International Change Your Password Day
-
Wow, I'm speechless. I hope you're proud of the fact that this childish attitude has probably made your company fail to comply with data protection law in the country you are based in. Which rock have you been hiding to be so unaware of security issues over the last few years? I'm with Henry here, with that attitude, either you'd go or me. If it was me, I'd then sue for constructive dismissal.
If you (or Henry) were the admin you wouldn't have the authority to fire anyone. And if you quit you would NOT have grounds for action under constructive dismissal. Calm down and curb the aggression.
-
ICYPD[^]. It seems that someone else is trying to start an International Change Your Password Day - February 1st. A swift search on change password day reveals at least 4 other attempts at starting national/international days, on the first page of results. This would indicate that the idea of having a special day for it has not caught on. What do you think? Is it the idea of a special day for it that isn't popular or just a lack of interest (lack of comprehension for the need) to change them.
Henry Minute Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is. Cogito ergo thumb - Sucking my thumb helps me to think.
-
Changing your password without a good reason is a mindless practice that has been passed down long ago and is no longer valid. It used to be that a hacker could download a password file and take days to decrypt it. If you changed your password during that time, you would have saved yourself some distress, but only if you changed it during that time, a window of a now unlikely opportunity that has gotten so small that regularly changing your password no longer helps that situation. Another reason to change your password is if you have given it to anyone or suspect that someone has read the note that you had to put it on, because some smart system admin has made unreasonable rules that you can't follow without writing it down. In that case, you should change your password right away, not wait for the scheduled time period to do it. There are only two rules that really apply to users these days: 1. Don't give it to anyone. 2. Make it a long multiple word phrase (more than 20 characters) that is easy for you to remember. And there are two rules for system administrators: 1. Never store the password in clear text or transmit it over email. 2. Allow long passwords and don't force arbitrary rules and restrictions about it.
Good advice. Personally I let KeePass generate 30 character random passwords which have upper and lower case letters, numbers and other ASCII characters. That way I only have to remember one strong password. I hate systems which force me to change my password, even worse, restrict the maximum length or allow only numbers or letters. To me these restrictions are a possible indication the developers are not salting and hashing as they should be.
-
Stefan_Lang wrote:
This is about the most stupid thing a password system can do. What is it meant to achieve? If someone hacks your PW, he won't put it aside for a couple of days, let alone a month or more. And, hopefully, you'll notice it when the damage is done long before that one- or three-month period is over. If not, by the time you do your scheduled PW change, there's nothing left to bother securing.
One very obvious thing it allows is that the password checking semantics can be changed/updated. And perhaps in your world attackers do nothing but slash and dash but in mine keeping access to systems for a long time is an advantage.
Stefan_Lang wrote:
I don't know where the notion comes from that a password is more secure when it gets changed often. The only thing it really achieves is p****ing off users, and causing them to use easy to remember passwords, that are in turn rated 'weak' (but see below)
So you suggest allowing weak passwords and never changing them?
Stefan_Lang wrote:
As a result, passwords generated under enforced PW strength rules (such as 'must have at least one special character') are hard to remember by humans but still easy to guess by computers.
If such rules are not in place then users will pick passwords that a straight dictionary attack will reveal. Variations significantly increase the possibilities. And that along with well designed systems means that a computer driven attack based on sequential guessing, REGARDLESS of the hardware, will take too long to be feasible.
jschell wrote:
One very obvious thing it allows is that the password checking semantics can be changed/updated.
I'm sorry, but that is not an obvious reason for scheduled password change, in fact it is a reason against it: It is a reason for deliberate password change, executed when necessary. If you realize you should implement some better password rules, why wait several weeks or months for the update?
jschell wrote:
If such rules are not in place then users will pick passwords that a straight dictionary attack will reveal.
I never suggested using words straight from the dictionary. I never suggested not checking password strength either. I just say that the usual rules don't help. Not enough to be worth the bother anyway. Let password strength checkers use dictionaries to prevent dictionary attacks. Let them check for substitutions such as '0' for 'O', '$' for 'S', or 1 for 'l'. Let them check for all the well known tricks that attacker programs also use to minimize the number of variations they need to check. But forget rules! They just help attackers to know just what variations they need to add! The more concise the enforced rules are, the less variation they truly add. Make the rules less strict however, and the attack programs no longer have any assumptions they can build their algorithms on!
jschell wrote:
Variations significantly increase the possibilities.
