I'm Going To Take A Hostage
-
Kornfeld Eliyahu Peter wrote:
what do you afraid of?
As Richard says: Go to QA and see what some idiots developers are doing in the real world ... :sigh:
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
But of course... only speaking in theory... (that's the reason that I try to avoid opening accounts on any site, and using google's login if I can)
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
-
Hopefully a salted hash of your previous passwords. But given some of the code that keeps cropping up in QA, I wouldn't guarantee it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Thanks. New learning today.
-
My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D
-
My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D
I may climb a tower over multiple systems, the VPN, Active Directory, Global network, etc. All of them have different expiration policies so syncing up passwords is a real PITA. Don't give me the crap about they all should have different passwords, all those systems are part of the work ecosystem. Currently, I have 3 different passwords because of the timing. There's one of them that expires the fastest, that I can't figure out which part of the environment it controls since I rarely type it.
-
This means they are storing all your previous passwords. Do they guarantee you that their password storage is never going to be compormised?
Quote:
This means they are storing all your previous passwords.
No, it doesn't mean that. They could be storing the hash of the password and reusing the salt on the new password.
-
MadGerbil wrote:
If you write a password management system and force people to change passwords every 30 days
this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess. It is a valid level of security. You should be more than glad they don't make you change your password every week. And no, they are not bad people for doing this. No more as bad as the doctor who tells you to quit smoking. I agree it is frustrating, very much so.
Quote:
this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess. It is a valid level of security.
It isn't a valid level of security. That policy came from an era when PCs were not connected to the internet, hence someone who wanted to use your compromised password would have to literally break into the office. So limiting the passwords to 30 days mitigated that risk. Now, if your password is compromised they will, in the first two minutes, install a keylogger, thereby having all future passwords of yours. It gets worse - because of the requirement of regular password changing, people simply use easy to remember passwords. In effect, the password expiry policy actually forces people to use less secure passwords than they would have done without the policy. So, no, password expiry is stupid policy, encourages weaker passwords and, IME, only recommended by people who don't know much about security, encryption or stuff like that (i.e. IT and Network staff).
-
My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D
I found KeePass here in Code Project, and have been using it ever since. I think it is terrific :thumbsup::thumbsup: and have had no problems with passwords since I started using it. You should give that try.
-
MadGerbil wrote:
If you write a password management system and force people to change passwords every 30 days
this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess. It is a valid level of security. You should be more than glad they don't make you change your password every week. And no, they are not bad people for doing this. No more as bad as the doctor who tells you to quit smoking. I agree it is frustrating, very much so.
If your password is compromised, then the hacker has 30 days to casually do what he wants and finish, besides changing the password himself. So what has that 30 day password change accomplished? Nothing. It might be effective if your account is put in a bucket and not bought and used for more than 30 days.
-
This means they are storing all your previous passwords. Do they guarantee you that their password storage is never going to be compormised?
They likely are only storing hashes of previous passwords.
-
My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D
Two Factor Authentication... And EMAIL Me when the SECOND Factor Fails, as well as the IP Address. Text me as well, and allow me to text back: BLOCK (and have it block the IP Address) I have an encrypted file with HUNDREDS of passwords stored. You know what PEEVES me... Companies who LIMIT the LENGTH of the password! Come on! The password gets HASHED, store the hash. Salt should be unique per account. I like to use: GUIDs + A word or two on each side. You CANNOT imagine the number of sites that won't even take a full GUID as a password. Everything should have 2FA... IMO... Then password security is less important. Also, some kind of internet blackhole for where these attacks come from. I used to see them attacking my server all the time, until I configured fail2ban to block on 404 and many other attempts. It took about 180 days before the hackers gave up and my banlist is reasonable.
-
My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D
My company does the same thing with corporate passwords, which we are required to change every 45 days. I therefore use the tried-and-true
{password}{punctuation-character}{month}and change it on the first working day of every month. The punctuation character changes annually.Software Zen:
delete this; -
I found KeePass here in Code Project, and have been using it ever since. I think it is terrific :thumbsup::thumbsup: and have had no problems with passwords since I started using it. You should give that try.
-
My credit union forced me to change my password but won't let me use a previous password. I don't know why I get irrationally angry over this - I guess I feel passwords are kind of personal and telling me that I cannot use an old one doesn't improve security at all and seems invasive. If I write insecure passwords changing guest1 to guest2 isn't an improvement. If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement. There is more B.S. superstition around password management than I can handle. One of the most boogered things in all of IT are password management systems. If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE. Because of this I need to take a hostage. I hope she's cute. :D
I keep all my passwords in a password manager program (PasswordSafe), with the encrypted data file stored on DropBox so I can get at it everywhere. This allows me to use unique strong passwords everywhere. With just a double-click, any password is put on the clipboard for easy pasting into the password textbox. Of course, that means there's one password I actually have to remember & type in myself, which means it's not particularly strong. So, of course, it's the most important --- the one to unlock my PC.
Truth, James
