Changing security codes every day?

I’m watching Oceans 11 (the remake), and in it they mention that the casino door codes are changed every 12 hours. This isn’t the first time I’ve seen a statement like this in a movie or book, but I"m wondering. Do agencies really change security codes that often? It seems to me that doing so is going to cause nothing but problems. With codes switching so often, you’re not going to remember them, which leads to codes being forgotten (Hello, security? Yeah, it’s Fred. Again.) or written down, which kinda defeats the purpose of frequently changing codes.

Anyone know of this practice actually occurring?

I’ve never worked in a casino so I can’t speak authoritatively, but I have worked in or been in other high security facilities, and the frequency for changing access codes, PINs, and passwords has varied from 30 days to six months. As you note, changing codes on a frequent basis requires some way to distribute and remember the code, which means that people will either tend to forget (and therefore put a large burden on whoever maintains the system to manually authenticate users and reset passwords) or write it down someplace reasonably accessible, thereby foregoing any security benefit whatsoever. Ditto for requiring extraordinary complexity in codes; requiring the combination of numbers, letters, and symbols assures that dictionary hacks won’t work, but honestly it takes very little to modify a standard dictionary hack to insert symbols and numbers for letters in the common fashion (e.g. “@” for “a”, “!” for i, et cetera) so unless the password is truly a random sequence not based on any dictionary word it isn’t significantly harder to crack. The use of long passphrases, on the other hand, increases the computational complexity even if the passphrase is composed entirely of dictionary words, and you just have to make sure that someone doesn’t use an immediately recognizable phrase, e.g. “Now is the winder of our discontent, made glorious summer by the son of York.”

Now, back when I worked for a security company, I knew of (but did not work with) an R&D company that cycled the lock cylinders in their “vault” (secure offices) once or twice a week in a standard rotation, and collected and replaced keys at the same time. This was to assure that any lost keys were accounted for or obviated, to minimize exposure to a security breach (e.g. an employee copying a key and giving it to a would-be thief), and to inspect the lock tumblers to insure that there were no signs of tampering. The locks themselves were, for the day, top security with mushroom tumblers and anti-bump provisions, and were installed in rooms with steel doors and were lined with rad-secure mesh to ensure that no electronic transmission could leave the room.

The casino industry does probably go to exceptional lengths to protect their cash reserves and intake, but I suspect this involves thorough vetting of employees, defense in depth (multiple layers of security with “eyes on eyes” surveillance), automated counts and recounts to detect any “leakage”, and vigorous prosecution of anyone remotely involved in nefarious activities. Elaborate kind of security systems portrayed in Ocean’s Eleven (or Mission Impossible) are the creation of screenwriters, and the least reliable element of any security chain remains, as it always has, the actual people within the system who can defeat it by simply pocketing the money or data and walking right past all of the automated security measures.


There are “dongles” that can generate a code that changes as often as you want.

Of course, if you lose it, than your security is screwed…

Obligatory XKCD cartoon.

The problem with a lot of security is the key revocation problem. The ability to revoke one particular person’s access at will. Physical keys are a good approach if you can get them back. Per person access codes another. Indeed a much more useful mechanism all round, as you can track individual accesses. Hence the value in keycards.

These days, banks and computer games use a slightly modified system. They will send you a special device or make you download an app on your smartphone. Using mathemagics, the device will show you a new password every time you use it or every minute. You have to enter this special code, alongside your regular password, to log in. On the receiving end, the server also uses the same algorithm and knows that “As of 3/09/2014 5:34, the correct number should be X”, where X is what’s displayed on your key fob/smartphone.

This can be used in conjunction with a regular password that doesn’t change as often, and maybe also with biometrics (fingerprints/iris scans, etc.) – together requiring something you know (the password), something you have (the latest minutely passcode), and something you are (your body). See Multi-factor authentication. Tends to work better than requiring only a password that changes every day.

Even then, whoever found/stole the token would also need to know your PIN or password to gain access. And use it before the loss/theft of the token is reported.

We use a bejillion securID tokens and I used to administer the gizmos. They’re not dongles - they’re completely stand-alone things with no user controls that display a new tokencode every 60 seconds. This does make them a bit inconvenient for our Unix admins who need to re-authenticate every time they log in as root or execute a command as root, as a tokencode can only be used once.

Losing or damaging one is inconvenient, but not horrible. They’re not laundry-proof, and they will be cooked if you leave it in your car on a hot Arizona summer day. Just call the helldesk and they can give you a temporary fixed tokencode to use with your PIN. If someone finds your token, they need to know which system it’s for (I used to have three outwardly identical tokens for different uses) as well as your username and your PIN. If the system is set up well, with a minimum PIN length of six alphanumeric characters and lockout after three failed attempts, it’s difficult to circumvent.