I agree on that. It's just that enforcing the use of special characters adds only a very limited amount of variation: Must use caps? Right, I'll put it on the first character (where else?). That doesn't even add any variation because I often did exactly that before anyone forced me to. (so it will even decrease variation as the choice of using a cap or not is taken from me. Then again, hardly anyone uses caps anymore these days...) Must use a number? Ok, just put one 'random' number at the end. Well... why not '1'? Done. Variation added: none. Ok, some people might use, 2, or 9, I don't know. But I'm convinced the majority of 'enforced' numbers are just '1'. Must add some special character? Ugh, I actually have to use Shift to reach one of those - I'm not a typist, thank you very much! Well, I only have to use one to satisfy the algorithm, and, to help me memorize, I'll put it at the end. (I might put it at the start, but some password systems do fo
-
Good advice. Personally I let KeePass generate 30 character random passwords which have upper and lower case letters, numbers and other ASCII characters. That way I only have to remember one strong password. I hate systems which force me to change my password, even worse, restrict the maximum length or allow only numbers or letters. To me these restrictions are a possible indication the developers are not salting and hashing as they should be.
Yes, it's those restrictions that bug me the most, usually. I've seen password checkers with incredibly restricting rules, but only allowing only 12, or even 8 characters. With such a limited length, all those restrictions achieve is reduce variation rather than increase it.
-
Wow, I'm speechless. I hope you're proud of the fact that this childish attitude has probably made your company fail to comply with data protection law in the country you are based in. Which rock have you been hiding to be so unaware of security issues over the last few years? I'm with Henry here, with that attitude, either you'd go or me. If it was me, I'd then sue for constructive dismissal.
The issue is that current password strength enforcement systems are not well suited to prevent breaches, and that companies get so sercurity-crazed that they place the most complex of systems over even the least relevant of data. Maybe you have in fact access to data that are subject to nationwide security. And if that does require all the security measures you can think of, then so be it. But I do not: The most protected system I have access to is the one I use to enter and view my working hours. I can't do anything else with that system. But that doesn't change I need to jump through hoops and navigate through half a dozen screens just to log in. I can't even access it from anywhere but the desktop at my office, and if anyone has access to that, then there's a lot more at stake than some stupid work hour statistics! That is what's wrong! I spend valuable time every day, every week, every month, to satisfy a stupid security system that doesn't protect anything worth protecting. And worse, it already is protected. In contrast, the most important data I have access to only requires one login, and the password doesn't need to be very special, nor do I ever need to change it. Security is ensured through a code table. Simple. Easy to use and maintain. Just one new code table every year or so. And very effective all the same. That's what security should be like.
-
jschell wrote:
One very obvious thing it allows is that the password checking semantics can be changed/updated.
I'm sorry, but that is not an obvious reason for scheduled password change, in fact it is a reason against it: It is a reason for deliberate password change, executed when necessary. If you realize you should implement some better password rules, why wait several weeks or months for the update?
jschell wrote:
If such rules are not in place then users will pick passwords that a straight dictionary attack will reveal.
I never suggested using words straight from the dictionary. I never suggested not checking password strength either. I just say that the usual rules don't help. Not enough to be worth the bother anyway. Let password strength checkers use dictionaries to prevent dictionary attacks. Let them check for substitutions such as '0' for 'O', '$' for 'S', or 1 for 'l'. Let them check for all the well known tricks that attacker programs also use to minimize the number of variations they need to check. But forget rules! They just help attackers to know just what variations they need to add! The more concise the enforced rules are, the less variation they truly add. Make the rules less strict however, and the attack programs no longer have any assumptions they can build their algorithms on!
jschell wrote:
Variations significantly increase the possibilities.
I agree on that. It's just that enforcing the use of special characters adds only a very limited amount of variation: Must use caps? Right, I'll put it on the first character (where else?). That doesn't even add any variation because I often did exactly that before anyone forced me to. (so it will even decrease variation as the choice of using a cap or not is taken from me. Then again, hardly anyone uses caps anymore these days...) Must use a number? Ok, just put one 'random' number at the end. Well... why not '1'? Done. Variation added: none. Ok, some people might use, 2, or 9, I don't know. But I'm convinced the majority of 'enforced' numbers are just '1'. Must add some special character? Ugh, I actually have to use Shift to reach one of those - I'm not a typist, thank you very much! Well, I only have to use one to satisfy the algorithm, and, to help me memorize, I'll put it at the end. (I might put it at the start, but some password systems do fo
Stefan_Lang wrote:
Let password strength checkers use dictionaries to prevent dictionary attacks. Let them check for substitutions such as '0' for 'O', '$' for 'S', or 1 for 'l'. Let them check for all the well known tricks that attacker programs also use to minimize the number of variations they need to check. But forget rules! They just help attackers to know just what variations they need to add!
