Why is being honest such a pain?

[Worldwalker]

A basic dictionary attack will be detected within a few tries; it's not like the old days. If they're stealing the password file and attacking that, the solution is better system security, not weaker user security, and if they've got enough of a massively parallel system (or perhaps a botnet) to try every option against the hashes, requiring unmemorable characters in users' passwords will not make it measurably slower. A disturbingly common point of attack is stolen (or just lost) laptops with passwords on them. The world's most secure password doesn't do jack for a trojaned, stolen, or otherwise suborned computer. Making the users write their passwords down, or store them in their laptops, as Duncan says, is making the problem worse instead of better.

I did once have a nice consulting gig resetting an office manager's password every 90 days. He always ignored the "grace period" messages, then called in great distress when his old password didn't work anymore, giving me a nice drive and some free money for 5 minutes' work. Unfortunately, it wasn't long before they bought a system that didn't suck. I miss that one.

[MikeFromHC]

Quote:

Originally Posted by DuncanWatson

That problem relates to IT departments mandating 90 day changes of passwords with no repeats for the last 10 passwords and a mandate of 90% change for the new password as compared to the last 10 used. As well as mixed numbers, letters and punctuation.

Shockingly such draconian user-unfriendly policies result in rampant security violations as users put passwords on sticky notes, in their wallets, on their pda/phones etc. Sure some people (this is especially bad in accounting and financial departments) will put passwords on sticky notes attached to their monitor no matter what you do. But by making it so unfriendly many more users are forced to take such action just to be able to do their job. Not everyone can create passwords that fit IT criteria of a good password and commit them to memory every 3 months. Especially without reuse. If you really need such security use an skey token with generated passwords every 30 seconds or so. (something you have + something you know security).

The IT department is responding to *known* threats and such measures are the only ways known to protect access to the information.

Note I said "responding" as these measures are put in place after somebody finds out the hard way about the problem.

[Worldwalker]

The problem is that by responding to one problem (systems vulnerable to dictionary attacks) they're creating another problem (user passwords that can't be remembered) -- and the new problem may, in fact, be worse than the old problem.

[Harmon]

"Always tell the truth. This will please some people & astonish the rest." - Mark Twain.

[thrawn_aj]

Quote:

Originally Posted by Figwit

You could always try www.bugmenot.com

I've used bugmenot to good avail in the past. I would be careful with it though - it's like anything you find lying in the street and decide to take home. Who knows what people have done with some of those usernames in the past?

[MikeFromHC]

Quote:

Originally Posted by Worldwalker

The problem is that by responding to one problem (systems vulnerable to dictionary attacks) they're creating another problem (user passwords that can't be remembered) -- and the new problem may, in fact, be worse than the old problem.

It may be more work for IT but if you had to decide between having your valuable information taken because somebody thought "Password" was a good password (and there was a time when it was, sans network, sans Internet) and having to reset for people not smart enough to find a good easy to remember password, which would you pick?

Essentially the same method can be used to remember a password or stars

ObAfGkMrNs

[Worldwalker]

I don't think either one is a viable solution (and I say this as someone who once had a very nice consulting gig regularly resetting an office manager's password). One gives you hard-to-find weak passwords, the other gives you easy-to-find strong passwords (the stickynotes). While getting users to choose at least moderately strong passwords is important, so is hardening the system as a whole. So, too, is setting appropriate user privileges and access. That's definitely more work for IT, but it has the advantage of working, and not just forcing users to write their passwords in places you don't want to think about. Remember, we're talking about Jersey Shore fans here: they're not gonna memorize passwords or stars.

[Merbear]

the most annoying on-line store I found was Plimus in Britain. When I was in Thailand last month my daughter wanted the Ngaio Marsh books they advertised. I bought them for download on-line and paid immediately with PayPal but they just about wanted my life history including phone number and then I had to wait several days for a download link! For goodness sakes - it cost $9.99.

[Seanette]

Quote:

Originally Posted by DuncanWatson

That problem relates to IT departments mandating 90 day changes of passwords with no repeats for the last 10 passwords and a mandate of 90% change for the new password as compared to the last 10 used. As well as mixed numbers, letters and punctuation.

And differing cycles/requirements for each of several logins needed to perform one's work.

I've been known to resort to the "list on my PDA that doesn't leave my physical possession while at work" strategy myself.

[MikeFromHC]

Quote:

Originally Posted by Worldwalker

I don't think either one is a viable solution <snip>
Remember, we're talking about Jersey Shore fans here: they're not gonna memorize passwords or stars.

Which is why all they have to do is remember a simple personal question and apply a simple set of rules they make up.

If they can't do that then perhaps people who can should be hired.

[Worldwalker]

Quote:

Originally Posted by MikeFromHC

If they can't do that then perhaps people who can should be hired.

In my experience, the worst offenders are those who do the hiring. When I went to a client's site every 90 days to fix a guy's password, it wasn't some peon's password that needed changed; it was the head of the regional office.

[meromana]

Quote:

Originally Posted by MikeFromHC

Which is why all they have to do is remember a simple personal question and apply a simple set of rules they make up.

If they can't do that then perhaps people who can should be hired.

I don't know...in my experience, those who excel at memorizing tedious lists of oddball characters aren't necessarily those who excel at critical, analytical thinking. Like me, for example. In my last job, there were at least 10 different systems requiring 10 different passwords (each system had different password rules), and they had to be changed every 90 days, NOT on the same schedule. Worse yet, if you typed the wrong password 3 times, you were locked out, usually for several hours, and required a manual unlock by some guy in IT.

Of course, unless I was on a tight deadline, I didn't mind that much--I got paid by the hour, even when locked out and unable to do my job. I would guess that password problems cost this company far more than what they saved from any potential security threat that their policies may have prevented.

--Maria

[MikeFromHC]

Quote:

Originally Posted by meromana

I don't know...in my experience, those who excel at memorizing tedious lists of oddball characters aren't necessarily those who excel at critical, analytical thinking.

--Maria

There is no need to. If you can pick the password simple sentences with simple rules gives passwords that can only be broken with brute force.

Maria, can you remember a simple sentence?
McYra$$?

[Worldwalker]

But this week, is it "Maria, can you remember a simple sentence?" or "Maria, what is that sentence today?" ... and what will it be next week? Joe Schmoe in accounting is just gonna write the thing on a stickynote, and thereby hangs the problem.

[MikeFromHC]

Quote:

Originally Posted by Worldwalker

But this week, is it "Maria, can you remember a simple sentence?" or "Maria, what is that sentence today?" ... and what will it be next week? Joe Schmoe in accounting is just gonna write the thing on a stickynote, and thereby hangs the problem.

If Joe can't remember a sentence he made up then perhaps he needs a job someplace else.