New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste 148
isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
They want us to make it easier for them? (Score:1)
yeah
Re:They want us to make it easier for them? (Score:5, Insightful)
The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.
Re:They want us to make it easier for them? (Score:5, Insightful)
Re:They want us to make it easier for them? (Score:5, Insightful)
I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.
I doubt it's secure, but it allows me to avoid hassles.
Re: (Score:2, Insightful)
But that's the idea behind "frequent changing passwords a waste". I don't even know why changing your password is more secure than keeping a password. Normally you only get a limited amount of tries before your account gets locked anyway. So what does it matter when you keep the same password for the couple of years you use a particular service? And most service you keep for a longer time have better build in security anyway. Like the requirement to verify an e-mail when you log in on a new computer, or sen
Re: (Score:3)
Too similar (Score:5, Interesting)
They caught onto us at our workplace. Now passwords have to be significantly different by some secret algorithm and incrementing a number is not different enough. Of course, that just means people think up other schemes.
Re:Too similar (Score:5, Insightful)
"Think up other schemes?" No, they just start writing passwords down. Behavior becomes less secure.
Re:Too similar (Score:5, Insightful)
Re: (Score:2)
So go with minimum three word pass phrases, only three things to remember and you really run up the number of characters. It is not just three words to decrypt because you do not know word length, so the entire phrase must be decrypted. Even longer phrases really mean it is only one thing to remember the phrase but from the other side it can be 20 or more characters to solve, you can require even longer phrases, it is still really easy to remember.
Re: (Score:2)
Re: (Score:3)
Not necessarily. Most password change schemes require you to provide the old password and the new. They don't need to store the plaintext, you hand it to them with the new one.
Re: (Score:2)
2nd change: number++ & suffix & prefix. Vary as needed. Nothing written down.
I've been doing this successfully for ages. Easy to remember, produces reasonably high entropy passwords. But as has been pointed out, everything depends on how robust a system is that's storing it on the other side.
Re: (Score:2)
1st change: prefix & suffix & number 2nd change: number++ & suffix & prefix. Vary as needed. Nothing written down. I've been doing this successfully for ages. Easy to remember, produces reasonably high entropy passwords. But as has been pointed out, everything depends on how robust a system is that's storing it on the other side.
One kicker is the requirement for a nonnumeric nonalpha character, # or $ or whatever. The problem is that different systems have different sets of such chars that they will accept, and the intersection that all will accept is small, and therefore it's hard to avoid repeats. (I try to keep my passwords to my work system the same at any given time, since it's hard enough to remember even just one).
Re:They want us to make it easier for them? (Score:4, Interesting)
I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved, It never happened. Life was good.
Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.
Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.
The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.
I left not long after that. I heard that he got fired a few years later, so at least there is a god.
Re: (Score:2)
I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved, It never happened. Life was good.
Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.
Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.
The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.
I left not long after that. I heard that he got fired a few years later, so at least there is a god.
we just got yet another system added to our list of systems we need passwords for; this one expires after 90 days, with no warnings, and locks you out so you can't change it once it expires without going through the help desk. I think they'd be happiest if they could just keep everybody from accessing the system.
Re: (Score:2, Interesting)
Here's the problem in a nutshell:
When I work for , initially I only have 1 password to memorize. As I gain tenure, more systems I gain access to, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.
So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever los
Re: (Score:2)
The This is what AD and LDAP are for. This at least reduces the amount of passwords to a manageable level, mainly to environments. Of course, there are exceptions [1], but in general, SSO tends to be useful.
It isn't NFC card access, but the closest thing that comes in mind for this was something Blackberry offered back in 2008/2009, where the Blackberry device could function as a CAC/PIV card via a Bluetooth adapter.
What I'd be happy with would be a card that took the place of both a SD card and a SIM, an
Re: (Score:2)
I hope there's not some serious vulnerability to KeePass that I haven't heard about. That little program is a lifesaver for me. Unfortunately, the Mac version is rekt so I can't run it on any of our Apple hardware.
