I'm Going To Take A Hostage

  • M MadGerbil

    My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D

    Mike Hankey
    wrote on last edited by
    #7

    MadGerbil wrote:

    Because of this I need to take a hostage.

    If you have foul play in mind, I have a list! :)

    I'm not sure how many cookies it makes to be happy, but so far it's not 27. JaxCoder.com

    • S Slacker007

      MadGerbil wrote:

      If you write a password management system and force people to change passwords every 30 days

      this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess. It is a valid level of security. You should be more than glad they don't make you change your password every week. And no, they are not bad people for doing this. No more as bad as the doctor who tells you to quit smoking. I agree it is frustrating, very much so.

      Kornfeld Eliyahu Peter
      wrote on last edited by
      #8

      The only way my password can be compromised is by mind-reading... Or I give it away... So the site (that obviously does not store it :laugh:) has no reason to be so hard on me...

      "The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012

      "It never ceases to amaze me that a spacecraft launched in 1977 can be fixed remotely from Earth." ― Brian Cox

        Maximilien
        wrote on last edited by
        #9

        MadGerbil wrote:

        If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement.

        It's not a secure password because you will not be able to remember it and you will write it down on a post-it or copy it on a regular text file on your desktop; or you click on the "I forgot my password" button. Anyway, agreed. I hate when I have to change passwords.

        I'd rather be phishing!

          W Balboos GHB
          wrote on last edited by
          #10

          Mike Hankey wrote:

          I have a list!

          By any chance, is Mike short for Mikado?

          Ravings en masse^

          "The difference between genius and stupidity is that genius has its limits." - Albert Einstein

          "If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010

            MadGerbil
            wrote on last edited by
            #11

            Every place I've seen this password policy in place I've also seen sticky notes with passwords written on them stuck to the monitors of the users' computers.

              MadGerbil
              wrote on last edited by
              #12

              Slacker007 wrote:

              this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess.

              What the experts say: Time for Password Expiration to Die | SANS Security Awareness

                GuyThiebaut
                wrote on last edited by
                #13

                The problem with systems that force people to regularly change passwords is that people have a habit of simply incrementing a number at the end of a password. So the chances are that if I know your password, I can just try incrementing the number at the end until I get your current password which has probably just been incremented by one.

                “That which can be asserted without evidence, can be dismissed without evidence.”

                ― Christopher Hitchens

                  Amarnath S
                  wrote on last edited by
                  #14

                  This means they are storing all your previous passwords. Do they guarantee you that their password storage is never going to be compromised?

                    MadGerbil
                    wrote on last edited by
                    #15

                    Exactly. If they get compromised I think they should cover every other system of mine that gets compromised. Slap a lawsuit on them for that, make them pay for damages, and maybe they'll get rational.

                      Richard Deeming
                      wrote on last edited by
                      #16

                      Hopefully a salted hash of your previous passwords. But given some of the code that keeps cropping up in QA, I wouldn't guarantee it.

                      "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

                        Kornfeld Eliyahu Peter
                        wrote on last edited by
                        #17

                        You have no need to store the old passwords... a one-way hash will do... But if you store a one-way hash, what are you afraid of?

                        "The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012

                        "It never ceases to amaze me that a spacecraft launched in 1977 can be fixed remotely from Earth." ― Brian Cox

                          OriginalGriff
                          wrote on last edited by
                          #18

                          Kornfeld Eliyahu Peter wrote:

                          what are you afraid of?

                          As Richard says: Go to QA and see what some idiots developers are doing in the real world ... :sigh:

                          "I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
                          "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt

                            Amarnath S
                            wrote on last edited by
                            #19

                            Thanks. New learning today.

                              Kornfeld Eliyahu Peter
                              wrote on last edited by
                              #20

                              But of course... only speaking in theory... (that's the reason that I try to avoid opening accounts on any site, and use Google's login if I can)

                              "The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012

                              "It never ceases to amaze me that a spacecraft launched in 1977 can be fixed remotely from Earth." ― Brian Cox

                                kalberts
                                wrote on last edited by
                                #21

                                Old classic (2010-04-14) Geek & Poke: One day in the life of a coder

                                  MarkTJohnson
                                  wrote on last edited by
                                  #22

                                  I may climb a tower over multiple systems, the VPN, Active Directory, Global network, etc. All of them have different expiration policies so syncing up passwords is a real PITA. Don't give me the crap about they all should have different passwords, all those systems are part of the work ecosystem. Currently, I have 3 different passwords because of the timing. There's one of them that expires the fastest, that I can't figure out which part of the environment it controls since I rarely type it.

                                    User 13269747
                                    wrote on last edited by
                                    #23

                                    Quote:

                                    This means they are storing all your previous passwords.

                                    No, it doesn't mean that. They could be storing the hash of the password and reusing the salt on the new password.

                                    1 Reply Last reply
                                    0
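An added example, not part of any poster's message and not the credit union's code: a password-history check that stores only salted hashes, comparing a new password by re-hashing it with each old entry's salt as posts #16, #17 and #23 describe. It goes one step beyond those posts by also testing the "increment the number at the end" pattern from post #13, which is only possible at change time while the new plaintext is in hand. PBKDF2-HMAC-SHA256, the function names and the policy constants are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# All names and parameter values below are assumptions made for this example.
ITERATIONS = 100_000   # demo work factor; set it from current guidance in production
HISTORY_DEPTH = 5      # assumed policy: remember the last five passwords


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, entry):
    """Re-hash the candidate with the stored entry's salt and compare in constant time."""
    salt, stored_digest = entry
    _, candidate_digest = hash_password(password, salt)
    return hmac.compare_digest(candidate_digest, stored_digest)


def near_variants(password):
    """Passwords the user may have 'incremented' from: trailing number -1/+1, or no number."""
    found = re.match(r"^(.*?)(\d+)$", password)
    if not found:
        return []
    stem, digits = found.group(1), found.group(2)
    number = int(digits)
    variants = {stem}
    for step in (-1, 1):
        if number + step >= 0:
            variants.add(f"{stem}{number + step}")
            variants.add(f"{stem}{str(number + step).zfill(len(digits))}")
    variants.discard(password)
    variants.discard("")
    return sorted(variants)


def check_new_password(new_password, history):
    """Return 'reused', 'incremented' or 'ok' for a proposed password."""
    if any(matches(new_password, entry) for entry in history):
        return "reused"
    for variant in near_variants(new_password):
        if any(matches(variant, entry) for entry in history):
            return "incremented"
    return "ok"


def change_password(new_password, history):
    """Apply the policy; on success store a new salted hash and trim the history."""
    verdict = check_new_password(new_password, history)
    if verdict == "ok":
        history.append(hash_password(new_password))
        del history[:-HISTORY_DEPTH]
    return verdict


if __name__ == "__main__":
    history = []  # constructed sample account
    for attempt in ["guest1", "guest1", "guest2", "a different passphrase"]:
        print(attempt, "->", change_password(attempt, history))
```

Each stored entry keeps its own random salt, so two users (or two history slots) with the same password do not share a digest, and a leaked history table still has to be attacked one entry at a time.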
                                      User 13269747
                                      wrote on last edited by
                                      #24

                                      Quote:

                                      this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess. It is a valid level of security.

                                      It isn't a valid level of security. That policy came from an era when PCs were not connected to the internet, hence someone who wanted to use your compromised password would have to literally break into the office. So limiting the passwords to 30 days mitigated that risk. Now, if your password is compromised they will, in the first two minutes, install a keylogger, thereby having all future passwords of yours. It gets worse - because of the requirement of regular password changing, people simply use easy to remember passwords. In effect, the password expiry policy actually forces people to use less secure passwords than they would have done without the policy. So, no, password expiry is stupid policy, encourages weaker passwords and, IME, only recommended by people who don't know much about security, encryption or stuff like that (i.e. IT and Network staff).

                                        Slow Eddie
                                        wrote on last edited by
                                        #25

                                        I found KeePass here in Code Project, and have been using it ever since. I think it is terrific :thumbsup::thumbsup: and have had no problems with passwords since I started using it. You should give that a try.

                                          Bruce Patin
                                          wrote on last edited by
                                          #26

                                          If your password is compromised, then the hacker has 30 days to casually do what he wants and finish, besides changing the password himself. So what has that 30 day password change accomplished? Nothing. It might be effective if your account is put in a bucket and not bought and used for more than 30 days.
