The no 1 irritation in security policies
-
Hi Guys, I would like to discuss the no. 1 problem I see with password expiration as a security policy. I have known it to exist in every enterprise-based system I have ever used, and the only possible thing I can imagine it could possibly protect you from is brute force attacks, but given that other policies are far more effective (3 failed login attempt lockout), what could possibly be the merit of a password expiration policy? Cons are as follows:
Usually causes users to use weaker passwords or a small variation of what their current password is.
Tech support constantly gets "I forgot my password" or "got locked out" calls.
Users start putting their new passwords on sticky notes or write it on a piece of paper on their desks.
If it were to defend against brute force, there is always a chance that the new password would speed up the attack by bringing the password closer to the current location of the attack. I simply wish software developers would start discarding this completely useless policy from their systems!!!!
Chona1171 Web Developer (C#), Silverlight
-
Chona1171 wrote:
I simply wish software developers start discarding this completely useless policy from their systems
You do realise that this is normally corporate policy, rather than developer policy, don't you? Your first con is disingenuous because you wouldn't just use expiration on its own; you should combine it with policies relating to the strength of the password, e.g. no less than 10 characters, must contain 2 symbols which cannot be the same, combination of upper and lower case, etc.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
-
Also, not all passwords are related to brute-force hacking. For those obtained via social engineering there is no brute-force attempt => no reason to lock a user out. Forcing the user to change their password at specified intervals would prevent a password obtained in this way from always working, of course assuming the hacker is stupid enough not to change it (EDIT: or grant himself a permanent way into the system), or the user is stupid enough to provide their new password again.
Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
-
I have yet to meet a single developer who would voluntarily implement a security policy, ANY security policy. Generally it is an Enterprise or Client requirement and the developer will be sacked if it is not implemented or exposure to the internet forces a defensive implementation.
Never underestimate the power of human stupidity RAH
-
Pete O'Hanlon wrote:
Your first con is disingenuous because you wouldn't just use expiration on its own; you should combine it with policies relating to the strength of the password, e.g. no less than 10 characters, must contain 2 symbols which cannot be the same, combination of upper and lower case, etc.
Yes, let's say it cannot be the same and needs uppercase and numeric, as an example; so from Password123 you can vary Password321, pASSWORD321, etc. Please don't think I am simply blowing smoke; what I am talking about, I talk about from personal experience, and if it is company policy, at some stage an IT advisor actually recommended it.
Chona1171 Web Developer (C#), Silverlight
-
That also begs the question: if this carried any merit, why doesn't my bank ask me to change my PIN code every 3 months, or my internet login password? I mean, what the boss says goes, but if an employee is stupid enough to share his password with co-workers he is most likely in violation of his conditions of employment.
Chona1171 Web Developer (C#), Silverlight
-
Hm, let's just provide a different example. Say you are a business owner / CEO for a multimillion-dollar company specializing in defense contracts. You know many of your employees are plain dumb and barely know how to use a computer. What do you do? You ease the life of your software developers and dumb employees at the cost of your reputation and possible disclosure of classified information, or you moderately hassle them through the password change system, and get to sleep much better at night?
Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
-
The weakest link in ANY or ALL security protocols is the human being sitting at a keyboard. Famous Frankie Boyle sketch in which he explains about security: a laptop had been left on a train, and the MOD explained there were passwords in place. Boyle pointed out that this was rubbish as these guys were IT nerds... "All you need to do is turn it on, type 'Gandalf' and you're in!" I choked on my cornflakes, for my password at work is... "Gandalf".
--------------------------------- I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave CCC Link
-
Chona1171 wrote:
Password123 you can vary Password321
Most companies that I know have their policies exclude passwords that so blatantly use large chunks of previous passwords, and so what if they do? They also implement lockout procedures, so trying to brute force this is immaterial. The point isn't that a policy should exist in isolation, it's so that it sets a minimum set of standards that ensures that people don't just choose abc123 as their password - it's to force people to think about their passwords.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
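As an added example (not code from the thread or any poster), here is a Python password-change validator that applies the kind of rules Pete O'Hanlon lists (minimum length, mixed case, two distinct symbols) and, on top of that, rejects a new password that reuses a large consecutive chunk of the previous one, which is exactly what lets Password123 become Password321 or pASSWORD321. The thresholds, messages and sample passwords are my own assumptions.

```python
# Added example (not from the thread): a password-change validator that applies
# the kind of rules Pete O'Hanlon describes and additionally rejects a new
# password that reuses a large consecutive chunk of the previous one, so that
# Password123 -> Password321 / pASSWORD321 is refused. Thresholds are assumptions.
import string
from typing import List, Optional

MIN_LENGTH = 10            # Pete's "no less than 10 characters"
MIN_DISTINCT_SYMBOLS = 2   # "2 symbols which cannot be the same"
MAX_SHARED_FRACTION = 0.5  # assumption: refuse if more than half of the new
                           # password is one consecutive run lifted from the old one
SYMBOLS = set(string.punctuation)


def complexity_errors(pw: str) -> List[str]:
    """Static rules on the new password alone (Pete's list plus the numeric
    requirement Chona1171 mentions)."""
    errs = []
    if len(pw) < MIN_LENGTH:
        errs.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        errs.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        errs.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        errs.append("no digit")
    if len({c for c in pw if c in SYMBOLS}) < MIN_DISTINCT_SYMBOLS:
        errs.append(f"fewer than {MIN_DISTINCT_SYMBOLS} distinct symbols")
    return errs


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters that appears in both strings
    (classic O(len(a)*len(b)) dynamic programme, one row of state at a time)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def reuse_error(new_pw: str, old_pw: str) -> Optional[str]:
    """Reject a new password that is a trivial rewrite of the old one.
    Comparison is case-folded so pASSWORD321 is treated like password321."""
    n, o = new_pw.casefold(), old_pw.casefold()
    if not n:
        return None  # the length rule already reports an empty password
    if n == o:
        return "identical to the previous password (ignoring case)"
    shared = longest_common_substring(n, o)
    if shared / len(n) > MAX_SHARED_FRACTION:
        return (f"reuses {shared} consecutive characters "
                f"of the previous password")
    return None


def validate_change(new_pw: str, old_pw: str) -> List[str]:
    """All reasons the change should be refused; empty list means accepted."""
    errs = complexity_errors(new_pw)
    reuse = reuse_error(new_pw, old_pw)
    if reuse:
        errs.append(reuse)
    return errs


if __name__ == "__main__":
    # Constructed sample changes, including the thread's own Password123 family
    # and a "counter" password of the kind Mycroft Holmes jokes about.
    for old, new in [("Password123", "Password321"),
                     ("Password123", "pASSWORD321"),
                     ("MyPassw0rd!#67", "MyPassw0rd!#68"),
                     ("Password123", "Tr!ck-Hat9x")]:
        print(f"{old!r} -> {new!r}: {validate_change(new, old) or 'accepted'}")
```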
-
Yes, but given my argument, does it carry any merit at all then? Better would be in that case to change the password with a random sequence every day, and hand each employee a sealed envelope with their codes every day they check past security. Or better yet, the good old trusted fingerprint biometric login (requesting a random finger). (I know for web-based systems it becomes a bit more complicated, but I have developed a nice ClickOnce app before that does it.)
Chona1171 Web Developer (C#), Silverlight
-
When I was running a mainframe for Granada I had a password policy that forced a monthly change. (This was back in 1992, when dinosaurs ruled the Earth). After a few months I started receiving complaints. I shit you not, people were complaining that they had changed their passwords too often AND COULDN'T THINK OF ANY MORE! 1.1 Million words in the dictionary, and after about three months they had run out? I want you to know we are not talking low-level office fodder here, some of those complaining were senior managers. (I see none of you are at all surprised). Apparently, having to think of a word and remember it for 28-31 days was considered too difficult for these high-flyers!
--------------------------------- I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave CCC Link
-
Pete O'Hanlon wrote:
choose abc123 as their password
Will you please NOT publish my password on the interweb
Pete O'Hanlon wrote:
use large chunks of previous passwords
I have a counter in my password, it is up to 68 :-O
Never underestimate the power of human stupidity RAH
-
Wow... yes, it would be great to see stats of certain movie characters being used by IT geeks. Mine, on the other hand, is a combination of a Windows 95 product key first sequence, 2 special characters, a Windows XP product key first sequence, 2 special characters, 5 characters of pi, and the initials in capitals of the website that I have accessed (Code Project - CP, Facebook - FB), leaving me with a 21-character alphanumeric, special character and capital sequence :)
Chona1171 Web Developer (C#), Silverlight
-
While that is true, it still doesn't change the fact that users are still dumb, some of them will use the envelope and others won't know what finger they're supposed to scan. The point is, you'll always introduce more complexity and user hassle while introducing better security. The point is to simply decide how far you want to go with your security procedures, and whether they are worth it. I have no idea whether it would be possible to enhance security without enhancing your users as well - as said before, humans are (mostly) always the weakest link in the system.
Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
-
The main reason I can see for doing this is to prevent old employees from hacking into the system. (Yes, when an employee leaves you delete their account, but they may have access to resources using passwords that may not be directly connected to their own Windows identity - for example someone else's password!) In the case of a bank PIN, it's different, as you never go away (you can't leave the company).
-
Chona1171 wrote:
Tech support constantly gets "I forgot my password" or "got locked out" calls
This should not be necessary. It is possible to set up systems where the users can reset their own passwords with saved security questions etc. I worked for a large corporation where we had this - it was set up precisely to save IT from having to reset passwords.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
Yes, some companies implement it, though it in itself poses a security risk. "What is the name of your dog", "your birthday", "your mom's maiden name", "first child's name", all things that could be struck up in casual conversation, for example. It is a good idea, but so far I haven't had a single answer giving any merit to that policy. Yes, what if someone gets your password; chances are he won't wait around for password expiry to kick in before he/she does the damage.
Chona1171 Web Developer (C#), Silverlight
-
Yes, but take this then for instance: guy goes away for 2 years, he tries to log in, gets the change-your-password screen and Bob's your uncle, he has the new password. Funny thing is, 4 years after leaving my old company I still have all their remote server IP logins and passwords with full admin access, and my fingerprint still opens the front door of their office. Good thing I am not a psycho out to steal their intellectual property, but I shudder to think what could happen.
Chona1171 Web Developer (C#), Silverlight
-
Andrei Straut wrote:
Say you are a business owner / CEO for a multimillion-dollar company specializing in defense contracts. You know many of your employees are plain dumb and barely know how to use a computer. What do you do?
Improve your hiring habits... :doh:
The United States invariably does the right thing, after having exhausted every other alternative. -Winston Churchill America is the only country that went from barbarism to decadence without civilization in between. -Oscar Wilde Wow, even the French showed a little more spine than that before they got their sh*t pushed in. -Colin Mullikin
-
Dalek Dave wrote:
I want you to know we are not talking low-level office fodder here, some of those complaining were senior managers high-level office fodder.
FTFY
The United States invariably does the right thing, after having exhausted every other alternative. -Winston Churchill America is the only country that went from barbarism to decadence without civilization in between. -Oscar Wilde Wow, even the French showed a little more spine than that before they got their sh*t pushed in. -Colin Mullikin