Re: (Score:2)
Yeah, it should. I've been using KeePass 2.x for over a year and KeePassX won't import or access those databases. And, of course, KeePass 1.x won't read my 2.x database either, so I can't move it over.
I keep watching KeePassX for KeePass 2.x support. Then, I'm golden.
Re: (Score:2)
Wow, you mean something like the smartcard I've been using for the last 15 years? Yeah, we really need some new and (more) insecure technology.
Re: (Score:3)
Re: (Score:2)
Here's the problem in a nutshell:
When I work for , initially I only have 1 password to memorize. As I gain tenure, more systems I gain access to, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.
So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique-cases came up, I'd have to lose the productivity then.
Other people keep passwords on stickynotes on their PC.
The problem, is, that passwords are bad.
With the advent of smartphones/watches, it should be possible to just start having PC's have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you a NFC ID card and temporary/permanently revoke the phone.
This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.
Good luck getting Google and such implementing a common NFC card access.
Here's the thing; when you forget your password, or it locks you out, you can just call the help desk, or go through some web page; and they ascertain your identity by a few different pieces of data; your social security number, your date of hire, your mother's maiden name, etc. So, basically, the insertion of a password into the chain of events grants you no extra security than just having you answer these questions when you want to log in. So come up with a slate of such challenge questions of which you h
Re: (Score:1)
Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).
Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.
Re: (Score:2)
Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).
Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.
every once in a while, a password writer downer realizes that instead of writing down the password they can write down the keys to the left of the actual ones in the password, or some such.
Or.. (Score:5, Insightful)
You memorize a single strong password for a key storage program like Keepass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a Thumb drive in my pocket, and a backup in a safe.
While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.
Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.
Re: (Score:2)
You memorize a single strong password for a key storage program like Keepass.
I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.
Re: (Score:2)
You memorize a single strong password for a key storage program like Keepass.
I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.
Yes they are vulnerable, and the people coding them know they are vulnerable. I won't used closed source code for that reason, it would be too easy for someone to build in back doors.
Everything is vulnerable to a key logger, which is why you don't use devices you are unsure of. Mid stream, the password manager is safer because it uses memory only, not input devices.
Re: (Score:2)
Hmm. Relevant XKCD https://xkcd.com/936/ [xkcd.com]
Re: (Score:1)
You should only be changing passwords when you think you might be compromised.
And your good password is good because it is unmemorable, there's no shorter way of remembering it. So it gets written down. After a while you can sort of remember it and after some time more, you CAN remember it. But if you ever have to change it, you have to write it all down again and relearn.
So your good password should only be used when you think the resource locked by it worth that.
Otherwise MAKE UP A WORD. ginwitfanstable.
Re: (Score:2)
If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password [...]
It depends. If you use the same password on multiple systems, then it's only as secure as the least-secure of those systems. If you never change it, for all you know, someone has compromised one of the weaker links in that chain and been able to log on as you for months or years.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
So what exactly can "they" do with my /. password?
Not much. But if your /. password is also your Citibank password, they can do a lot.
Password reuse is dumb, and they should not be saying it is ok.
Re: (Score:2)
I wonder if that's why they are saying "Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
Re:They want us to make it easier for them? (Score:5, Insightful)
They're not saying its ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised its not a big deal, use the same password on some other news site its also not a big deal, just make sure you use a different password for your bank.
Re: (Score:2)
They're not saying its ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised its not a big deal, use the same password on some other news site its also not a big deal, just make sure you use a different password for your bank.
If your bank hasn't provided you a token then find another bank. No excuse for forcing users to use using password logins at this point.
Re: (Score:2)
Makes sense (Score:5, Insightful)
The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.
Re: (Score:2)
Yeah, I think if I had to rate in order from most secure to least secure I'd have to say it's something like:
brokerage account
SSL certfificate account
bank account
steam account
gmail account
~~~
various forum accounts
~~~
slashdot account
electric company account (please break in and pay my bill for me!)
