Admin
You mean
Password-1 Password-2 Password-3 ...
These rules practically guarantee that people will start to use patterns (and yet are very common). Maybe we should have "no common sub-strings of more than 2 characters", instead of "no repeats"
Admin
The best laid schemes o' mice an' men...
Admin
Really?
I find quite the opposite... you can depend on it.
Admin
Or how about something like making a very secure password in the first place, and not making users change it every N days? I'm sure if you give even a new person a password of Iwkrds*(4kSY73o)(383, they'll remember it eventually (give them a month or two).
Forcing users to change secure passwords and make new secure passwords just encourages them to choose weaker, easier to remember passwords, follow a pattern, or write the damn thing down. Let them make a really secure password and have them change it really infrequently, and you'll find those passwords are more secure, longer, and won't be easily guessed (bonus points for trying to crack them and making those whose passwords are too easily guessed change them to something more secure).
Sometimes IT policy ought to step back and examine the intentions. Changing passwords every X months ends up leading to insecure passwords as users have to write them down (the instant they get comfortable with them, they have to change 'em), choose insecure pattern ones, or other stuff. But give them a really complex one that they can't change, and they'll find muscle memory and such means they don't forget it/write it down/etc. Is one secure password string that doesn't change over 5 or 10 years better than a changed password every month? After about 6 months, it probably will be.
CAPTCHA: gygax. Cool!
Admin
Ah, yes. Core Memory. Turn the machine off, ship it across the country, and turn it on. The hardware cycles through and you start setting type. -- 1976, a Mergenthaler VIP typesetting machine -- long before Adobe and TrueType.
Xenon strobes and photographic paper, darkrooms and the such, and "programming" a 16K memory minicomputer. Those were the days.
My introduction to all this was learning how to visually read the TTS paper tape.
Admin
One of the reasons for following this blog is that every once in a while, someone comes out with something that just makes incredible sense. Being asked to change a password to "something completely different" every 40 days is completely retarded.
Admin
I find myself wondering, as the project manager for an open-source IBM mainframe emulator, just what emulation environment they set up.
It is possible to bypass security on IBM's mainframe OS from the 1990-2001 era, but it's a royal pain in the butt.
Admin
[quote user="bramster"][quote user="Worf"][quote user="Alchymist"][quote user="snoofle"]Having thought about it for a few minutes, I wonder if they also require byzantine password change rules (you know, 8+ characters, mixed case, at least one digit and at least one non-alphanumeric symbol, changed every month with no repetitions for at least 13 months)? Should make getting this guy up and running more interesting...[/quote]
You mean
Password-1 Password-2 Password-3 ...
These rules practically guarantee that people will start to use patterns (and yet are very common). Maybe we should have "no common sub-strings of more than 2 characters", instead of "no repeats"[/quote]
Or how about something like making a very secure password in the first place, and not making users change it every N days? I'm sure if you give even a new person a password of Iwkrds*(4kSY73o)(383, they'll remember it eventually (give them a month or two).
Forcing users to change secure passwords and make new secure passwords just encourages them to choose weaker, easier to remember passwords, follow a pattern, or write the damn thing down. Let them make a really secure password and have them change it really infrequently, and you'll find those passwords are more secure, longer, and won't be easily guessed (bonus points for trying to crack them and making those whose passwords are too easily guessed change them to something more secure).
Sometimes IT policy ought to step back and examine the intentions. Changing passwords every X months ends up leading to insecure passwords as users have to write them down (the instant they get comfortable with them, they have to change 'em), choose insecure pattern ones, or other stuff. But give them a really complex one that they can't change, and they'll find muscle memory and such means they don't forget it/write it down/etc. Is one secure password string that doesn't change over 5 or 10 years better than a changed password every month? After about 6 months, it probably will be.
CAPTCHA: gygax. Cool![/quote]
This is silly. Writing your passwords down is not a bad thing! Unless you have building security that just allows the public to walk in and out as they please at any time of the day. And if someone can get in and steal or read a bit of paper with the password on it, then they can get in and do more damage than that, or even just steal the whole machine and break the password slowly in their own time.
That said, where I work, they keep all of the backup tapes in a heap next to the file server, which is in the corner of the office. If I wanted to "defect" to another company I could pinch a tape and just hand it over. Not to mention what might happen in a fire, for instance.
Admin
Any chance it was a DEC PDP-8? Any chance it still exists? If so, I am interested in making sure it gets preserved. It is easy to find my real identity by a Google search on my handle...