International Change Your Password Day

  • jschell

    Naerling wrote:

    Highest levels of management probably have their children's names for passwords and never change them..

    Not where I work. They use the same policy as everyone else. Passwords are required to be changed often and they are validated to be strong passwords.

    Naerling wrote:

    I just don't see the need to have a new password every two months. It's not like people are constantly trying to hack your every account (this may have sounded like an invitation, it's not!).

    Err...yes they are. My company tracks penetration attempts and the trivial ones are in the tens if not hundreds every day.

    Naerling wrote:

    And doesn't it take something like a billion years to crack one?

    Huh? A standard dictionary attack with weak password on an unsecured system can crack an account in probably a matter of minutes.

    Naerling wrote:

    I don't have anything to hide.

    What does that have to do with anything?

    Stefan_Lang (post #39)

    jschell wrote:

    required to be changed often

    This is about the most stupid thing a password system can do. What is it meant to achieve? If someone hacks your PW, he won't put it aside for a couple of days, let alone a month or more. And, hopefully, you'll notice it when the damage is done long before that one- or three-month period is over. If not, by the time you do your scheduled PW change, there's nothing left to bother securing. I don't know where the notion comes from that a password is more secure when it gets changed often. The only thing it really achieves is p****ing off users, and causing them to use easy to remember passwords, that are in turn rated 'weak' (but see below)

    jschell wrote:

    they are validated to be strong passwords

    The problem with so called 'strong passwords' is that they are a misnomer, and in fact quite weak when you consider what they're set against: a hacker's powerful computer and clever algorithms built around exactly the same rules that PW strength checkers use, and humans' tendency to put as little effort as possible into following those rules. As a result, passwords generated under enforced PW strength rules (such as 'must have at least one special character') are hard to remember by humans but still easy to guess by computers.

    • Bruce Patin

      Changing your password without a good reason is a mindless practice that has been passed down long ago and is no longer valid. It used to be that a hacker could download a password file and take days to decrypt it. If you changed your password during that time, you would have saved yourself some distress, but only if you changed it during that time, a window of a now unlikely opportunity that has gotten so small that regularly changing your password no longer helps that situation. Another reason to change your password is if you have given it to anyone or suspect that someone has read the note that you had to put it on, because some smart system admin has made unreasonable rules that you can't follow without writing it down. In that case, you should change your password right away, not wait for the scheduled time period to do it. There are only two rules that really apply to users these days: 1. Don't give it to anyone. 2. Make it a long multiple word phrase (more than 20 characters) that is easy for you to remember. And there are two rules for system administrators: 1. Never store the password in clear text or transmit it over email. 2. Allow long passwords and don't force arbitrary rules and restrictions about it.

      Henry Minute (post #40)

      I agree almost entirely with your comments about passwords. That was not where my problem with Naerling lay. Regardless of the pros and cons of a company policy you comply with them. Only then do you institute whatever appropriate procedures there are to get them changed. You do not refuse to carry them out (unless someone will die or be seriously injured if you do). As I said earlier, if you did that anywhere I had authority, you would be on very dangerous ground.

      Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.

      • trkchk

        you're going to love this..... where I work, every password is the same, all remote access to our clients, all admin accounts everything, and it's an easy password. despite objections, pleas to change it, begging for a certificate it all got turned down. why do you ask? the owner does not want to have to worry about remembering passwords. and it gets better, they share that info with the clients, so one client can log into another client if they know the ip (not hard to figure out) and there is one recent case of one client stealing another's data, and they cannot figure out how

        Henry Minute (post #41)

        chodi wrote:

        there is one recent case of one client stealing another's data, and they cannot figure out how

        And if you tell them how I did it, I'll send the boys round! Bwahahahahahahahaha!

        Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.

        • Rob Grainger

          Wow, I'm speechless. I hope you're proud of the fact that this childish attitude has probably made your company fail to comply with data protection law in the country you are based in. Which rock have you been hiding to be so unaware of security issues over the last few years? I'm with Henry here, with that attitude, either you'd go or me. If it was me, I'd then sue for constructive dismissal.

          Sander Rossel (post #42)

          Rob Grainger wrote:

          data protection law in the country you are based in

          I don't think there is a law about how much you have to change your password :doh: If there was my boss would be a fool to comply with my 'demands' for keeping my old password.

          Rob Grainger wrote:

          Which rock have you been hiding to be so unaware of security issues over the last few years?

          As far as I know none of those issues were about people that did not change their passwords... It was about passwords (no matter how often they were changed) that were stored unencrypted, were sent over an unsecured line, were shared with other people etc.

          Rob Grainger wrote:

          I'd then sue for constructive dismissal

          Are you an American? GTA4 had a great joke about it on the radio "sue anyone for anything and you'll probably win!" Anyway, there was no need to sue me since I was on a six month contract and it would've ended pretty soon. There wasn't any money or honour to be made from suing me either. Besides the fact that I sometimes disagree with people I did my job pretty well. Really, if my boss thought it absolutely necessary to change my password he would've said something like "Naerling (ok, he'd use my real name), I sense some frustration, but this is really for the best... Trust me ;)" And since my boss has a way with people I'd probably calm down a bit, say "ok" and leave the room disgruntled.

          Rob Grainger wrote:

          this childish attitude

          My 'childish' attitude has been asked for, appreciated and rewarded quite a few times in the last year since it also involves studying hard, thinking of and sharing ideas, writing good software, and doing overtime when necessary. I respect and appreciate your opinion on passwords and changing them, but I think you just had a bad day and are taking it out on me (perhaps it was bad because someone somewhere didn't change their password?). By the way, I just read a post from someone claiming to be a hacker (good or evil, he didn't say) and he says changing passwords is just a silly habit passed down to generations. The post is somewhere in this topic, I might have twisted his words a bit, but you can look it up. You don't have to agree, but know that I am not alone ;)

          It's an OO world.

          public class Naerling : Lazy<Person>{
          public void DoWo

            Sander Rossel (post #43)

            Glad to hear it from someone who claims he knows what he's talking about! :) And though I am no expert on security I agree with you 100%!

            It's an OO world.

            public class Naerling : Lazy<Person>{
            public void DoWork(){ throw new NotImplementedException(); }
            }

            • Sander Rossel

              Henry Minute wrote:

              making sure that the highest levels of management knew why

              Highest levels of management probably have their children's names for passwords and never change them... I don't even think they'd know what you're talking about :laugh: I just don't see the need to have a new password every two months. It's not like people are constantly trying to hack your every account (this may have sounded like an invitation, it's not!). It's just very inconvenient for me, remembering all those passwords (and I have forgotten a few)... Besides, what could evil-doers do with my old password that they couldn't do with my new one? And doesn't it take something like a billion years to crack one? My guess is that if hackers get my password they don't need two months to get it and so if they do I'm always too late with changing it, whether I change it once a year or once a month... Guess I'm just not very paranoid or I don't have anything to hide. I must say someone gained access to my MSN account and to my World of Warcraft account once (two separate incidents with I think very different passwords). Very nasty business. Changed my password after both incidents. In case of WoW I had my account about three months and I'm very sure changing my password after two months wouldn't have made a difference. I installed a keyscrambler after that :)

              It's an OO world.

              public class Naerling : Lazy<Person>{
              public void DoWork(){ throw new NotImplementedException(); }
              }

              JChrisCompton (post #44)

              Naerling wrote:

              I just don't see the need to have a new password every two months.

              Be glad you have two months, we have 30 days with a re-use policy of never. And no, I don't write it down, type it somewhere, or set up a key sequence - you just memorize it because it is part of your job. Something that might be helpful - put the next expire date on your calendar so you have a few days to think of something you'll remember.

              Just my $0.02, -Chris C.

                Sander Rossel (post #45)

                You NEVER disagreed with someone who's higher up the ranks than you?

                Henry Minute wrote:

                Only then do you institute whatever appropriate procedures there are to get them changed.

                The appropriate procedure at our company is going to our boss and telling it to their face. I also never said I refused to change my password. I simply told it to my boss' face that I didn't like it one bit (perhaps slightly more emotional than appropriate) and my boss agreed. Had I known my post above would've slandered my name so, "Naerling the one who does not care about security, refuses to work, and is generally speaking a dumbass", I wouldn't have said it :laugh:

                It's an OO world.

                public class Naerling : Lazy<Person>{
                public void DoWork(){ throw new NotImplementedException(); }
                }

                • BrainiacV

                  That's why I put all my passwords into my Gateway 2000 programmable keyboard ;P While that might not sound secure, each key can have ALT-CTRL-SHIFT prefixes, so you'd have to figure out which keys to press before you lock yourself out from the account. Not as easy as WarGames' printed list hidden somewhere or the password on the blackboard at school. But admittedly not too far behind. But the ultimate advantage is that I don't have to remember the passwords at all. :laugh:

                  Psychosis at 10 Film at 11 Those who do not remember the past, are doomed to repeat it. Those who do not remember the past, cannot build upon it.

                  Sander Rossel (post #46)

                  Have your cat type your password. If he can't remember it the next time you need to log in, blame the cat :)

                  It's an OO world.

                  public class Naerling : Lazy<Person>{
                  public void DoWork(){ throw new NotImplementedException(); }
                  }

                    Henry Minute (post #47)

                    Naerling wrote:

                    You NEVER disagreed with someone who's higher up the ranks than you?

                    I frequently (one might say always) disagreed with at least one person higher than me on almost all aspects of company policy. There are, however, right and wrong ways to air grievances/disagreements in a professional organization. Once you break outside those boundaries, regardless of who may or may not be correct you have lost. Also by allowing someone to 'get away with' not implementing a policy the organization loses enormously.

                    Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.

                      BrainiacV (post #48)

                      I have two cats and they wouldn't be able to agree on the password. They do keep asking me about this "mouse" they keep hearing about.

                      Psychosis at 10 Film at 11 Those who do not remember the past, are doomed to repeat it. Those who do not remember the past, cannot build upon it.

                        Sander Rossel (post #49)

                        Well, we don't have it anymore. And I still think it's a stupid, good for nothing policy :) Do you feel more secure because of it? ARE you better secured? As I understood elsewhere in this topic a password can be cracked in a couple of days or even minutes. All your passwords in the world won't change that.

                        It's an OO world.

                        public class Naerling : Lazy<Person>{
                        public void DoWork(){ throw new NotImplementedException(); }
                        }

                          yoni at jefco (post #50)

                          I assume someone already mentioned this, but just in case... http://xkcd.com/936/ JS

                            Sander Rossel (post #51)

                            I call my boss Tuna fish because his name sounds like Tuna and I call my other boss Dork because it's only one letter difference. They call me all kinds of names too. Just because we're not all uptight and we can. I wear my green teenage mutant ninja turtle sweater to work and even to customers. I don't mind, my bosses don't mind and our clients don't mind either (they actually like me and ask for me personally). What's important is our software and overall our clients are pretty satisfied about that. Did I also mention clients called me 'an angel' and a (translated) 'son of a bitch' in an affectionate kind of way :) Of course we can be serious and to the point if we have to, just not always. I guess the Dutch are just relaxed like that. And actually that's just how I like it. I wouldn't want to wear a tuxedo to work and call my superiors 'sir'. I understand things get more formal if a company gets bigger, and if I worked at a big company I would comply with those rules. This might sound ridiculous to you and how could a company that works like that ever get anything done!? Fact is that we've helped customers where our much bigger competitors failed :)

                            It's an OO world.

                            public class Naerling : Lazy<Person>{
                            public void DoWork(){ throw new NotImplementedException(); }
                            }

                              Sander Rossel (post #52)

                              Cats... :laugh:

                              It's an OO world.

                              public class Naerling : Lazy<Person>{
                              public void DoWork(){ throw new NotImplementedException(); }
                              }

                                trkchk (post #53)

                                that was you?

                                  jschell (post #54)

                                  Stefan_Lang wrote:

                                  This is about the most stupid thing a password system can do. What is it meant to achieve? If someone hacks your PW, he won't put it aside for a couple of days, let alone a month or more. And, hopefully, you'll notice it when the damage is done long before that one- or three-month period is over. If not, by the time you do your scheduled PW change, there's nothing left to bother securing.

                                  One very obvious thing it allows is that the password checking semantics can be changed/updated. And perhaps in your world attackers do nothing but slash and dash but in mine keeping access to systems for a long time is an advantage.

                                  Stefan_Lang wrote:

                                  I don't know where the notion comes from that a password is more secure when it gets changed often. The only thing it really achieves is p****ing off users, and causing them to use easy to remember passwords, that are in turn rated 'weak' (but see below)

                                  So you suggest allowing weak passwords and never changing them?

                                  Stefan_Lang wrote:

                                  As a result, passwords generated under enforced PW strength rules (such as 'must have at least one special character') are hard to remember by humans but still easy to guess by computers.

                                  If such rules are not in place then users will pick passwords that a straight dictionary attack will reveal. Variations significantly increase the possibilities. And that along with well designed systems means that a computer driven attack based on sequential guessing, REGARDLESS of the hardware, will take too long to be feasible.
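
Added example (not written by any poster in this thread): a Python check for the question argued in posts #39 and #54, comparing a composition-rule validator with a check that undoes common rule-driven variations and looks the result up in a wordlist. The wordlist, substitution table, function names and sample passwords are all constructed for illustration.

```python
import re

# Constructed sample wordlist (assumption): a real check would load a large
# dictionary or breached-password list instead.
SAMPLE_WORDLIST = frozenset(
    {"password", "welcome", "dragon", "summer", "monkey", "hello"}
)

# Substitutions people commonly use to satisfy "needs a digit/symbol" rules.
# One target per character is a simplification ("1" can also stand for "i").
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def meets_composition_rules(pw, min_len=8):
    """Classic enforced policy: minimum length plus upper, lower, digit, special."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def dictionary_root(pw, wordlist=SAMPLE_WORDLIST):
    """Return the wordlist entry pw reduces to once case, leet substitutions
    and leading/trailing digits or symbols are undone, else None."""
    s = pw.lower()
    lead = len(re.match(r"[^a-z]*", s).group())
    trail = len(re.search(r"[^a-z]*$", s).group())
    # Try every way of dropping part of the non-letter prefix/suffix, because
    # a trailing "0" may be padding ("summer0") or stand for a letter ("hell0").
    for i in range(lead + 1):
        for j in range(trail + 1):
            core = s[i:len(s) - j].translate(LEET_MAP)
            if core in wordlist:
                return core
    return None


def assess(pw):
    """Return (passes_composition_rules, dictionary_root, length)."""
    return meets_composition_rules(pw), dictionary_root(pw), len(pw)


# Constructed sample passwords, not taken from any real system.
SAMPLES = ["P@ssw0rd1!", "Summer2024!", "H3ll0123#", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in SAMPLES:
        ok, root, n = assess(pw)
        print(f"{pw!r:34} rules={ok!s:5} root={root!s:10} length={n}")
```

The first three samples pass the composition rules yet reduce to a single wordlist entry, while the long phrase fails the composition rules and has no single-word root.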

                                  S 1 Reply Last reply
                                  0
                                  • Sander RosselS Sander Rossel

                                    Rob Grainger wrote:

                                    data protection law in the country you are based in

                                    I don't think there is a law about how much you have to change your password :doh: If there was my boss would be a fool to comply with my 'demands' for keeping my old password.

                                    Rob Grainger wrote:

                                    Which rock have you been hiding to be so unaware of security issues over the last few years?

                                    As far as I know none of those issues were about people that did not change their passwords... It was about passwords (no matter how often they were changed) that were stored unencrypted, were sent over an unsecured line, were shared with other people etc.

                                    Rob Grainger wrote:

                                    I'd then sue for constructive dismissal

                                    Are you an American? GTA4 had a great joke about it on the radio "sue anyone for anything and you'll probably win!" Anyway, there was no need to sue me since I was on a six month contract and it would've ended pretty soon. There wasn't any money or honour to be made from suing me either. Besides the fact that I sometimes disagree with people I did my job pretty well. Really, if my boss thought it absolutely necessary to change my password he would've said something like "Naerling (ok, he'd use my real name), I sense some frustration, but this is really for the best... Trust me ;)" And since my boss has a way with people I'd probably calm down a bit, say "ok" and leave the room disgruntled.

                                    Rob Grainger wrote:

                                    this childish attitude

                                    My 'childish' attitude has been asked for, appreciated and rewarded quite a few times in the last year since it also involves studying hard, thinking of and sharing ideas, writing good software, and doing overtime when necessary. I respect and appreciate your opinion on passwords and changing them, but I think you just had a bad day and are taking it out on me (perhaps it was bad because someone somewhere didn't change their password?). By the way, I just read a post from someone claiming to be a hacker (good or evil, he didn't say) and he says changing passwords is just a silly habit passed down to generations. The post is somewhere in this topic, I might have twisted his words a bit, but you can look it up. You don't have to agree, but know that I am not alone ;)

                                    It's an OO world.

                                    public class Naerling : Lazy<Person>{
                                    public void DoWo

                                    jschell
                                    wrote on last edited by
                                    #55

                                    Naerling wrote:

                                    As far as I know none of those issues were about people that did not change their passwords... It was about passwords (no matter how often they were changed) that were stored unencrypted, were sent over an unsecured line, were shared with other people etc.

                                    There have been a number of recent cases involving weak passwords. If you do not have an automatic change policy then you have two choices if your system was not previously checking strength. 1. Require everyone to select new passwords 2. Hope that no one is using weak passwords.

                                    Naerling wrote:

                                    and he says changing passwords is just a silly habit passed down to generations.

                                    So rationalize why such a policy isn't a good idea. I believe you stated that people would write them down if it requires too much complexity....so let's run with that. So to get access to your password that is written down I must physically see that piece of paper and then do something with it. So either you invite me to your desk or I break in. In either case mostly related to people in your immediate area, and presuming that your physical security is rather weak, and that you blatantly post the password on your desk somewhere. And that your personal access is meaningful as an attack vector into the company. Versus....a weak policy...where the entire world has the opportunity to decide to attack your company and using a dictionary attack to attempt to gain access to every single user on the system (after all they don't need to limit themselves to just one.) Please explain to me how that is better.

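The post above turns on what a system can do when it starts checking password strength after the fact. As an added example (not code from this thread or from any poster's employer), the sketch below shows a check that undoes common variations before a dictionary lookup, applied at the next successful login because stored hashes cannot be re-evaluated. The wordlist, the substitution table, the 12-character minimum and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample wordlist; a real deployment would load a large breached-password list.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "summer"}
# Assumed substitution table mapping common character swaps back to letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def is_weak(password: str, min_len: int = 12) -> bool:
    """Weak if too short, or a dictionary word once common variations are undone."""
    if len(password) < min_len:
        return True
    core = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing digits/symbols
    return core.translate(LEET) in COMMON_WORDS

def hash_pw(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash; only this value is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_account(password: str) -> dict:
    """Simulates an account created before any strength check existed."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(password, salt), "must_change": False}

def login(account: dict, password: str) -> bool:
    """Verify the password; on success, apply the current strength policy.

    The plaintext is only available at this moment, so this is where a newly
    introduced policy can be enforced without resetting every account.
    """
    ok = hmac.compare_digest(hash_pw(password, account["salt"]), account["hash"])
    if ok and is_weak(password):
        account["must_change"] = True  # force a change for this account only
    return ok

if __name__ == "__main__":
    legacy = make_account("P@ssw0rd2024!")  # passes "one digit, one symbol" rules
    print(login(legacy, "P@ssw0rd2024!"), legacy["must_change"])
```

A failed login never sets the flag, so the check reveals nothing about an account to someone who does not already know its password.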
                                      Sander Rossel
                                      wrote on last edited by
                                      #56

                                      Seeing how ONE good password can take a couple of billion years to crack according to this[^] website I'd say it is more secure to not having to have pieces of paper lying around that WILL be discovered (people at our office often switch seats for whatever reason, 'borrow' a pen from someone's desk, take a sheet of paper, etc.) versus having a password that will NOT be cracked anytime soon :) Unless you're planning on getting attacked by a 'super computer' which would be a gigantic waste of resources if it were used on our little company... Anything less than good will still take a little while, but I see your point where, if you're on the edge, having to change passwords every two months can save your ass by a couple of days! Anyway, for my personal accounts and for our company I am willing to take the risk of being attacked by a supercomputer and have my password cracked in mere seconds vs. the inconvenience of having to change it every two months.

                                      It's an OO world.

                                      public class Naerling : Lazy<Person>{
                                      public void DoWork(){ throw new NotImplementedException(); }
                                      }

                                      • R Rob Grainger

                                        Wow, I'm speechless. I hope you're proud of the fact that this childish attitude has probably made your company fail to comply with data protection law in the country you are based in. Which rock have you been hiding to be so unaware of security issues over the last few years? I'm with Henry here, with that attitude, either you'd go or me. If it was me, I'd then sue for constructive dismissal.

                                        Climate Turnip
                                        wrote on last edited by
                                        #57

                                        If you (or Henry) were the admin you wouldn't have the authority to fire anyone. And if you quit you would NOT have grounds for action under constructive dismissal. Calm down and curb the aggression.

                                        • H Henry Minute

                                          ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.

                                          Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.

                                          Ahmedn1
                                          wrote on last edited by
                                          #58

                                          :D I will never change my password unless it is exposed :D
