateway 2000 programmable keyboard ;P While that might not sound secure, each key can have ALT-CTRL-SHIFT prefixes, so you'd have to figure out which keys to press before you lock yourself out from the account. Not as easy as WarGames' printed list hidden somewhere or the password on the blackboard at school. But admittedly not too far behind. But the ultimate advantage is that I don't have to remember the passwords at all. :laugh:
Psychosis at 10 Film at 11 Those who do not remember the past, are doomed to repeat it. Those who do not remember the past, cannot build upon it.
-
Naerling wrote:
I got to keep my password
You wouldn't have if you worked anywhere that I was Systems Admin. If you point blank refused, either you'd have to go, or I would voluntarily go, making sure that the highest levels of management knew why. Sorry, but in this case it ain't big and it certainly ain't clever.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
Changing your password without a good reason is a mindless practice that has been passed down long ago and is no longer valid. It used to be that a hacker could download a password file and take days to decrypt it. If you changed your password during that time, you would have saved yourself some distress, but only if you changed it during that time, a window of a now unlikely opportunity that has gotten so small that regularly changing your password no longer helps that situation. Another reason to change your password is if you have given it to anyone or suspect that someone has read the note that you had to put it on, because some smart system admin has made unreasonable rules that you can't follow without writing it down. In that case, you should change your password right away, not wait for the scheduled time period to do it. There are only two rules that really apply to users these days: 1. Don't give it to anyone. 2. Make it a long multiple word phrase (more than 20 characters) that is easy for you to remember. And there are two rules for system administrators: 1. Never store the password in clear text or transmit it over email. 2. Allow long passwords and don't force arbitrary rules and restrictions about it.
-
:-D
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
you're going to love this..... where i work, every password is the same, all remote access to our clients, all admin accounts everything, and its an easy password. despite objections, pleas to change it, begging for a certificate it all got turned down. why do you ask? the owner does not want to have to worry about remembering passwords. and it gets better, they share that info with the clients, so one client can log into another client if they know the ip (not hard to figure out) and there is one recent case of one client stealing anothers data, and they cannot figure out how
-
If you put onerous password requirements on people, you'll just increase the incidence of people simply writing them down. Users that have trouble typing normal text aren't going to be keen to have to type in some long bit of gibberish every time they have to login.
The sad thing is, onerous password requirements not only led me to write down those particular passwords, but also to make a habit out of it for even those that I think I could (and should) easily memorize. Overall I'm afraid my password security standards severely deteriated because of that... :sigh:
-
Naerling wrote:
Highest levels of management probably have their childrens name for passwords and never change them..
Not where I work. They use the same policy as everyone else. Passwords are required to be changed often and they are validated to be strong passwords.
Naerling wrote:
I just don't see the need to have a new password every two months. It's not like people are constantly trying to hack your every account (this may have sounded like an invitation, it's not!).
Err...yes they are. My company tracks penetration attempts and the trivial ones are in the tens if not hundreds every day.
Naerling wrote:
And doesn't it take something like a billion years to crack one?
Huh? A standard dictionary attack with weak password on an unsecured system can crack an account in probably a matter of minutes.
Naerling wrote:
I don't have anything to hide.
What does that have to do with anything?
jschell wrote:
required to be changed often
This is about the most stupid thing a password system can do. What is it meant to achieve? If someone hacks your PW, he won't put it aside for a couple of days, let alone a month or more. And, hopefully, you'll notice it when the damage is done long before that one- or three-month period is over. If not, by the time you do your scheduled PW change, there's nothing left to bother securing. I don't know where the notion comes from that a password is more secure when it gets changed often. The only thing it really achieves is p****ing off users, and causing them to use easy to remember passwords, that are in turn rated 'weak' (but see below)
jschell wrote:
they are validated to be strong passwords
The problem with so called 'strong passwords' is that they are a misnomer, and in fact quite weak when you consider what they're set against: a hacker's powerful computer and clever algorithms built around exactly the same rules that PW strength checkers use, and humans' tendency to put as little effort as possible into following those rules. As a result, passwords generated under enforced PW strength rules (such as 'must have at least one special character') are hard to remember by humans but still easy to guess by computers.
-
Changing your password without a good reason is a mindless practice that has been passed down long ago and is no longer valid. It used to be that a hacker could download a password file and take days to decrypt it. If you changed your password during that time, you would have saved yourself some distress, but only if you changed it during that time, a window of a now unlikely opportunity that has gotten so small that regularly changing your password no longer helps that situation. Another reason to change your password is if you have given it to anyone or suspect that someone has read the note that you had to put it on, because some smart system admin has made unreasonable rules that you can't follow without writing it down. In that case, you should change your password right away, not wait for the scheduled time period to do it. There are only two rules that really apply to users these days: 1. Don't give it to anyone. 2. Make it a long multiple word phrase (more than 20 characters) that is easy for you to remember. And there are two rules for system administrators: 1. Never store the password in clear text or transmit it over email. 2. Allow long passwords and don't force arbitrary rules and restrictions about it.
I agree almost entirely with your comments about passwords. That was not where my problem with Naerling lay. Regardless of the pro's and con's of a company policy you comply with them. Only then do you institute whatever appropriate procedures there are to get them changed. You do not refuse to carry them out (unless someone will die or be seriously injured if you do). As I said earlier, if you did that anywhere I had authority, you would be on very dangerous ground.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
you're going to love this..... where i work, every password is the same, all remote access to our clients, all admin accounts everything, and its an easy password. despite objections, pleas to change it, begging for a certificate it all got turned down. why do you ask? the owner does not want to have to worry about remembering passwords. and it gets better, they share that info with the clients, so one client can log into another client if they know the ip (not hard to figure out) and there is one recent case of one client stealing anothers data, and they cannot figure out how
chodi wrote:
there is one recent case of one client stealing anothers data, and they cannot figure out how
And if you tell them how I did it, I'll send the boys round! Bwahahahahahahahaha!