Re:Makes sense (Score:5, Insightful)
Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.
Re: (Score:2)
You should have 2 factor auth on your email account, minimum. As you say, once someone is in there you are screwed.
Re:Makes sense (Score:5, Informative)
electric company account (please break in and pay my bill for me!)
You might want to move electric company account up the list. Utilities bills are often used as proof of address when verifying identity.
Re: (Score:2)
electric company account (please break in and pay my bill for me!)
You might want to move electric company account up the list. Utilities bills are often used as proof of address when verifying identity.
Since the article is talking about the UK guidelines here, check out this list [www.gov.uk].
Re: (Score:2)
When I recently opened a new bank account all they wanted was details of my other bank account, with another bank. I was moving my payments over anyway, but they didn't ask for any proof of ID. I did the whole thing online, the account was set up in minutes.
I wonder how much information I'd have to change, e.g. putting a different address on the new account, before they would start to worry...
that's what I do now. Better might be algorithmic (Score:5, Interesting)
That's what I do now, I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.
I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.
For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall " my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.
Re: (Score:2)
I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.
That's actually a nice idea
Re: (Score:2)
That's what I do now, I basically classify things as low, medium, or high security.
Me too so I set all my passwords to 'low', 'medium' and 'high' depending on security level so I won't forget which is which.
Damned websites keep complaining that my password has to be longer than three characters though - and I have no way to say 'but your site doesn't matter to me so three is just fine'.
Re: (Score:3)
Re: (Score:2)
Now imagine that one of those junk sites gets cracked. They now have:
1. your email address
2. your password for that site
3. the "security" answers you've provided
Using #1 & #2 they can try to access other sites to collect more of #3.
Have you used the same email address (#1) and security answers (#3) on critical sites? If so, they can potentially bypass the password (#2) that they do not have for those critical sites.
So, unique passwords AND unique email addresses (with unique passwords) for critical site
Re: (Score:3)
You provide real answers for security questions? That's you being fucking stupid. Just mash the keyboard.
Re: (Score:2)
That works until you need them.
Re: (Score:3)
Insert the "secret question" and its (made up) answer into the comment block. Then you don't have to bother to remember them, and there's basically no way to guess them, since they have no bearing on reality - "what was your first pet's name? Ford Prefect"....
Re: (Score:2)
Ford Prefect is unlikely to arise by mashing the keyboard.
And if you aren't using a password manager, or you didn't note down that your mother's maiden name was FHGFHGFHA?
Re: (Score:3)
If you meaningfully fill in the 'security answers', then you're already doing it wrong
Re: (Score:2)
My bank gets confused every time my answer to, "What's the first school you went to?" is "I don't know"
I have stopped using 'fuck off' as my mother's maiden name though. Even I found that one awkward over the phone.
Is that why.. (Score:2)
Re: (Score:2)
I have memorised 3 alphanumeric passwords which are the basis of all of my passwords. Basically I rotate two of those three passwords through all the crap I don't really care about. Worst case scenario is it takes me 2 log in attempts to get the right password on any given site
When it comes things I care about it gets all three passwords combined making a stupidly long alphanumeric that is really easy to remember.
This matches how people function (Score:5, Interesting)
If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera enabled pen or purse or water bottle you "forget". Or they type into the notes feature on their easily guessed cell phone.
(caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)
(extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)
Re:This matches how people function (Score:5, Interesting)
This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.
Re: (Score:1)
Another agreement here.
I work in the NHS and we have to change passwords on OS login and most applications every 28 days (passwords must be 8+ characters (IIRC), must contain at least one number amongst those and must also contain at least one upper case letter). This results in either a) people writing their passwords down and keeping them handy or b) using the same password every month and changing two digits to account for the month (I use option B as it should be marginally more secure, assuming our IT
Re: (Score:2)
This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.