Interesting idea. I suspect it takes too long however.
Stefan_Lang wrote:
Take these three rules together and you get a combined variation of 1*1*10*2 = 20.
Myself I prefer more stringent checks than that. Some that I have used 1. Special character must not be only at end/beginning. 2. numerics must not be only at end/beginning. Don't think I thought of the only upper case at beginning but now that you have mentioned it, it suggests another rule.
-
Seeing how ONE good password can take a couple of billion years to crack according to this[^] website I'd say it is more secure to not having to have pieces of paper laying around that WILL be discovered (people at our office often switch seats for whatever reason, 'borrow' a pen from someone's desk, take a sheet of paper, etc. versus having a password that will NOT be cracked anytime soon :) Unless you're planning on getting attacked by a 'super computer' which would be a gigantic waste of resources if it were used on our little company... Anything less than good will still take a little while, but I see your point where, if you're on the edge, having to change passwords every two months can save your ass by a couple of days! Anyway, for my personal accounts and for our company I am willing to take the risk of being attacked by a supercomputer and have my password cracked in mere seconds vs. the inconvenience of having to change it every two months.
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}Naerling wrote:
Seeing how ONE good password can take a couple of billion years to crack according to this[^]
What is your point - my position is that a strong password is better than a weak one. Which is what that link shows.
Naerling wrote:
Unless you're planning on getting attacked by a 'super computer' which ...
No idea what you are talking about. With a weak password policy in place, and without stringent password implementation policies, a dictionary attack along with some manual guessing can break into a system very quickly. And that has nothing to do with your link.
Naerling wrote:
if you're on the edge, having to change passwords every two months can save your ass by a couple of days!
As I already said continous access to a system, not just hit a dash, is a technique that is employed. Requiring pwd changes gets rid of that.
-
The issue is that current password strength enforcement systems are not well suited to prevent breaches, and that companies get so sercurity-crazed that they place the most complex of systems over even the least relevant of data. Maybe you have in fact access to data that are subject to nationwide security. And if that does require all the security measures you can think of, then so be it. But I do not: The most protected system I have access to is the one I use to enter and view my working hours. I can't do anything else with that system. But that doesn't change I need to jump through hoops and navigate through half a dozen screens just to log in. I can't even access it from anywhere but the desktop at my office, and if anyone has access to that, then there's a lot more at stake than some stupid work hour statistics! That is what's wrong! I spend valuable time every day, every week, every month, to satisfy a stupid security system that doesn't protect anything worth protecting. And worse, it already is protected. In contrast, the most important data I have access to only requires one login, and the password doesn't need to be very special, nor do I ever need to change it. Security is ensured through a code table. Simple. Easy to use and maintain. Just one new code table every year or so. And very effective all the same. That's what security should be like.
Stefan_Lang wrote:
I can't even access it from anywhere but the desktop at my office, and if anyone has access to that, then there's a lot more at stake than some stupid work hour statistics!
Last report I saw, national, large scale, based on actual recovery efforts (not self reporting) two years ago, suggested that more than 90% of security problems originated internally.
Stefan_Lang wrote:
In contrast, the most important data I have access to only requires one login, and the password doesn't need to be very special, nor do I ever need to change it. Security is ensured through a code table. Simple. Easy to use and maintain. Just one new code table every year or so. And very effective all the same. That's what security should be like.
When the aliens (or angels) land and take over all systems they can make them perfect. Until that happens we must live with imperfect humans. And thus strive to insure that systems are secure.
-
Well, we don't have it anymore. And I still think it's a stupid, good for nothing policy :) Do you feel more secure because of it? ARE you better secured? As I understood elsewhere in this topic a password can be cracked in a couple of days or even minutes. All your passwords in the world won't change that.
