The password you supplied does not meet the minimum criteria necessary to use in our system. Please select a password that meets the following requirements:
Is at least 8 characters long
Has not been changed in the past 3 days
Has not been used in the previous three password changes
Does not contain any account information
Does not contain your name
Uses at least three of the following four:
  English uppercase letters
  English lowercase letters
  Numerals 1 through 9
  Non-alphabetic characters
At least I don’t have to change it every two weeks or have 6 different log-ins, but damn. I work for the government. Half of what I do is freely available to the public anyway and the other half can be gotten through a Sunshine request. I think our system’s in overkill territory here.
We have almost the same list, excepting, I think, that we have to have letters, numbers, and a non-alphanumeric (doesn’t care about case). And I do have to change it every month. And I work for a textbook publisher.
What’s funny is requiring a password you can’t remember compromises security more than anything it could do to help; now everyone’s tempted to write out a list of all their passwords on scrap paper or something else they could misplace easily.
What amuses me about most password requirement lists is that they rarely come from the security guys. Most of them seem to come from people who think about “what makes sense” as opposed to people who think about “what people do”.
Personally I favor most of your requirements, but would increase the minimum change time to 60 days, last passwords to 37 (0-9,a-z), and make you change them every 120 days, with 30 days notice/nagging. I’m a huge fan of single sign-on solutions as well, so the same name/password combo works everywhere. It reduces the number of people who keep passwords in/under their desk, and if they have to authenticate multiple times per day, they’re more likely to remember their password as well.
My favorite instance of stupidity comes from a (non-federal) government agency that required auto-locking of all accounts that hadn’t logged in or changed their password in 90 days. Including the system account and application account. They also required a system boot every 120 days. Oh well, at least there wasn’t a 24/7 requirement on it, and the boot disk was local to them instead of me.
You can get around this by keeping the same hash (the number, symbol and capital letter requirement) and just change a dictionary word for the rest of it.
Really diabolical password policies will reject you if your password contains a dictionary word.
Requiring frequent password changes, or different accounts for different systems, and passwords that are difficult to remember are counterproductive, because then the users become the enemy of the system administrators. They’ll write down their passwords and put the post-it note on their monitor. Or they won’t logout of their machines when they aren’t at their desk.
Good for her. In this day and age the main threat is not that someone with access to your office will get on your system, but that someone in a remote location will gain access. The system is much more secure with hard passwords written down than with easy memorized passwords. It would be even better with hard memorized ones, but not that much better.
It’s fucking 50 for us at the FAA. No, and I mean no one, wants to:
Read my email (even I don’t).
Take our stupid security, OSHA, or other crap tests.
Do my fucking time card.
I mean really, why do we have to change our passwords so much, and to such hard to remember crap. I can think of: login, email, test taker, time card, airport directories, work database, and probably a few others. All of which have different password requirements, none can be the same as the last 50 or so, and none can match another one! I have to have a password file so I can remember them all. Which of course is also password protected. :rolleyes:
Please if someone wants to do my work I say let them.
I just end up using a nickname of mine plus a number, which works out ok, except I keep forgetting that it’s case sensitive. I’ve made it through 1, 2, 3, and 4 and can finally move back to 1 again. My e-mail system, arguably the most sensitive portion of my computer (though, heck, even that can be brought out to share with the world through a nicely worded FOIA request), has a password that never needs to be changed.
And this is totally retarded. It’s one thing to expect someone to have a strong password and change it every few months. It’s impossible if they have to have several different strong passwords and change them every few months. Why can’t they give every employee one set of credentials that can be given permissions to use different systems?
If I’m remembering the password rules for when I worked for Social Security correctly they had to be changed every 30 days, were six characters long, and could not have any character in the same position as any of your previous three passwords. I think there was also a restriction on use of either dictionary words or certain acronyms (like ssa), possibly both. For a while I had a post-it stuck in my desk with ten random characters on it which I would cycle through.
Fuck all if I know, I just know I only use two normally, one every two weeks, and a couple of others every few months. The worst, though, is that our email has us change it; it has to be changed like 60 days later, but a month before that it starts saying, “Your password is going to expire in 30 days, do you want to change it?” and I have to hit no twice. Well, that and the test-taking password, which the last time I tried something like Fu*$s3A5 and it told me it wasn’t good enough.
We have similar password requirements (I work in the research arm of a hospital):
Must include:
Must be 8-10 characters in length
Must contain at least 1 lowercase letter (a - z)
Must contain at least 1 uppercase letter (A - Z)
Must contain a number (but not start with a number)
Cannot include:
Cannot use 5 or more of the same sequential character
Simple strings cannot be used (abcdefgh)
Cannot include your username
Cannot include your first or last name
Cannot include {list of obvious words, e.g. hospital name}
Cannot include the word “password”
Other requirements:
Are case sensitive
Must be changed every 90 days
Cannot be reused until after 10 password resets
I just picked an obscure word in a foreign language* and appended a number, which increments until I get to 10 and then starts over from 1; e.g., Gibberish1, Gibberish2, Gibberish3, etc. That way I only have to remember which number I’m on.
At my last job, for many systems that I didn’t use terribly often (like HR, benefits, etc) it was a lot easier to just go through the password reset process every time. In one particular case, I actually had to call someone to get it reset, and it was still easier than worrying about it.
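The hospital policy quoted above, transcribed into a checker as an added example; this is not code from the post or from any real system. The username, names and the hospital name in BLOCKLIST are constructed placeholders, "simple strings" is read as a run of five or more characters that step by exactly one code point, and the history check assumes the last ten passwords are available for comparison.

```python
import re

# Policy constants transcribed from the post; the second BLOCKLIST entry stands in
# for the hospital name and is a constructed placeholder.
MIN_LEN, MAX_LEN, HISTORY_DEPTH, RUN_LIMIT = 8, 10, 10, 5
BLOCKLIST = ("password", "generalhospital")


def _has_run(pw: str, n: int) -> bool:
    """True if pw holds n+ identical characters in a row ('aaaaa') or n+
    characters stepping by exactly +1 or -1 ('abcde', '54321'); the stepping
    case is an assumed reading of 'simple strings cannot be used (abcdefgh)'."""
    for step in (0, 1, -1):
        count = 1
        for a, b in zip(pw, pw[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= n:
                return True
    return False


def check_password(pw: str, username: str, first_name: str, last_name: str,
                   history=()) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.
    Word checks are case-insensitive, the history check is case-sensitive like the policy."""
    low = pw.lower()
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be 8-10")
    if not re.search(r"[a-z]", pw):
        problems.append("needs a lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if pw[:1].isdigit():
        problems.append("must not start with a number")
    if _has_run(pw, RUN_LIMIT):
        problems.append("repeated or sequential characters")
    for word in (username, first_name, last_name, *BLOCKLIST):
        if word and word.lower() in low:
            problems.append(f"contains '{word}'")
    if pw in list(history)[-HISTORY_DEPTH:]:
        problems.append("reused within last 10 resets")
    return problems
```

Feeding it the Gibberish1, Gibberish2 sequence from the post shows that every rule, including the ten-reset history, passes an incremented suffix, which is why rotation-plus-history rules tend to produce exactly that pattern rather than new passwords.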