Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)
Though changing passwords often might seem like a good security practice, in reality, that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing passwords often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'" Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.
Annoying (Score:3)
The current discussion is a password change for our DMZ servers every 30 days. The mid zone servers are currently every 60 days. And corporate accounts are set to 90 days.
[John]
Re:Annoying (Score:5, Insightful)
You have one and only one password. Either the enemy knows it, and all doors are open, or he doesn't.
Whether the password changes or not - or how frequently - is immaterial. If the password is known, then you are already pwned.
Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen - except that in the case of passwords, you could be locking the barn with bandits already inside ready to break security all over again.
Your efforts are much more profitably employed in protecting your passwords to begin with.
Re: (Score:2)
Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen
Not necessarily - I've always used password rotation as a method to expire inactive accounts also - because let's face it, some accounts will always slip through when they fall out of use (service accounts, vendor accounts, test/development accounts, etc...). Then, by requiring a physical presence to change a password (as in, it can't be done over a VPN or SSH or otherwise remotely), you're requiring an additional form of authentication to reactivate or re-age an account - your access tokens for the buildin
Re:Annoying (Score:5, Insightful)
Re: (Score:2)
Most organisations are using Active Directory for most user accounts, which stores passwords in an extremely weak way...
If someone malicious has a copy of the password hashes they can simply perform hash passing attacks with them as soon as they acquire the hashes, without requiring any cracking.
Also, password cracking doesn't take a fixed amount of time except for the very weakest algorithms that can be completely brute forced. For most algorithms it's a case of trying the most likely passwords first, and in
Re: (Score:2)
Good point. I was thinking about what good password changing does for the user. If the corporate password database has been hijacked, that's obviously different - assuming that the hijackers can't crack it fast enough.
Of course, if someone could get in far enough to hijack the password database, then you've got bigger security issues than just those pertaining to a single account anyway.
Re: (Score:2)
Except the 2010 study points out that given an old password and simple changes for the new password (as is common), it only takes a few seconds to discover a new iteration of a previous password.
Re: (Score:2)
Your efforts are much more profitably employed in protecting your passwords to begin with.
Or avoiding passwords altogether and using secure-element-bound PKI [wikipedia.org] for access to critical systems. In addition to seriously raising the bar for unauthorized access, you can generate nice audit logs of who is accessing what and when, because there is no need for sharing admin passwords.
Re: (Score:2)
My company has this. Normally my passwords are massive, unwieldy things.
asdf12!@ meets all of the requirements. And when they force me to change it in 30 days. 23@#, 34#$, ....
Re: (Score:2)
I had an algorithm for unique passwords for different sites that needed them that combined things about the company, myself, and various other criteria that meant I could always deduce what my password was if I didn't outright remember it. The passwords were relatively long and complicated, mixing upper/lower, numbers, and some punctuation, and were at least 10 characters long. Then we started in with the "must change your password every x days." So I revamped my algorithm to include something timely. I
Re: (Score:2)
One thing that has really come to be a lifesaver for me is a password manager (keep
Re: (Score:3)
Oh yeah. And don't write any of them down either.
it's just wacko nuts out there (Score:3)
Lots of outfits have wildly inconsistent rules, change periods, and prohibition types on passwords. I ought to just be able to set time to expire as well as changing everything to "asspword", and be done with it.
Re: (Score:2)
If I were trying to hack into your DMZ I'd be trying passwords like "January2016" and "J4nu4ry2016". If you put a policy in place like that one of two things is going to happen: people will choose passwords with the same pattern, or they'll write the passwords down. You're lucky if it's the latter.
Wrong? (Score:4, Interesting)
"Frequent password changes lock them out. "
I was under the understanding that static passwords were an issue because they are far easier to brute force in a long-term campaign, as well as a couple other reasons...
Re:Wrong? (Score:5, Insightful)
Right, and as this article covers, that's not true. In practice, passwords that don't have to be changed regularly are much stronger, because users are willing to choose a secure password and remember it long term, whereas when they have to change it regularly, they inevitably choose pass0001, and then when they have to change it, choose pass0002, and then pass0003, etc.
Re: (Score:2)
Another part of the rationale to change passwords has to do with the aging of a seriously hashed/encrypted password-- from the days when a SHA-1 took weeks to cook.
The rubric of the iterative, dictionary-attackable password presumes that one password leads to another, and that someone's going to program a rainbow table or dictionary attack to short-cut to such iterative devolution. Very few attacks that I've seen do this; buying a list of password cracks from, say, LinkedIn break-ins isn't going to yield a s
Re: (Score:2)
The cryptographic strength of the password has precisely zero to do with how many sites it's used on.
Wrong.
The more sites a given password is used on, the sooner it will be leaked.
The more sites a given password is used on, the more likely it is that it will be stored using a weak hash function, without a salt, or even in plain text.
Both of these truths combine to fuck your password's "cryptographic strength" in the ass.
Over time crypto gets weaker as people attack it, and hardware gets stronger as people demand more games, Bitcoin, and porn.
"Cryptographic strength" is a function of the encryption scheme i
Re: (Score:2)
You're assuming that SomeStartupUsingExposedPasswordDB.com isn't one that stores the password in plaintext instead of a hash, or that uses an insecure protocol like http for login, so someone can listen and snoop the actual password. Many startups are that dumb, and users are dumb enough to use them.
Finally! (Score:5, Interesting)
Policies that require frequent password changes lead me to:
- pick easy to remember (and therefore easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.
Frequently changing passwords excludes adherence to most other security good practices.
Re: (Score:2)
Re: (Score:2)
Policies that require frequent password changes lead me to:
- pick easy to remember (and therefore easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.
Frequently changing passwords excludes adherence to most other security good practices.
This is all true but password changes do reveal password compromises.
Re:Finally! (Score:4, Insightful)
This is all true but password changes do reveal password compromises.
And having compromised tomat001 they can go straight onto guessing tomat002.
Really, why don't banks force everyone to change the PIN on their cards every month?
Re: (Score:2)
You mean those highly secure 4 digit codes?
The reason banks don't care about your security is because that's your problem. You can bet their internal requirements are much more strict, because internal security is their problem.
Re: (Score:3)
The 4 digit code would be very weak against brute forcing if you had the hashed data in front of you but when you have to use their interface to attempt a code and you have only 3 chances, good luck. Additionally the fraud protection systems used by most decent banks will flag your purchase or limit your cash withdrawals. Additionally they are on camera when they do it.
Re: (Score:2)
This is all true but password changes do reveal password compromises.
And having compromised tomat001 they can go straight onto guessing tomat002.
Really, why don't banks force everyone to change the PIN on their cards every month?
Obviously, reasonable password policies don't allow you to do that.
Re: (Score:2)
That's why you outsmart them by going to tombt001, then tomct001. One, that gives you 26 iterations before you've got to think up a new scheme, and two, it's *sneaky*.
Re: (Score:2)
This is all true but password changes do reveal password compromises.
Yes, exactly! Forced password rotations set a ceiling on how long an account might remain unknowingly "shared". Let's face it, breaches often go undetected for a long time, and that is a problem. Forced password rotation is in fact a detective control and a valuable one! Probably too valuable to give up, IMHO. Should it be a reasonably long horizon like 90 or 120 days? Yes, but it should not be never.
Re:Finally! (Score:4, Interesting)
- Write down passwords.
I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it. And as we all know, once you have physical access it is pretty well game over for security in general.
Re: (Score:2)
I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it.
That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.
Re:Finally! (Score:5, Insightful)
That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.
I wonder how people would behave if the official policy was to write it down and put it in your wallet.
Most people have to write down their passwords, there is just no way to remember lots of unique passwords. But if policy is "don't write it down", that's like making it policy "don't breathe", and then people will naturally say, gee this policy is idiotic, we'll just have to ignore it. Result is you're training people to ignore your advice.
If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.
Re: (Score:2)
If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.
Yes, and no. That users are dumb isn't an attitude, but a fact. It's what you do to compensate for users being dumb that's important. You can educate people to be less ignorant, but not to be less dumb. So you have to route around it, and presume that a substantial portion of your users are, in fact, not to be trusted with forks, buttoned shirts or remembering passwords.
Adding easy to use and fast 2-factor authentication and easy to access password resets can go a long way. Adding physical security so
Re: (Score:2)
Easy password resets are a bigger problem than never changing passwords. Nothing worse than getting my account compromised because someone ELSE changed the password.
Re: (Score:3)
"he should have remembered his password"
Why? I've got 140 username / passwords in one password vault, and I've got more in another one. Over 7 different PINs or passwords that are work related.
There is a limit to the number of PINs and passwords that you can remember, especially when the restrictions prevent you from coming up with a password that you might possibly be able to remember. And that's before you have password expiration policies kick in.
BTW, who's the moron who lets the policy expire passwor
Re: (Score:2)
Re: (Score:2)
When I was working at an F500 on the internal security team we actually got an official policy that users *could* write down passwords iff they did so on a card kept in a wallet or purse which remains on their person outside the home.
Most people discover quickly they have lost their wallet or purse. So they are aware the password may be compromised and can notify IT Security to lock the account / reset the password promptly. Usually people have a pretty good idea when these items went missing as well, so
Re: (Score:2)
- Write down passwords.
I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it. And as we all know, once you have physical access it is pretty well game over for security in general.
Security isn't an all-or-nothing game. While the NSA or KGB could do a hundred things to compromise your privacy or security if they got physical access, an identity thief would probably judge it not worth his effort if he stole your laptop and it had full-disk encryption. In that case, having the password on a sticky note is really bad.
Re: (Score:2)
Password recovery or a call to the friendly folks at the service desk solve this problem. And the other problem that this entails, too: That the evil person could otherwise actually use your password.
Re: (Score:2)
Just like if you forget the password, which you are more likely to do if the password is complex or changed frequently.
Re: (Score:2)
At the last company I worked for that required that, I used "base01", "base02", etc. etc. for passwords, with "base" a fixed part. Worked flawlessly; it defeated all checks on the reuse of passwords.
Look under the keyboard (Score:2)
Honey post-its? (Score:3)
Re: (Score:2)
Well - I don't write down the whole password. But I do put a sticky on the wall that says "version 5" :-)
Re: (Score:2)
Or,
Come up with one *really* good password/passphrase, and use it on your 1Password vault. Then give everything else passwords made up of long random strings and rotate them at whatever interval the BOFH or compliance pinhead demands. Though I'm sure there are *some* workplaces where this would be verboten, I've never worked in one. Of course, even that scheme can make my blood boil. My usual setting of 32 characters of 25% each of random capitals, lowercase, digits, and symbols often reveals things lik
Re: (Score:2)
Actually, that's half the problem.
The other problem is that users do not pick new random passwords, but just modify the old one.
E.g., let's say your password is "Password". 90 days later, you can bet it will be "Password1". Then "Password2" ... "Password9" and "Password0", finally probably cycling around to "Password1" again. (FYI, that password now gets you lower case, upper case and number.)
That's the real problem - password security goes down faster than the benefits of frequent password accrue. After al
As with most things... (Score:3)
The best practice lies somewhere in the middle. Change them too frequently or infrequently and security may be decreased for different reasons.
(This also depends on your definition of "frequently")
I *believe* that a password change policy is necessary. However, I don't think you need to change your password every couple of months. I think once a year is good as long as you are not using that password elsewhere and that it is 12 or more characters (don't worry about the numbers, symbols, etc. Just the length is important... again, with caveats pertaining to how the password is entered, stored, transmitted, etc)
password length (Score:2, Insightful)
... not using that password elsewhere and that it is 12 or more characters
Indeed. It is not the number of possible characters, C, from which the password is created, but the number of characters, N, that the password uses: The number of possible combinations is C^N which is polynomial in C, but exponential in N. (Thus, increases much faster with N than with C.) Adding a few "special" characters doesn't do nearly as much as adding length. That doesn't even really prevent dictionary attacks as most of the time the user only adds a 0, 1 or ! suffix to a simple word-password.
Per
So what you're saying is.... (Score:2)
Length, not size matters. Got it.
Re: (Score:2)
"as long as you are not using that password elsewhere "
Password reuse like this should be absolutely forbidden. It's ridiculously insecure.
Password change policies depend on the service being protected. Very few benefit from changing. E.g., shared passwords such as safe combinations, door passcodes. Encryption keys such as those used for offline backup sets (nobody who worked there 10 years ago should know the current passwords).
When you don't trust the service provider, data breaches, such a
when you have to change password frequently (Score:4, Insightful)
new password: Spring02
More than 2 passwords to change now and then; advice from seniors: put them in a txt file on the desktop
Re: (Score:2)
Works until you cannot reuse even parts of the previous passwords.
So then it's probably going to be
Spring01 ...
Summer12
Autumn23
Re: (Score:2)
What will you do on the 5th password? :)
Re: (Score:2)
Spring01. Because usually it only has to be different than the past 3.
Re: (Score:2)
I'm not a security expert (INASE?), but doesn't the fact that they can identify reuse of parts of a password mean that they aren't using a good one-way function to hash the password+salt?
No, because the process is almost always: Enter existing PW. Enter new PW. At that point, "existing PW" can be trapped as text for the few seconds it takes to get the new one and to compare the strings.
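The post above explains why a server can detect trivial variants at change time: for a moment it holds both the old and the new password in plaintext. The check below, added here as an example and not code from the thread, uses that window to reject the "Password1" to "Password2" iterations the 2010 study describes (edit distance, same word with different digits or symbols, leet substitutions, reversal). The sample pairs are taken from the thread; the function name and the thresholds are my own.

```python
"""Change-time similarity check: reject trivially modified passwords.

Run this before hashing the new password; the old one is only available
in plaintext during the change request, so this is the one moment a
server can compare the two. Pairwise comparison catches Password1 ->
Password2 and tomat001 -> tombt001, but not Spring01 -> Summer12; that
needs a per-user history of stems, which is outside this example.
"""
import string
from typing import Optional

# Common single-character substitutions users apply to satisfy complexity rules.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _stem(pw: str) -> str:
    """Reduce a password to its 'word': strip leading/trailing digits and
    punctuation, lowercase, and undo leet-speak in what remains.
    'P@ssw0rd2' and 'Password1' both stem to 'password'."""
    core = pw.strip(string.digits + string.punctuation)
    return core.lower().translate(_LEET)


def trivial_change_reason(old: str, new: str, max_distance: int = 2) -> Optional[str]:
    """Return why `new` is a trivial variant of `old`, or None if it is acceptable.

    `max_distance` is an assumed policy value: how many single-character
    edits away from the old password a new one may be."""
    if old == new:
        return "new password is identical to the old one"
    lo, ln = old.lower(), new.lower()
    if lo == ln or lo == ln[::-1]:
        return "differs from the old password only by case or reversal"
    if _levenshtein(lo, ln) <= max_distance:
        return f"within {max_distance} edits of the old password"
    so, sn = _stem(old), _stem(new)
    if so and so == sn:
        return "same word as the old password with different digits/symbols"
    if len(so) >= 4 and len(sn) >= 4 and (so in sn or sn in so):
        return "old password's word reused inside the new one"
    return None


if __name__ == "__main__":
    # Constructed pairs, mostly the schemes posters in this thread describe.
    SAMPLE_CHANGES = [
        ("Password1", "Password2"),
        ("tomat001", "tombt001"),
        ("asdf12!@", "asdf23@#"),
        ("Password1", "P@ssw0rd2"),
        ("Spring01", "Summer12"),
        ("Password1", "correct horse battery"),
    ]
    for old_pw, new_pw in SAMPLE_CHANGES:
        verdict = trivial_change_reason(old_pw, new_pw) or "accepted"
        print(f"{old_pw!r:>14} -> {new_pw!r:<24} {verdict}")
```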
2016 best practice? (Score:4, Interesting)
Re: (Score:2)
Which is great, until you run into a shitty interface that won't let you paste a password.
Windows 7 RDC comes to mind as a huge problem in that regard...
Use a password manager! (Score:2)
If you use a good password manager (or some similar tool like a hasher), then how often you have to change your passwords is entirely irrelevant, because generating a new one
Legal requirements for businesses (Score:3)
Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.
Good luck trying to get the auditor to explain why you need to change your passwords every 90 days; in my experience they can't defend their requirements and simply say things like it's "best practice".
Re: (Score:3)
Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.
Good luck trying to get the auditor to explain why you need to change your passwords every 90 days; in my experience they can't defend their requirements and simply say things like it's "best practice".
It is only to limit how long a compromised password can be used without being noticed.
Re: (Score:2)
Re: (Score:2)
If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.
You hit the nail on the head. PCI and SOX audits aren't going to get you good security. Just because you read in a security book that XYZ is a good practice doesn't mean you're going to get good security either. These things might get you slightly better security. What's really going to get you good security is to hire a firm to do a real penetration test. That's the only way you find out, and then from those results you can actually identify the measures that need to really be taken to truly increase your
Re: (Score:2)
All Sarbox cares about is that you have a process, even if it's to do nothing. I'm not sure if PCI is strictly required to have a password rotation policy, but there shouldn't need to be too many people in an organization required to take steps to be covered (depending on the company). Only a very limited subset of a given company should have direct access to user data in the first place. If they're put on a special policy list due to regulation, then so be it.
Re: (Score:2)
This is absolutely true, but these business regulations should be driven by competent security. That's why things like this are good. Security is still an industry in its diaper-wetting infancy. Somebody took a practice most of us have accepted as good and actually subjected it to scrutiny, actually tested it, and found it to be wrong.
Study from 2010 is likely worthless... (Score:3)
...for one main reason. Can anyone tell me how the insider threat risk has changed in the last 6 years?
Take a look at the last few major hacks within corporations and social media networks. These haven't been minor breaches where a little bit of data was taken. No, we're hearing about millions of accounts leaked, and terabytes of data stolen, with Sony being a prime example of an inside job.
The entire point here is frequent password changes DOES have a purpose; to mitigate the risk and damage of internal attacks, as outlined in TFS. If the insider threat risk has changed significantly in the last half decade, then the advice to change passwords often IS the more valid one.
And as the Ashley Madison analysis revealed, it really doesn't fucking matter how often we tell users to change their passwords when they continue to pick horrible ones that require little more than a guess to "crack". Sadly, this trend has not changed in the last few decades of humans typing in passwords into computers. This is probably the strongest argument to remove the concept of human-generated passwords altogether, and go with some form of biometric-enhanced authentication.
Re: (Score:3)
Re: (Score:2)
If it's going to be rendered as a hash anyway, what's the difference between that and a bad password?
A decent amount of salt. That's the difference. I can't help it that the world's most popular operating system continues to be plagued with backwards compatibility issues that all but destroy the notion of implementing a 30-year old security enhancement that would tend to render password cracking tools useless.
Why invest in expensive hardware that will be circumvented anyway? Six months after any technology is mandated, someone finds a workaround and the hardware is useless, whether via writing around the edge with a Sharpie or using a 3D-printed eyeball.
And yet we've been successfully and securely using two-factor authentication with hardware tokens for quite a long time now (as in decades). Certain security models manage to last a hell of a lot l
Re: (Score:2)
summer16! | md5
0a336b32a5ffad8dd06f7b245b63513e
What the GP is suggesting is that you hash your password, then submit the hash as if it was your password, where it will be hashed again by the system/site/etc.
Most password cracking efforts are not actually brute force; they use large word lists, and then apply whatever hash method and salts the leaked system used. Often these word lists are many gigabytes but still way smaller than the entire key space. So while summer16! is certain to be on someone's wo
Re: (Score:2)
Thank You! (Score:2)
In a perfect world where everyone has a photographic memory, we would change all of our passwords every 30 days and be better for it. In the real world, people are often tasked with remembering the passwords for dozens of accounts with different password policies, different change policies, and differing security needs. This causes frequent forgotten passwords (leading to overuse of password recovery tools, easy to guess passwords, and password reuse).
In theory, you could simply use good mnemonic devices fo
It improved security for me (Score:2)
Re: (Score:2)
On a 3 month cycle? I'm up to "Password67" now.
Er.. I mean "**********"
Well.. (Score:3)
Re: (Score:2)
Special character requirement (Score:5, Insightful)
I have several passwords that require a "special" character. I've found it frustrating on the occasions when I need to enter these on my phone, having to switch to the symbols to enter my password. Now if a password requires a special character, I use one that is part of the default keyboard, which limits it to using a period.
Special character requirements might be fine when using a physical keyboard, but mobile devices change how people will use them.
Re: (Score:2)
My favorite special character story comes from a friend who works in a call center. She had to help someone not computer literate at all set up an account on something and that service required a special character. She asked the caller what special character they wanted to use. Their response? "Minnie Mouse!"
Passwords are not secure, period. (Score:2)
I've been reading these articles about password security for 15 years, on Slashdot primarily. The TL;DR on passwords is that they are just not a panacea for security. Europe realized this quite a while ago AFAIK; smart card readers are still being used as a means to do multi-factor authentication for people on networks and the internet, etc. It's a lot more convenient than remembering a password that is a gagillion number of characters long with a password policy that makes it impossible to create a passwo
Can't password expiration be based on complexity? (Score:5, Interesting)
Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if I picked a long, complex, hard to crack password that I'd be rewarded with a longer period before requiring to change my password. Would this make sense in practice?
Let the computer handle it (Score:2)
Re: (Score:2)
That's fine if you are accessing the sites only from a single computer. Otherwise that database has to be uploaded somewhere, or else you'll need to reset your password when you try logging in from another machine.
Windows does have a built-in credentials manager that pretty much no one uses. OS X has a keychain password vault.
It also opens up all sorts of phishing attacks (Score:2)
Your password is expiring in 10 days. Click here [youtube.com] to change your password now.
Compromise? (Score:2)
Slashdot password never expires (Score:2)
Just tested logging out and back in, I'm still using the same password for my Slashdot account I've had for far too long (the password that is.) In fact, it is my 2nd oldest password still in use, my oldest password of course being a scorned 5 letter password not accepted in modern Internet society. :(
Everything old is new (Score:2)
Years ago I worked at a defense shop that got the idea people were using passwords that were too easy to guess. So they assigned your password every 30 days. You get assigned something like "3z~L8;GS=4", which would be changed before you could remember it without some kind of mnemonic trick ("Three Zebras Tried Laughing..."). After a few months you'd start mixing up the current password with passwords from last month or the month before.
Anyway, they finally did an audit and found something like 70% of
Re: (Score:2)
I've always felt that was a "best practices" bullet point mindlessly copied from the previous conference's slide deck, that nobody ever asks the rationale for.
And yet oddly enough, few question the Microsoft default setting of 42 days, and instead go with 60 or 90 days. You know, for a corporation we love to hate because of their shitty security practices, they sure seem to be far more strict when it comes to password change policies.
Meanwhile hours or sometimes days of productivity are lost as people get locked out from mail and other corporate servers they need to get their work done.
If you're suggesting that changing passwords is such a burden that we shouldn't even bother, let me remind you that users are going to be "locked out" for FAR longer than a few hours or days when the entire company is hacked due to
Re: (Score:3)
And yet oddly enough, few question the Microsoft default setting of 42 days
Maybe that was to give you a week to remember to reboot the machine before being locked out, as Win95 and early Win98 would only manage an uptime of 49.7 days before becoming unresponsive
https://sites.google.com/site/... [google.com]
(The mouse pointer would move, but no click, double-click or right click actions would work)
Re: (Score:2)
Changing passwords regularly ensures that users will pick poor passwords, because they won't be able to memorise a completely new strong password every 30 days...
Re: (Score:2)
FWIW, MSWind95 would crash after being up for 42 days. I think there was a millisecond counter overflow.
Re:The mandate to change passwords every three mon (Score:5, Insightful)
It's the bullet point that is easy to implement that pushes your ITSM score upwards. Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it every 30 minutes. It's a cheap way to "improve" your security score because it requires no work whatsoever from your security management. Servers come with that option built in.
And while we're at it, same shit with "2 numbers and 3 special characters and at least 30 characters long...". Same bullshit. The longer and more complex the passphrase, the more "+" in your security rating. Why? Doesn't matter. It gives you a better security score. You are winner.
Management by numbers at its finest.
Re: (Score:2)
In the meantime no one can remember all these passwords and writes them down, making it super easy for anyone to know the person's password. I have worked at a college with a 90 day password change policy (and long complex passwords) and 75% of people had a sticky note somewhere around their desk with their current password on it because almost no one could remember them all. At the time I worked support and when going onsite I could easily have collected almost everyone's passwords if I wanted. Most of IT di
Re: (Score:3)
Yup. Such policies lead to very silly behaviour patterns. The oddest one by some margin was a coworker whose first way every morning was to the IT-Department to pick up his password of the day (i.e. "i forgot my password and need a new one"), take it with him, use it, deposit the print in the shredder on his way to lunch, come back to retrieve a new password, use it, dump it in the shredder on his way home.
Without fail for years. IT had his password ready in the morning at 8 and after lunch at 12:30 (he was
Re: (Score:3)
Passwords in wallets:
Carry a business card (not your own) and steg the password on its back using some variant of the following:
"Ben O. Aronsen: 237 Smith Place #12 Roxbury Vt 05669 ---Sally has phone number". This stegs the password "237SP#12RVt05669" for a Bank Of America account.
Like the Purloined Letter, the password hides in plain sight. Ain't stegging wunnerful? [wikipedia.org]
Re: (Score:3)
A password written down on a sticky note can't be cracked remotely. You have to be physically present in the room to have a shot. http://www.imdb.com/title/tt0086567/?ref_=nv_sr_1 [imdb.com]
If the password is sufficiently complex, and the system uses properly salted hashes, then it is infeasible to crack remotely via brute-forcing the password database. Simple passwords are susceptible to brute force cracking.
A better solution is to use both. Write down the complicated password, but append or prepend a memorized PIN.
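As an added example (not code from any of the commenters above), here is what "properly salted hashes" and the "written-down part plus memorized PIN" idea from this comment look like in Python: each user gets a random salt and a slow KDF (PBKDF2-HMAC-SHA256), so two users with the same password store different digests and a precomputed dictionary of hashes is useless against the database. The iteration count, salt length, user names and sample secrets are assumptions made for the demonstration.

```python
"""Per-user salted password hashing with a slow KDF (PBKDF2-HMAC-SHA256).

Added example for the thread above, not code from any commenter.
Parameters, user records and secrets are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters: 16-byte random salt, 200k PBKDF2 iterations.
SALT_BYTES = 16
ITERATIONS = 200_000

# A tiny "password database": username -> (salt, digest, iterations)
UserDB = Dict[str, Tuple[bytes, bytes, int]]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Return (salt, digest, iterations); a fresh random salt is drawn unless given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def register(db: UserDB, user: str, password: str) -> None:
    """Store only salt + digest, never the password itself."""
    db[user] = hash_password(password)


def login(db: UserDB, user: str, password: str) -> bool:
    """Check a login attempt against the stored record."""
    record = db.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which user names exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, *record)


def composed_password(written_part: str, memorized_pin: str) -> str:
    """The comment's scheme: the long part lives on paper, the PIN only in your head."""
    return written_part + memorized_pin


def salts_defeat_precomputation(db: UserDB, a: str, b: str) -> bool:
    """True when two users with the same password still have different salts and digests."""
    return db[a][0] != db[b][0] and db[a][1] != db[b][1]


if __name__ == "__main__":
    db: UserDB = {}
    written = "3z~L8;GS=4-tHe-oRaNgE-cAt"   # constructed: the part on the card in the wallet
    pin = "7391"                             # constructed: the memorized part
    register(db, "alice", composed_password(written, pin))
    register(db, "bob", composed_password(written, pin))  # same secret, different salt
    print("alice logs in:", login(db, "alice", written + pin))
    print("stolen card alone:", login(db, "alice", written))
    print("same password, distinct digests:", salts_defeat_precomputation(db, "alice", "bob"))
```

The design point is that the per-user salt forces an attacker who obtains the database to run the slow KDF once per guess per user, rather than once per guess for everyone, and the high iteration count makes each of those guesses expensive; the stolen card on its own still fails, because the stored digest was computed over the written part plus the PIN.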
Re: (Score:2)
Something you know and something you have. El-cheapo two factor authentication realized. :)
Re: (Score:2)
Re: (Score:2)
My 2FA code (which I have to use to login to pretty much everything) changes every 20 seconds. I guess that's A++++++ then, right?
Re: (Score:2)
Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it every 30 minutes.
Or every use, otherwise known as one-time-pad:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
Yup, this is exactly what this setting is for.
AC thinks he's so smart, but really his employer is so dumb.
Re: (Score:3)
I encourage users to make up passwords based on some useless obsolete memory occupying a permanent place in their brains. I tell them to start with the name of their childhood dog, that's easy, but then add onto that the entire phone number for their best friend growing up.... the one you'd dial 12 times a day? that's 10 digits you can always recall, occupying some space in your head that you otherwise don't have any use for. Tag that onto your dog's name and you have a memorized 18-digit password. Your
Re: (Score:2)
The problem is that people who don't know much about a field like security can't identify those people. They don't know who to listen to.