You win the “Best Tech Support Nickname” contest.

I’m telling you… Siri knows more than we give her credit for!

I used to hate them. They were forever losing sync.

The system we’ve got has built in coping for loss of sync - if you enter a code that is too far outside of the current minute, it makes you wait a minute and enter the next code and the one after it - that way, it verifies that you still have the device (not just a piece of paper with a half-hour-old code on it) and adjusts an ofset so as to put everything back in sync.

I think some systems even derive a drift vector if this keeps happening - i.e. the back end works out that your token is drifting 5 seconds fast per week, and makes that part of the sync parameters.

Rather than using SecurID, my company just uses a smartphone app that does the same thing. The same app generates 60-second codes that get me into gmail, github, and other services that we use.

I found this about 25 years ago, I’m pretty sure, on a stolen corporate laptop I bought for $50 from a guy who walked into a store I was in, five minutes immediately after which I felt incredibly fucking guilty and like a shit heel, and I tried like crazy to figure out who and how I could get the thing back to. I think it was IBM.

Yes, I could have dropped it off anonymously. But I didn’t. I threw it out.

::Wow, that feels better.::

It’s probably been updated now, but I used to visit a high security government establishment. Each morning there was a queue of staff at a set of desks establishing their identities to a human being. This involved a face scan and a fingerprint reader as well as satifying the guard. Once accepted, you were given a plastic card with a chip on it and your photo - this hung on a lanyard round your neck. Everyone got a new one every day just like visitors like me. As a visitor, I had to be vouched for.

The card only allowed access to the places where you were working and the inner public areas. Any attempt to open an unauthorised door set the alarms off and, as I discovered, gave the miscreant a good deal of ball ache.

No one went home with a working card as they were deactivated at the end of the day, and it would have been very hard for an intruder to fool the guards into giving him a card.

No big deal, they just issue a new one for the person who’s secureID was lost/stolen. It happens all the time, and they’re useless unless associated with an account.

I did work in the casino industry as IT. I actually built a casino.

The count room was sealed with hard ceilings and walls vs the rest of the casino which had drop ceilings and standard dry wall. The count room was behind the cage so you had to a) get into the man trap for the cage and b) get past the door into the count room.

The security for the count room was pretty strict, for example, if I went in and there was any money in the room I had a guard as an escort. There were also cameras everywhere. However, the surveillance folks didn’t do ‘eyes on eyes’. They didn’t need to as everything was recorded and stored for ~30 days minimum. The cash went through counting machines that I had to fix from time to time. If it was a mechanical issue, a vendor came out. If it was IT, I worked on it. The counting machine did all the heavy counting unless there was a discrepancy, or at least that was my understanding.

The Oceans Eleven image of the surveillance rooms isn’t anything like the real world. There were ~30 or 40 monitors on the walls with live feeds from the cameras on the floor. There were ~ 8 desks with dual PCs. One PC on the surveillance network, which was isolated from the rest of the network, and one regular PC. The room was rather boring. There would be anywhere from two to five folks working surveillance at any time.

The big thing with surveillance was the camera systems. All cameras were fed into recorders that then moved the data to a SAN (note, they were working on moving to all IP cameras when I left). The SAN was huge, think terabytes, and could hold a lot of video. The video was held for 30 days and then, if there were no incidents, written over. The video of incidents was stored on the SAN, just moved to a different directory.

I sat in on a Cisco demo for surveillance, I got sucked into those because a) I would do the IT half and b) the surveillance tech was an awesome guy and helped the IT department out a lot. So therefore he got pretty much anything he wanted. Anyway, the new Cisco system would allow you to go to a camera, highlight someone and then the cameras would track the person through the casino by it self. Pretty slick.

On the IT side, there were no special password requirements for the cage or count room. We were on a 60 day cycle. Since there wasn’t really anything you could do on the computers to steal cash (other than try stuff like voiding sales, etc) the important stuff was the physical security of the cash.

Anyway, the count room would usually have a few hundred thousand on hand during the week with the amount increasing on weekends. The main security was the man trap, cameras and the security officers.

The security was simpler than you would think but also works better than you would think.

When I worked network operations at AOL, SecurID was the big deal for authentication. Considering I had root to the whole AOL network…


When I worked for the telephone company here the mechanical keycode locks to various areas were only changed infrequently. Often if you looked on the nearby wall or architrave somebody had written the code on it. More recently they changed many areas to passcard entry, and you frequently had to beg temporary access to an area and even then your ID card would only let you in for a day. I was designing the damn’ transmission equipment in the switch upstairs and they still wouldn’t let me in. One of the reasons I left that outfit.