Let me guess - you work at the white house supporting Hillary?
Re: (Score:2)
Re: (Score:1)
Re facial recognition. I worked in the video-surveillance industry for a few years, and video analytics, especially facial recognition, is a big joke. False positives render it near useless.
Password reuse? (Score:5, Funny)
Re: (Score:1)
Not to mention the Gawker hack victims.
I had dozens of sites I had to go change passwords on. Good thing I keep a list of what username/password combinations I use where, and the one I had used for Gawker was the one I use for "throwaway" comment board registrations.
Unfortunately, it was also very close to passwords I use for slightly more security, like work and email, so I had to change those, too.
Portable one-time key password generator .. (Score:4, Insightful)
Re: (Score:2)
that's how really secure systems get hacked, because the generals tend to attach it to the secure laptop case along with the key, making it a one stop security breach waiting to happen.
"it will never happen to me" - can't tell you how often it happened, walk into the insecure lunch area, grab the case, pop the top, use the hw device, and home free and they haven't even finished their first cup of tea or coffee. return it to them and they assume if you have a valid uniform you must be ok, nobody ever checks.
My bank is the worst. (Score:5, Insightful)
Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.
Re: (Score:2)
You could have the opposite. My bank requires a 6 character password no special characters and no capitalisation allowed with the username being printed on all your bankstatement. And with their new update once you have got access to the account you can transfer the entire balance of the account to anyone who has received a payment before. Their argument is that you needed to do an sms verification the first time, so that kid you paid to fix your pc? he can now receive the entire contents of your bank ac
Re: (Score:2)
The bank's response: How can a 4 digit number have capitals anyway?
Re: (Score:2)
What the flying fuck?!? I just wanted to check my balance and now I have to change my password.
I remember in the past some online banking sites did this right. You could log in to check balances with the basic password, but you'd need stronger credentials to make payments. Now they want me to use up numbers from the one-time pad both for the initial login, and again for the payment.
I understand the balance and transactions can be sensitive information to many people, but losing money directly should be a more immediate concern. As many other commenters are pointing out, the level of crypto should
Re: (Score:2)
For a brief period of time I thought Diceware style passphrases would be the answer but I found that a lot of places don't accept space characters in a password and as you observed, they all have random, undisclosed length limitations and the usual special characters requirement, Most of my low risk forum site passwords are based on one I was assigned about 15 years ago that had "good enough" length and was not guessable based on personal details like dog names and such.
Reflexive, symmetric, transitive... (Score:4, Interesting)
Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.
So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.
OK - got it.
Re: (Score:2)
Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.
So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.
OK - got it.
I am pretty sure (hoping) you are being sarcastic because that is not what the quote says at all. It is only ok to re-use a password when both systems have equivalent levels of data value.
To provide a car analogy: It is perfectly fine to use the same key for both my Toyota Corolla and my Ford Focus. However also using that key for my Aston Martin would be unacceptable.
Re: (Score:2)
Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.
So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.
OK - got it.
Funny but the re-use logic goes in both directions.
Re: (Score:2)
less password01? (Score:5, Insightful)
Does this mean I won't have to change my password from password01 to password02, password03 ect?
You require people to change it every 90 days and expect them to remember it what do you think people are going to do? It is going to be S!mp1e as can be.
Simple1! fulfills most companys password requirements.
If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy
It will have to stop changing on a arbitrary basis.
Re: (Score:2)
6B=1X8Vg+Bxqfs=2oPEy
Isn't that the proof to Fermat's Theorem?
Re: (Score:2)
6B=1X8Vg+Bxqfs=2oPEy
Isn't that the proof to Fermat's Theorem?
It's also the combination to my luggage, dammit!
Re: (Score:2)
Does this mean I won't have to change my password from password01 to password02, password03 ect?
You require people to change it every 90 days and expect them to remember it what do you think people are going to do? It is going to be S!mp1e as can be.