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
Wow, I'm speechless. I hope you're proud of the fact that this childish attitude has probably made your company fail to comply with data protection law in the country you are based in. Which rock have you been hiding to be so unaware of security issues over the last few years? I'm with Henry here, with that attitude, either you'd go or me. If it was me, I'd then sue for constructive dismissal.
Rob Grainger wrote:
data protection law in the country you are based in
I don't think there is a law about how much you have to change you password :doh: If there was my boss would be a fool to comply with my 'demands' for keeping my old password.
Rob Grainger wrote:
Which rock have you been hiding to be so unaware of security issues over the last few years?
As far as I know none of those issues were about people that did not change their passwords... It was about passwords (no matter how often they were changed) that were stored unencrypted, were sent over an unsecured line, were shared with other people etc.
Rob Grainger wrote:
I'd then sue for constructive dismissal
Are you an American? GTA4 had a great joke about it on the radio "sue anyone for anything and you'll probably win!" Anyway, there was no need to sue me since I was on a six month contract and it would've ended pretty soon. There wasn't any money or honour to be made from sueing me either. Besides the fact that I sometimes disagree with people I did my job pretty well. Really, if my boss thought it absolutely necessary to change my password he would've said something like "Naerling (ok, he'd use my real name), I sense some frustration, but this is really for the best... Trust me ;)" And since my boss has a way with people I'd probably calm down a bit, say "ok" and leave the room disgruntled.
Rob Grainger wrote:
this childish attitude
My 'childish' attitude has been asked for, appreciated and rewarded quite a few times in the last year since it also involves studying hard, thinking of and sharing idea's, writing good software, and doing overtime when necessary. I respect and appreciate your opinion on passwords and changing them, but I think you just had a bad day and are taking it out on me (perhaps it was bad because someone somewhere didn't change their password?). By the way, I just read a post from someone claiming to be a hacker (good or evil, he didn't say) and he says changing passwords is just a silly habit passed down to generations. The post is somewhere in this topic, I might have twisted his words a bit, but you can look it up. You don't have to agree, but know that I am not alone ;)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWo -
Changing your password without a good reason is a mindless practice that has been passed down long ago and is no longer valid. It used to be that a hacker could download a password file and take days to decrypt it. If you changed your password during that time, you would have saved yourself some distress, but only if you changed it during that time, a window of a now unlikely opportunity that has gotten so small that regularly changing your password no longer helps that situation. Another reason to change your password is if you have given it to anyone or suspect that someone has read the note that you had to put it on, because some smart system admin has made unreasonable rules that you can't follow without writing it down. In that case, you should change your password right away, not wait for the scheduled time period to do it. There are only two rules that really apply to users these days: 1. Don't give it to anyone. 2. Make it a long multiple word phrase (more than 20 characters) that is easy for you to remember. And there are two rules for system administrators: 1. Never store the password in clear text or transmit it over email. 2. Allow long passwords and don't force arbitrary rules and restrictions about it.
Glad to hear it from someone who claims he knows what he's talking about! :) And though I am no expert on security I agree with you 100%!
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
} -
Henry Minute wrote:
making sure that the highest levels of management knew why
Highest levels of management probably have their childrens name for passwords and never change them... I don't even think they'd know what you're talking about :laugh: I just don't see the need to have a new password every two months. It's not like people are constantly trying to hack your every account (this may have sounded like an invitation, it's not!). It's just very inconvenient for me, remembering all those passwords (and I have forgotten a few)... Besides, what could evil-doers do with my old password that they couldn't do with my new one? And doesn't it take something like a billion years to crack one? My guess is that if hackers get my password they don't need two months to get it and so if they do I'm always to late with changing it, wether I change it once a year or once a month... Guess I'm just not very paranoid or I don't have anything to hide. I must say someone gained access to my MSN account and to my World of Warcraft account once (two seperate incidents with I think very different passwords). Very nasty business. Changed my password after both incidents. In case of WoW I had my account about three months and I'm very sure changing my password after two months wouldn't have made a difference. I installed a keyscrambler after that :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}Naerling wrote: I just don't see the need to have a new password every two months. Be glad you have two months, we have 30 days with a re-use policy of never. And no, I don't write it down, type it somewhere, or set up a key sequence - you just memorize it because it is part of your job. Something that might be helpful - put the next expire date on your calendar so you have a few days to think of something you'll remember. Just my $0.02, -Chris C.
-
I agree almost entirely with your comments about passwords. That was not where my problem with Naerling lay. Regardless of the pro's and con's of a company policy you comply with them. Only then do you institute whatever appropriate procedures there are to get them changed. You do not refuse to carry them out (unless someone will die or be seriously injured if you do). As I said earlier, if you did that anywhere I had authority, you would be on very dangerous ground.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
You NEVER disagreed with someone who's higher up the ranks than you?
Henry Minute wrote:
Only then do you institute whatever appropriate procedures there are to get them changed.
The appropriate procedure at our company is going to our boss and telling it to their face. I also never said I refused to change my password. I simply told it to my boss' face that I didn't like it one bit (perhaps slightly more emotional than appropriate) and my boss agreed. Had I known my post above would've slandered my name so, "Naerling the one who does not care about security, refuses to work, and is generally speaking a dumbass", I wouldn't have said it :laugh:
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}
