Code Project, The Lounge

The no 1 irritation in security policies

Tags: csharp, security, performance, help
24 Posts, 9 Posters
L Viljoen wrote:

Hi Guys, I would like to discuss the no 1 problem I see with password expiration as a security policy. I have known it to exist in every enterprise-based system I have ever used, and the only possible thing I can imagine it could possibly protect you from is brute force attacks, but given that other policies are far more effective (3 failed login attempt lockout), what could possibly be the merit of a password expiration policy? Cons are as follows:

  • Usually causes users to use weaker passwords or a small variation of what their current password is.
  • Tech support constantly gets "I forgot my password" or "got locked out" calls.
  • Users start putting their new passwords on sticky notes or write them on a piece of paper on their desks.
  • If it were to defend against brute force, there is always a chance that the new password would speed up the attack by bringing the password closer to the current location of the attack.

I simply wish software developers would start discarding this completely useless policy from their systems!!!!

Chona1171 Web Developer (C#), Silverlight

effayqueue (#15) wrote:

The main reason I can see for doing this is to prevent old employees from hacking into the system. (Yes, when an employee leaves you delete their account, but they may have access to resources using passwords that may not be directly connected to their own Windows identity - for example someone else's password!) In the case of a bank PIN, it's different, as you never go away (you can't leave the company).

GuyThiebaut (#16) wrote:

Chona1171 wrote:

Tech support constantly gets (I forgot my password or got locked out) calls

This should not be necessary. It is possible to set up systems where the users can reset their own passwords with saved security questions etc. I worked for a large corporation where we had this - it was set up precisely to save IT from having to reset passwords.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens
In reply to GuyThiebaut (#16):

L Viljoen (#17) wrote:

Yes, some companies implement it, though it in itself poses a security risk. "What is the name of your dog?", "your birthday", "your mom's maiden name", "first child's name": all things that could be struck up in casual conversation, for example. It is a good idea, but so far I haven't had a single answer giving any merit to that policy. Yes, what if someone gets your password? Chances are he won't wait around for password expiry to kick in before he/she does the damage.
In reply to effayqueue (#15):

L Viljoen (#18) wrote:

Yes, but take this then, for instance: a guy goes away for 2 years, he tries to log in, gets the "change your password" screen and Bob's your uncle, he has the new password. Funny thing is, 4 years after leaving my old company I still have all their remote server IP logins and passwords with full admin access, and my fingerprint still opens the front door of their office. Good thing I am not a psycho out to steal their intellectual property, but I shudder to think what could happen.
Andrei Straut wrote:

Hm, let's just provide a different example. Say you are a business owner / CEO for a multimillion-dollar company specializing in defense contracts. You know many of your employees are plain dumb and barely know how to use a computer. What do you do? You ease the life of your software developers and dumb employees at the cost of your reputation and possible disclosure of classified information, or you moderately hassle them through the password change system, and get to sleep much better at night?

Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.

CMullikin (#19) wrote:

Andrei Straut wrote:

Say you are a business owner / CEO for a multimillion-dollar company specializing in defense contracts. You know many of your employees are plain dumb and barely know how to use a computer. What do you do?

Improve your hiring habits... :doh:

The United States invariably does the right thing, after having exhausted every other alternative. -Winston Churchill
America is the only country that went from barbarism to decadence without civilization in between. -Oscar Wilde
Wow, even the French showed a little more spine than that before they got their sh*t pushed in.[^] -Colin Mullikin
Dalek Dave wrote:

When I was running a mainframe for Granada I had a password policy that forced a monthly change. (This was back in 1992, when dinosaurs ruled the Earth.) After a few months I started receiving complaints. I shit you not, people were complaining that they had changed their passwords too often AND COULDN'T THINK OF ANY MORE! 1.1 million words in the dictionary, and after about three months they had run out? I want you to know we are not talking low-level office fodder here; some of those complaining were senior managers. (I see none of you are at all surprised.) Apparently, having to think of a word and remember it for 28-31 days was considered too difficult for these high-flyers!

--------------------------------- I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave CCC Link[^]

CMullikin (#20) wrote:

Dalek Dave wrote:

I want you to know we are not talking low-level office fodder here, some of those complaining were senior managers high-level office fodder.

FTFY

Andrei Straut (#21) wrote:

Colin Mullikin wrote:

Improve your hiring habits... :doh:

That would mean you can only hire 5.828% percent of the whole population (inside reference here[^]), and I doubt you have the budget to pay them, even for a multi-million dollar company. I am also only half-joking on this one.

CMullikin (#22) wrote:

Andrei Straut wrote:

5.828% percent of the whole population (inside reference here[^])

:laugh: ... Nice job referencing your own joke. :thumbsup:

Andrei Straut (#23) wrote:

They were somewhat related and I just couldn't resist ;P
In reply to L Viljoen's opening post:

lewax00 (#24) wrote:

I agree, for the most part it is kind of overkill. For example, our version control is password protected, but you could just walk in (the door's not locked most of the time), take a hard drive from a computer, pop it in another computer and get access to almost current code, as everyone has the code checked out anyways. (Though this stops you from committing as someone else, which is probably a good thing.) But besides access to proprietary code, having access to my account won't give you anything of real value... the worst you could do is send some emails as me, or submit a bug to the bug tracker (so dangerous! ;P). So I really don't see a point in having that much security on my account. What makes this more annoying is just trying to think of a password that is complex enough to meet requirements, while still being able to remember it, so I don't lock myself out of my account from too many wrong passwords. :doh: