Admin
OK, I'm sure someone will miss the meaning behind my last comments, so I'll give examples, both of which actually happened.
A guy shoots himself in the foot. Not ironic. The guy was a gun safety instructor giving a lesson at the time. That's irony.
A government agency lays off a bunch of people due to lack of work. Not ironic. The agency was the unemployment office. That's irony.
Admin
"The use of words expressing something other than their literal intention" - now THAT is irony.
-- Bender
Admin
Not exactly; that could just be a double entendre, not irony. Remember, irony is the perceived juxtaposition of the intended meaning and the actual meaning. So irony is always noticed by the observer.
Admin
http://www.m-w.com/dictionary/irony
Read it. Then STFU about the definition of irony.
Admin
My company may hold the record for most Gestapo-style password requirements (every 60 days):
The policy may say "for your security", but it guarantees post-it notes all around.
Best security was my university - they ran your proposed password through at least one cracking program. If it was easily cracked (I don't know the criteria) it was rejected.
Admin
And when they start badmouthing you for designing a lousy, insecure system, STFU too.
Admin
I remember that - then he says at least he can read the large print and his eyes fall out, then he's limited to the braille section but then his hands fall off.
Or was that futurama?
Admin
And the accountability is enforced how? If everyone has the same password you can just sign in as someone else if you're planning to do something bad on purpose, or even when you're just starting the day with a bad hangover and know you're going to screw up.
Admin
Plus unless you're using extremely naive algorithms to measure entropy, those requirements all reduce the strength of the password.
My passwords under that policy would be
abcdefg1, bcdefgh2, cdefghi3, defghij4 and so forth in that manner, because then at least I wouldn't have to write it down.
Admin
Funny topic, as just a few weeks ago I wrote a blog post on how the lyrics to the song "Ironic" really aren't about irony. Yes, I know, it's shameless self-promotion, but here's the link:
http://www.alphabetsoupfamily.com/blogs/archive/2007/05/22/24.aspx
It's a coincidence that this post and my blog post are related in such a timely manner, but it's not ironic.
Jeff
Admin
D'oh! If I'd previewed, I'd have realized it wasn't a link. So being the attention whore I am, I'm posting it again, actually as a link!
Jeff
Admin
Spousal authorization would only work in some infamous parts of the world, I would think...
Admin
Taking into account only these two requirements, roughly thirty percent [! - even I didn't expect it to be THAT high] of ten-character random alphanumeric passwords are rejected. That's a thirty percent reduction in the search space for any attacker. 33% of nine-character and a whopping 36 percent of eight-character passwords are rejected. Even more if the double letter requirement is case insensitive: 34, 37, and FORTY percent of 10, 9, and 8-character passwords are rejected. That's almost an entire bit of entropy lost (a random alphanumeric character provides just short of six bits).
Addendum (2007-06-13 17:07): EDIT: Adding state to simulate the "no same character in same position as previous password" rule, the rejection percentages come out to about 48, 49 and 50%.
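An added example (not written by the commenter or by the site) that puts numbers on the argument above from the policy author's side: before shipping a composition rule, measure how much of the uniformly random password space it throws away and how many bits of entropy that costs. It models only the no-double-letter rule (case-sensitive and case-insensitive variants) and the addendum's "no character in the same position as the previous password" rule, because the second requirement the commenter counted is not quoted in this thread; the 62-symbol alphanumeric alphabet, the trial count and the sample previous password are constructed assumptions.

```python
import math
import random
import string

# Assumption matching the comment: uniformly random alphanumeric passwords, 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def no_adjacent_repeat(pw: str, case_sensitive: bool = True) -> bool:
    """Policy rule: no character may equal the one immediately before it."""
    s = pw if case_sensitive else pw.lower()
    return all(a != b for a, b in zip(s, s[1:]))


def no_position_reuse(pw: str, previous: str) -> bool:
    """Addendum rule: no character may sit in the position it held in the previous password."""
    return all(a != b for a, b in zip(pw, previous))


def accept_fraction_adjacent(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Exact survival rate under the case-sensitive no-adjacent-repeat rule:
    the first symbol is free, every later symbol must avoid exactly one value."""
    return ((alphabet_size - 1) / alphabet_size) ** (length - 1)


def bits_lost(accept_fraction: float) -> float:
    """Entropy removed from a uniformly chosen password by rejecting part of the
    space: rejecting half of all strings costs exactly one bit."""
    return -math.log2(accept_fraction)


def simulate_accept_fraction(length, rules, trials=100_000, seed=7):
    """Monte Carlo estimate for rule combinations without a simple closed form
    (case-insensitive adjacency, or adjacency plus a previous-password rule)."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        pw = "".join(rng.choices(ALPHABET, k=length))
        if all(rule(pw) for rule in rules):
            accepted += 1
    return accepted / trials


def policy_report(length: int, previous_password: str) -> dict:
    """Rejection rate and entropy cost of the modelled rules for one password length."""
    adjacent_ci = lambda p: no_adjacent_repeat(p, case_sensitive=False)
    not_previous = lambda p: no_position_reuse(p, previous_password)
    exact = accept_fraction_adjacent(length)
    ci = simulate_accept_fraction(length, [adjacent_ci])
    combined = simulate_accept_fraction(length, [adjacent_ci, not_previous])
    return {
        "rejected_adjacent_exact": 1 - exact,
        "rejected_adjacent_case_insensitive": 1 - ci,
        "rejected_with_previous_rule": 1 - combined,
        "bits_lost_combined": bits_lost(combined),
    }


if __name__ == "__main__":
    PREVIOUS = "Qx7mA2bH9k"  # constructed sample of the user's previous password
    for n in (8, 9, 10):
        r = policy_report(n, PREVIOUS[:n])
        print(f"{n} chars: "
              f"{r['rejected_adjacent_exact']:.1%} rejected (no double letters), "
              f"{r['rejected_adjacent_case_insensitive']:.1%} (case-insensitive), "
              f"{r['rejected_with_previous_rule']:.1%} with previous-password rule, "
              f"{r['bits_lost_combined']:.2f} bits lost")
```

The exact formula is enough for the single adjacency rule; the simulation is there so that any further rule can be dropped into the list and measured the same way. Note that the previous-password rule only shrinks the space for an attacker who already holds the previous password, which is the point the next comment makes.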
Admin
But adding the state doesn't help the hacker as he would have to know the previous password in order to use it. As it does reduce things further over time, the overall pool of possible passwords remains the same.
Admin
Yeah, it's amazing people still stand by the "cycle your password every X days" crap.
You know, most people remember even the most complex random-number/letter/capitals/punctuation password over time. Eventually, they'll have it memorized (normally takes anywhere from a week to a month). At which point, their passwords are very secure complexity-wise, only that some idiot policy makes them change it shortly thereafter. Now they're stuck with a new password, which they have to write down because there's no way they can remember it! (And it lowers security, because if they know they can't remember it, they'll choose less secure passwords.)
Sometimes it's better to let a more secure password linger for years than to have people change it every couple of months (in which case they'll choose much less secure ones).
Unfortunately, it's a positive feedback system. Users pick more easily memorable passwords because they're fed up memorizing/writing down their old ones, policy holders see post-its/less secure passwords and decrease the password lifetime...
Admin
Once upon a time, this made a lot of sense. Passwords on some systems (i.e. old Unix systems) used to be stored using a relatively weak hashing algorithm in a world-readable file. So when you changed your password, you had a window of a few months during which your password could be presumed "safe", after which, you really should change it. Unix systems eventually went to shadowed password files, but Windows reintroduced the same issue with the Windows password hashing system in the LAN manager days.
Today, this is less justifiable. But there is still some logic to it. If you have a means of login that does NOT lock out accounts after N failed logins, then it's possible for an exhaustive search attack to find your passwords, unless you periodically change your passwords. There is also always the chance that your passwords have been compromised via a one-time attack, which wasn't detected; periodically changing passwords limits the damage that the attacker can do.
Admin
Regarding the Alanis Morissette song "Ironic" -- is it not true that only one subject of what she was singing qualifies (possibly) as irony, while the rest is something else? It should be renamed to "!Ironic" or the like.
Admin
Well, I (and I don't think my wife does either) don't really care about the song, just Alanis Morissette's stupidity. Actually, I don't even care about her.
But apparently myself and a lot of other people care about commenting about not caring. :p
Admin
.... Shudder .....
Admin
Yeah, and if we enforce security the lusers run to their PHB and lie that they cannot work because of the new password rules.
Admin
If they are that serious about security then they would accompany the above mentioned password measures with physical workplace security reviews held well after working hours: check every workplace by experienced security personnel (or a PI specialized in things like that) and somebody from HR called in just before the review, document every security violation (photo) and then fire a few violators "pour encourager les autres".
Admin
That only works if you have the specs in writing. Do you really think that users like that would write everything down - no way. A dorky "requirement" (and I am using the phrase in the widest possible context) would almost naturally be verbal. And then you have to decide what to do: (a) refuse to do it until they give it to you in writing. If you are an employee then they can just order you to implement it eventually (user PHB runs to IT PHB and complains, IT PHB gives a direct order - works every time). (b) do it, and report in writing to your IT PHB and get the PHB to sign along with date received a written copy of the report. Then it is the PHB's problem and you have your own CYOA document (keep it at home in plastic because of the PHB's fingerprints, and a scan of it in your computer files, so that when they raid your desk/cubicle to get at it they don't have a chance).
Admin
Agreed. I find that password policy makers and users need to meet half-way. I don't expect a small company user to have an overly complicated, constantly changing password in a non-essential local app, but it grates on my nerves when I see them use 12345. My usual suggestion is to use the first letter of each word in a random phrase (i.e. "to be or not to be", etc.), which is both memorable and makes a semi-decent password. Most times though I get blank stares and requests for a 3-letter password, which needless to say is used by the whole office.
Admin
I'm not sure that Ms Morissette had much in mind at all. However, wouldn't it be more ironic (given the superstition) if it didn't rain on your wedding day - the agony of seeing such a beautiful day and knowing it was unlucky? Or perhaps the true irony lies in the fact that her song contained nothing ironic, yet was called 'Ironic'? Maybe that was her intent? = Recursion!!
Admin
This is like IIS (Microsoft Internet Information Server)... if you disable anonymous FTP (which is enabled by default) you're prompted with the warning that sending passwords across the internet isn't secure and that you'd better leave anonymous FTP on unless you really don't want it...
Coditor
Admin
The only case that makes sense is that passwords tend to be diffused/spread to other people. Which is bad: how many people would change their password by themselves, even after they gave it to anybody? Still, this is completely overshadowed by the classical post-it consequence of mandatory changes.
You might also have the dreaded expired account (the person has left) but the account has not been removed (which is stupid of course).
Admin
http://www.collegehumor.com/article:1711139
I decided to forgive Alanis for "Ironic" the day I saw the video of her cover of "My Humps".
Admin
Max 10 characters? What? If anything, that makes it more predictable, because you know the calculation time. I guess this was a compromise because Doris at marketing couldn't remember hers for 4 times in a row.
No double letters? Yeah, because whatever's in a good password can be used as a hint to look for the next letter. Brute force doesn't work that way.
No repeating? Combine this with the 60 days policy and you'll get incremental passwords like lion1234, puma2345 etc.
Actually, Post-It notes are the best way to push the idiots in charge of this to a better solution. Just invite one to come with you and make a roundtrip at the keyboards - if you can show you can compromise 80% of the workforce's system thanks to their stupid measures, I think you may have a point. Don't do this by yourself - such a security "audit" means getting fired.
Good luck.
Admin
Why would you want to change a password when you find one of a pair of knee-length trousers? Oh, I see, it is if you find some buttocks --- or a baby about to be born the wrong way round. Then of course you do...
Admin
Or you could always just set up a temporary path to the user's machine and get the files that way.
Admin
What you saw was the parody of the actual episode. In the Twilight Zone episode his glasses break and that's the end. Your version was most likely from either the Simpsons or Futurama.
Admin
Yeah, predominantly in the bible belt of the US. ;)
Admin
If they're serious about security at all, they'll hire someone to tell them they shouldn't be cutting the number of possible passwords in half.
Admin
You know, you can simply say "hey, can you email that request to me because I'll never remember it." I used to do that where I worked before as a C.Y.A.
Now, thankfully, we have a work request system where any changes have to be submitted to that and approved by the requestor's supervisor. It then gets estimated and goes through a further approval process. Any changes that are more urgent (such as data fixes) are done and then the request is submitted.
I like this system much better.
Admin
good one :)
Admin
Or like my new job.