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}[shrug] Well some people are made happy by the policy even if the efficacy is questionable. True - if someone has my password hash, and if they have a full set of rainbow tables, then yes - you are correct that the exercise is trivial (it is just a look-up in the table). But, that's not the case. Which leaves them only got three guesses before the account is locked. They won't get it in three guesses unless there's another piece of weirdness like a hash collision between my password and their guess, or maybe they have an HD camera focused on my keyboard. So, I see three choices: I can waste my breath 'raging against the machine'. I can quit. I can accept it. Note that acceptance does not preclude grumbling about it. Choices... life is full of them :-) -Chris C.
-
Naerling wrote:
Seeing how ONE good password can take a couple of billion years to crack according to this[^]
What is your point - my position is that a strong password is better than a weak one. Which is what that link shows.
Naerling wrote:
Unless you're planning on getting attacked by a 'super computer' which ...
No idea what you are talking about. With a weak password policy in place, and without stringent password implementation policies, a dictionary attack along with some manual guessing can break into a system very quickly. And that has nothing to do with your link.
Naerling wrote:
if you're on the edge, having to change passwords every two months can save your ass by a couple of days!
As I already said continous access to a system, not just hit a dash, is a technique that is employed. Requiring pwd changes gets rid of that.
jschell wrote:
my position is that a strong password is better than a weak one
I never disagreed with you there.
jschell wrote:
a dictionary attack along with some manual guessing can break into a system very quickly
Indeed, well within one or two months, in that case changing your password so frequently wouldn't help very much since it'll be cracked before you change it. And as computers get quicker and technology improves it will be just a matter of minutes before even the most secure password gets cracked. What's next? Changing your password hourly? Having bookworks for passwords?
jschell wrote:
As I already said continous access to a system, not just hit a dash, is a technique that is employed. Requiring pwd changes gets rid of that.
Maybe, I'm still not convinced. Anyway, for all the many profiles I have on numerous websites on the web I choose not to spend a day a month to check them all and change my password one by one... It's a risk I am willing to take in exchange for some convenience. As for work policies, I did not agree with the password change and my boss agreed with me that it wasn't necessary for our company. If my boss had not agreed with me I wouldn't have had a choice and change my password every two or three months.
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
} -
[shrug] Well some people are made happy by the policy even if the efficacy is questionable. True - if someone has my password hash, and if they have a full set of rainbow tables, then yes - you are correct that the exercise is trivial (it is just a look-up in the table). But, that's not the case. Which leaves them only got three guesses before the account is locked. They won't get it in three guesses unless there's another piece of weirdness like a hash collision between my password and their guess, or maybe they have an HD camera focused on my keyboard. So, I see three choices: I can waste my breath 'raging against the machine'. I can quit. I can accept it. Note that acceptance does not preclude grumbling about it. Choices... life is full of them :-) -Chris C.
jccompton43 wrote:
an HD camera focused on my keyboard.
Or keylogger... Been a victim of that once. Lucky I store all my passwords so I don't have to retype them :) (And now I'll have the 'never-store-your-passwords' maffia on my back)
jccompton43 wrote:
I can waste my breath 'raging against the machine'.
My breath wasn't wasted as my boss agreed with me :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
} -
jccompton43 wrote:
an HD camera focused on my keyboard.
Or keylogger... Been a victim of that once. Lucky I store all my passwords so I don't have to retype them :) (And now I'll have the 'never-store-your-passwords' maffia on my back)
jccompton43 wrote:
I can waste my breath 'raging against the machine'.
My breath wasn't wasted as my boss agreed with me :)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}Naerling wrote: My breath wasn't wasted as my boss agreed with me Not your breath, mine. I was just talking about my choices based on where I am. Were you here, it would be a waste of your breath also. :) And, just so you don't misunderstand, they think highly of me here. FWIW, -Chris C.
-
Naerling wrote: My breath wasn't wasted as my boss agreed with me Not your breath, mine. I was just talking about my choices based on where I am. Were you here, it would be a waste of your breath also. :) And, just so you don't misunderstand, they think highly of me here. FWIW, -Chris C.
jccompton43 wrote:
Were you here, it would be a waste of your breath also.
And I probably wouldn't have wasted it :) I can estimate my chances of success ;)
It's an OO world.
public class Naerling : Lazy<Person>{
public void DoWork(){ throw new NotImplementedException(); }
}