Simple1! fulfills most companys password requirements.
If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy
It will have to stop changing on a arbitrary basis.
At least some authentication systems can stop you from using a new password that is too much like your old password.
Re: (Score:2)
They have this at my employers and it has always worried me.
For this to work they'll have to store the password in clear somewhere so they can make comparisons.
If they used the conventional approach of passing the given text through a few iterations of SHA then even just bit difference in given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the older one?
Re: (Score:2)
They shouldn't be able to check against all your old passwords, but at least for the most recent one you generally need to enter both the old and new passwords together in order to implement a password change, to prove that you're the rightful owner of the account. Thus they don't need to have the old password on file to check for similarity, they can simply compare against what you just sent them.
Of course, a really secure system wouldn't include sending them the password at all—it should be used on
Re: (Score:2)
They have this at my employers and it has always worried me.
For this to work they'll have to store the password in clear somewhere so they can make comparisons.
If they used the conventional approach of passing the given text through a few iterations of SHA then even just bit difference in given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the older one?
By decrypting them? :-)
Re: (Score:2)
Yes, I have to use such a system. Yes, it's as awful as you'd think it to be.
Most rotated passwords are... (Score:3)
RootPassword!1
RootPassword!2
RootPassword!3
and so on.
you can trust your government's advice ! (Score:1)
This just in ...
Governments around the world agree; just use your name or '1234567'. It is estimated that governments (and taxpayers) will save billions on expensive technology used to decrypt worldwide communications. Garth Grunt (not his real name), representing an anonymous spy agency in an anonymous country says "Do the patriotic thing. Loosen up your security so that we can protect you better."
That's today's headline, now for the rumors behind the news...
Microsoft Research and Their Password Policies (Score:5, Informative)
The irony is that Windows Server defaults to having you change your password every 42 days. 8-9 times a year.
How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.
For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.
I got a different password for every site (Score:5, Insightful)
Now I don't always remember it 99.9% of the times but what I do is have a pattern that I use to extract 4 letters from a sites name and use 4 or so selected 4 number combos which I combine into a password. At least it gives me different passwords for different sites.
Re: (Score:2)
Re: (Score:2)
Did you log in yet? I just got home so you had 2+ hours to log in.
Hunter239 (Score:2)
Indeed, I have reached Hunter239 on my password now. It sucks having to change it every week.
Bad idea. (Score:2)
Re: (Score:2)
most password breaches go undisclosed, not all 'crackers' are releasing their findings.
[citation needed]
Obligatory xkcd reference (Score:2, Informative)
https://xkcd.com/936/
A standard would be nice (Score:2)
Some sort of minimum security standard across the damn board would be greatly appreciated.
Set minimum password strength, length, type requirements. Set standards for hashing and storing login credentials, etc. You adhere to the standard and become certified to do business out on the web. No certification, no web business for you. Though, we sorely need the same standards applied to corporate networks that carry customer information as well. ( Eg: Home Depot, Target, etc )
Every site has different require
Not about security- it's shifting liability to you (Score:2)
With all the password hacks/cracks/thefts, my cynicism has led me to believe that password policies are not about protecting the user, they are about protecting the company. With every damn website and store loyalty program asking you to create an account, it's to the point of absurdity. But they tell you that you need to create a unique password, of course. The uniqueness is not there to protect the user, it's to protect the company from liability when their crappy data policies (storing passwords in plain
Probably the movies (Score:3)
The British seemed to take it more seriously, and be smarter about it. This is part of why their human intelligence generally seemed superior to ours. Today, the new British government seems keen on sacrificing the security of its people on the altar of the false religion of national security.
I think it's the movies.
British intelligence had a string of high-profile successes, culminating in dropping that evil guy into the smokestack [youtube.com].
At least, that's what the public was led to believe.
In the modern world, the internet has a way of making the reality of the situation more plain.
Perceptions change.
Re: (Score:2)
Hey! That's the combination to my luggage!