Admin
Hardly. Enforced password changes are a classic piece of cargo cult. Everyone does them because everyone does them, not because they understand why they are doing them. They don't improve security. In fact they probably decrease it.
The one time regular enforced changes are sensible is when a code (such as an access code on a door) is shared among several people. Otherwise not.
Admin
In case you were wondering, that was sarcasm.
Admin
I happen to agree. Frequent password changes force people without an extremely good memory to write down every password and what application the password is supposed to access. Written-down passwords, as a previous poster said, are one of the most glaring security risks there is.
Admin
Um, no. My friend rents an office in a *large* building. The building has rent-a-cops sitting at the front desk. THEY were the ones who broke in and stole the stuff. Not my friend's employees, but still...
Admin
Thank you! Danke schön! About time someone says something about it. We are all nerds here; something redundant like "PIN number" and "ATM machine" shouldn't even be in our vocabulary...!
Admin
And the password for passwords.xls is: dilb3rts
Admin
The place I work in must be extremely anal about passwords. They have the usual 90-day change policy, but I have no less than 7 different passwords (one for each of the 7 different systems, which all have different password requirements: upper/lower/number/with[out] special chars/min-max length). Then, all seven systems keep track of the last THIRTEEN passwords so you can't duplicate them.
Admittedly, I memorized just the main system's password. Then I have a NOTE in Outlook with all of the passwords, written in what is obviously a hint to me, but will mean nothing to anyone else.
Of course, all seven login names are different too, so they're in the note as well.
I do NOT look forward to my 90th day on this job when I need to rotate 7 passwords 13 times. *sighs*
Admin
I can absolutely see this happening. The company I used to work for required us to give the operations manager our passwords. I flat out told her no in an email. I got called in to my supervisor's office and told that she thought it was rude, and what happened if someone needed to access my emails when I was not there? I told him that's what the admin account was for, and if his sysadmin didn't know how to access it I'd be happy to show him. However, I was not giving my password to anyone so they could write it down or store it in a file. Kind of defeats the point of the password. They still got angry, so I made up a password and gave it to them. Never occurred to them that it wasn't the right one.
Admin
No, but 55 / (55+30) ~ 60% (as the OP claimed).
Admin
Not before it has been printed, faxed to the next room, placed on a wooden table, photographed, scanned and added to the company's website to prove their security methods to potential clients.
Beanbag girl and Foosball girl are the same chick, only in different modes.
Admin
I like that, making up a password for them. We do have to give copies of our safe combinations to our group office, but those are sealed in envelopes, and must have two people present both to open the envelope and then to open the safe, in case of emergencies.
Where I work, we have security posters up that emphasize to us the importance of not sharing our passwords with anyone. We could probably have security escort out anyone that tried to demand a password from someone.
For the mundane office work that requires a password (such as entering our time), we have smartcards. Most of us have two smartcards: One for the open network, and one for the classified network.
Admin
Regular password changes are not always the best thing to do. If you require password changes too often, people indeed start to write them down and slip them under the keyboard.
You change passwords when you have evidence that a password leaked out. E.g. a sys admin leaving means you change all sys admin (root, etc.) passwords. An employee leaving means you block all his/her accounts. A normal employee leaving who had access to a shared account with a shared password (bad!) means you change the shared password. A contractor leaves who had access ... you know the drill.
Monitor account usage. If things look normal, if nothing happens, you don't require to change passwords. If you see strange access patterns, require a password change.
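The "monitor account usage, and only force a change when the pattern looks wrong" approach above can be made concrete. What follows is an added example, not code from the post or from The Daily WTF: it parses a constructed, sshd-style authentication log (the line format and the users, addresses and times are all made up for the example), builds a per-user baseline from entries before a cutoff date, and then reports which accounts' later activity departs from that baseline (a login from a source address never seen before, a login outside the user's usual hours, or a run of failed attempts immediately before a success) and so warrant a forced password change.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not taken from the thread). Entries
# before the cutoff form the per-user baseline; later ones are reviewed.
SAMPLE_LOG = """\
2024-02-26T09:02:11 user=alice src=10.0.0.12 result=success
2024-02-26T09:05:40 user=bob src=10.0.0.31 result=success
2024-02-27T08:58:03 user=alice src=10.0.0.12 result=success
2024-02-27T09:10:22 user=bob src=10.0.0.31 result=success
2024-02-28T09:01:55 user=carol src=10.0.0.44 result=success
2024-02-28T17:30:09 user=alice src=10.0.0.12 result=success
2024-03-01T03:14:02 user=bob src=198.51.100.7 result=success
2024-03-01T09:03:17 user=alice src=10.0.0.12 result=success
2024-03-01T09:12:01 user=carol src=10.0.0.44 result=failure
2024-03-01T09:12:09 user=carol src=10.0.0.44 result=failure
2024-03-01T09:12:18 user=carol src=10.0.0.44 result=failure
2024-03-01T09:12:27 user=carol src=10.0.0.44 result=failure
2024-03-01T09:12:39 user=carol src=10.0.0.44 result=success
"""

# Shape of the constructed log lines; real logs need their own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse lines into (timestamp, user, src, ok) tuples, oldest first.
    Lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"],
                           m["src"], m["result"] == "success"))
    events.sort(key=lambda e: e[0])
    return events


def build_baseline(events):
    """Per user: the source addresses seen and the hours of successful logins."""
    baseline = {}
    for ts, user, src, ok in events:
        if not ok:
            continue
        entry = baseline.setdefault(user, {"srcs": set(), "hours": []})
        entry["srcs"].add(src)
        entry["hours"].append(ts.hour)
    return baseline


def review(log_text, cutoff, fail_threshold=3):
    """Return {user: [reasons]} for accounts whose post-cutoff activity looks
    unlike their baseline and therefore warrants a forced password change.
    Accounts with nothing suspicious are simply absent from the result."""
    cutoff_ts = datetime.fromisoformat(cutoff)
    events = parse_log(log_text)
    baseline = build_baseline([e for e in events if e[0] < cutoff_ts])
    reasons = defaultdict(list)
    recent_failures = defaultdict(int)   # consecutive failures since last success
    for ts, user, src, ok in events:
        if ts < cutoff_ts:
            continue
        if not ok:
            recent_failures[user] += 1
            continue
        known = baseline.get(user)
        if known is None:
            reasons[user].append("no baseline activity for this account")
        else:
            if src not in known["srcs"]:
                reasons[user].append(f"login from unseen source {src}")
            lo, hi = min(known["hours"]), max(known["hours"])
            if not lo <= ts.hour <= hi:
                reasons[user].append(
                    f"login at {ts.hour:02d}:00, outside usual {lo:02d}-{hi:02d}")
        if recent_failures[user] >= fail_threshold:
            reasons[user].append(
                f"{recent_failures[user]} failed attempts immediately before success")
        recent_failures[user] = 0
    return dict(reasons)


if __name__ == "__main__":
    for user, why in review(SAMPLE_LOG, "2024-03-01").items():
        print(f"{user}: force password change ({'; '.join(why)})")
```

On the constructed log, alice is left alone (same address, usual hours), bob is flagged for a 03:00 login from an address never seen before, and carol is flagged for four failures immediately before a success. The hour window and the failure threshold are deliberately crude; the point is that the trigger for a reset is evidence about the account, not the calendar.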
Admin
Admin
At my last sysadmin job, I got the label maker and put two incredibly bogus passwords on the bottom of my keyboard. I wonder if anyone ever tried them...
Admin
Floppies? FLOPPIES?! We had to toggle in the boot strap on the front panel of the machine, only later we got a punched tape system to load our programs and data off of!
Young people these days. *hrumph*
Admin
Admin
There's a nice mental picture.
Admin
Admin
Actually the theory behind frequent password changes is that if someone steals the file with all the hashes, you get to change them before he can rip them. Of course the practice is writing it onto sticky notes or use the same password for every system or use a sequence your policy doesn't check against.
Admin
So is 3/5. Coincidence?
Speaking of penetration by outsiders and the mental picture of foosball girl on top of beanbag girl...
Admin
On one of our systems we have a truly evil policy: passwords expire after 30 days but the mandatory minimum delay between two consecutive password changes is ... drumroll... yes, 30 days.
Admin
Because no real company would have such a brain-dead password changing scheme, I must conclude that this is all an elaborate phishing scheme designed to gain access to Brian K's commonly-used passwords. When he goes in on Thursday he'll find that the office has been stripped bare and his bank account is empty. Only then will he realize that all of the other employees were simply actors in a fabricated reality, a la "The Prisoner".
Admin
This reminds me of a bug (or undocumented feature) I found a short while ago in one web-based system. When logging into the system, it only checks the first 8 characters of the password. If your password is longer than 8 characters, the rest of the characters can be anything or missing.
I'm just a regular user of the system, so I can't access the source code, but I believe that somewhere in the database there is a field called `password` varchar(8) instead of storing a hash of the password.
Admin
To all new employees:
please write your password down, and place it under your keyboard. After your work, we will take it, and set your new password in all of our systems.
Admin
What's wrong with using an ATM machine? Beats using an Ethernet machine!
Sorry, will go back under rock now.
Admin
I have to tell this to my users often. Fortunately, I only have about three of them.
Admin
I worked for a company this bad once. The IT manager was completely incompetent: a fresh grad who magically found his way into the job. He insisted on keeping everyone's password in a file "just in case".
What's worse, the guy couldn't type; he would hunt and peck one key at a time.
My department were so utterly frustrated with this policy that I later found out that one of my guys changed his password to "thequickbrownfoxjumpsoverthelazydog" just for the satisfaction of the corresponding mental image... ....t.....h......e......q.......u......i... (you get the idea)
Admin
This could well be a system using the basic Unix crypt() function, that (if not patched) only works on the first 8 bytes.
Admin
Hate to nitpick, but WTF is with "PIN number"? That's like saying "personal identification number number"; it's as bad as "ATM machine". (Just one of my pet hates.)
Anywho, I would love to work for this place; you could use the payroll officer's username to change your pay. : )
captcha: perfection LOL
Admin
How about "Windows 2000, built on NT Technology"
Admin
When I get in the right mood, I'll prod stupidity like this with a stick until it dies or I get bored... in this case I foresee the following exchange:
Me: My new password should be "aaaaaaaa"
Them: Inappropriate. Please mix the case.
Me: But you said "it may include upper/lower/number". You didn't say "must".
Them: It must include upper/lower
Me: Make it "Aaaaaaaa"
Them: Please include numbers too.
Me: Make it "Aaaaaaa1"
Them: Inappropriate. Too easy to guess.
Me: No it's not. It's hard to guess. You'd never guess it in a million years.
Them: Just change it.
Me: "Aaaaaaa2"
......
I could keep this going for weeks if the mood struck me and they were persistent enough.
Admin
Brought to you by the Department of Redundancy Department.
Admin
My old Uni system had an automated password robustness checker: you had to have a mixture of upper and lower case, numerals and special characters with no dictionary words, minimum 7 characters I think. All nice, got me in the habit of using strong passwords, except a friend of mine discovered that the password stored by the system used 8 characters, while the robustness checker checked the entire string.
So your new password could be set as "aaaaaaaaaa123#$#ADK" and get through, but to log in you'd only have to type "aaaaaaaa"
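The behaviour described in this post, and earlier in the thread (the web system that only checks the first 8 characters, the `password` varchar(8) guess, and the unpatched crypt() explanation), is easy to reproduce and, more usefully, easy to audit for. The following is an added example, not code from any of the posters or from the systems they mention: `legacy_store`/`legacy_check` are a constructed stand-in for an 8-character truncating store (traditional DES crypt(3) or a varchar(8) column behave this way), `modern_store`/`modern_check` hash the whole password with salted PBKDF2, and the two audit helpers report, for any store/check pair you plug in, the shortest prefix that still authenticates and whether trailing characters are ignored. The 100,000 PBKDF2 rounds are an assumption chosen so the demo runs quickly.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the behaviour the thread describes (traditional
# 8-character crypt(3), or a `password varchar(8)` column): everything past
# the eighth character is silently dropped before the comparison.
LEGACY_LIMIT = 8


def legacy_store(password):
    return password[:LEGACY_LIMIT]          # the silent truncation happens here


def legacy_check(record, attempt):
    # The attempt is truncated the same way, so any suffix is accepted.
    return hmac.compare_digest(record.encode(), attempt[:LEGACY_LIMIT].encode())


# What the same system should do: salt and hash the whole password.
PBKDF2_ROUNDS = 100_000   # assumption: kept low so the demo is fast; raise it in production


def modern_store(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def modern_check(record, attempt):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


def effective_length(store, check, password):
    """Audit helper: the shortest prefix of `password` that still authenticates
    against the record `store` produced for it. Equals len(password) when the
    whole password is checked; smaller when the store truncates."""
    record = store(password)
    for n in range(1, len(password) + 1):
        if check(record, password[:n]):
            return n
    return None


def accepts_trailing_junk(store, check, password):
    """Audit helper: does the correct password plus extra characters still log in?"""
    return check(store(password), password + "NOT_PART_OF_PASSWORD")


if __name__ == "__main__":
    pw = "aaaaaaaaaa123#$#ADK"   # the password from the post above
    for name, store, check in (("legacy", legacy_store, legacy_check),
                               ("modern", modern_store, modern_check)):
        print(f"{name}: effective length {effective_length(store, check, pw)},"
              f" accepts trailing junk: {accepts_trailing_junk(store, check, pw)}")
    print("legacy accepts 'aaaaaaaa':", legacy_check(legacy_store(pw), "aaaaaaaa"))
```

Against the legacy store the 19-character password has an effective length of 8 and "aaaaaaaa" logs in, exactly as the post says; against the PBKDF2 store the effective length is the full 19 and trailing junk is rejected. The same two helpers can be pointed at a real login function (with a test account you own) to find out which of the two behaviours a system actually has, which is the question the robustness checker in this post never asked.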
Admin
This is probably a good time to introduce "proof of concept" on the wooden tabletop *security* scanner.
1) Start with a micro-smooth sanded, unfinished wooden table top. ( the master table )
2) Coat it generously with a ( secret formula ) transfer solvent.
3) Place all the security document print-outs *FACE DOWN* onto the wet table top.
4) 'Take and put' a rug on top of that.
5) 'Take and put' rocks on top of that.
6) Wait a month.
... Time passes...
-) Remove the rugs -n- rocks revealing the ( reverse image ) master table
7) Get another fresh micro-smooth sanded, unfinished wooden table top. ( the transfer table )
8) Coat it generously with ( the secret formula ) transfer solvent.
8) Also re-coat master table top generously with ( the secret formula ) transfer solvent.
9) Up-end the master table top and place it directly ( top to top ) on top of the transfer table.
10) 'Take and put' the same rocks on top of that. ( rock re-use )
11) Wait only a few days. ( timing is critical ) . Don't let the two tables 'bond'.
... Time passes...
12) Separate the table tops. ( typically known as transfer separation )
....For security purposes ( this topic is about security )
13) Burn the master table.
14) Wrap the rug around the transfer table and bury it. ( rug re-use )
15) Mark the burial spot with the rocks ( more rock re-use, this is good, yes? )
... Time passes...until the next security audit
16) Dig up the table for admin purposes.
....For added *EXTRA* security ( this topic is about security )
17) Burn the rug and bury the rocks.
Of course this technology will become public knowledge,
so the real money will be with the consumables...( the secret formula ) transfer solvent.
Admin
Is this the same Brian K as Brian Keron from Volition?
Admin
So what am I supposed to say then, PI number, AT machine? Sounds kind of WTF if you ask me.
Admin
How about "PIN" or "ATM"?
Admin
The real WTF is that some people have to write a frickin' essay instead of a quick comment!
Nobody bothers to read your crap, so don't bother posting it. Do you think it makes you smarter if you type more? Losers!
Admin
I said a hip hop the hippie the hippie
to the hip hip hop, a you dont stop
a rock on, pretty bubba to the boogity bang, bang,
the boogie to the boogity beat!
Admin
Admin
Hey, I do that every day at 10 am in the morning daily.
Admin
Admin
OMG god! WTF f*ck!
Admin
Admin
D*mn you! Now I've got to find a new place to store my password..!
Admin
Is it? I've yet to meet the hacker who can remotely read a post-it note in my desk drawer.
--
Colin
Admin
Really, a post-it note in the (locked?) drawer next to your computer is not that insecure. It's pretty much a given that physical access = pwnage, so IMO the only thing a password will give is system-wide network access, which any half-decent hacker with access to a connected/trusted machine will be able to get for himself anyway.
Still, it'd be nice for the hack that came from my computer to NOT use my password and login, too. :)
Admin
This is true. But I've yet to meet a Sysadmin who could tell me that. And, as you probably know, the policy originated a long time ago on systems with relatively primitive security. Nowadays, if you set up a system properly, the only people who can get at the hash file already have admin rights, so it's an uncommon way of obtaining passwords.
Precisely. (And actually I've not yet encountered a system that checked for sequences anyway.)
Admin
How does the envelope know how many people are present?
Admin
There is a remote system that I log into regularly that runs SunOS 5.9, and it does the same thing. The sysadmins recently upped the password requirements to include odd symbols, numbers, etc., which I added...after the 8th character. I had assumed this was a localized problem, however. Good to know that it's more common than I thought.
Also, at work, our various passwords are dictated to us, and don't seem to ever change (been working there a couple years and they haven't changed yet)....and there's no way for us to change them.
Captcha = Quality