Damn password expiration policies

These things drive me nuts, especially with a short expiration time, crazy character /word requirements and the fact that I can’t reuse any of the last 10 passwords.

I have to access an outside company server for my job, and the above is the password policy. I’m going to be working on this project for a year and a half, and will, by this policy, require six different passwords throughout the project. Nevermind that another system I must use has similar requirements, but with different password strength requirements, so I can’t really reuse passwords between groups. Then there’s the fact that on the first system, I have to CALL someone to reset the password. Yes, that’s increasing security. :rolleyes:

Don’t people realize that when you require very strong passwords (which I’m fine with…I have a few very strong passwords I tend to use, which are very difficult to crack, but also easy for me to remember), but require constant changing of them, it makes it nearly impossible to remember the password for these systems…so what do I have to do? Write it on a post-it and leave it in my desk…thereby completely destroying any security the system purported to have.

Make me have a strong password, then let me keep the damn thing! If you must reset occasionally, make it yearly or something, not every couple months. I’ve now got two post-its for these two servers because I have to keep changing the password. Arggghhhhh…

I’ve always assumed that policies like this were based on the well known Hollywood fact that computers are far more vulnerable to teenage hackers working out of Mom’s basement than to people who have physical access to them.

Wait. You only have to do this for **TWO** passwords?


10 is not infinite. Write down 10 dummy passwords. Change through them all, then change back to the one you really want. This is what I do at work every 6 months, though they only remember the last 3.

What I actually do is even easier. Say my password is PASSWORD. When the 6 months is up, I change my password as follows:


No big deal.

ETA: I just noticed that you have to call someone to do this. I guess my hack only works because mine is online. Still I’m leaving this post up for the benefit of others.

And your hack only works where they’ll let you change your password that quickly - many systems won’t (because of people doing what you describe).

If I ever want to steal some computer stuff, the first place I’ll look for passwords is the top desk drawers (that’s where I always kept mine). Thinking about it, I guess you could keep the Post-It note with all your passwords on it in your wallet or something, so it goes with you.

It is funny that as password requirements get tougher and tougher, more and more people have to write them down to remember all of them. Welcome to the world of how people actually act, computer professionals. Not all of us can memorize pi to a thousand places.

Use a pass phrase.

One of my former passwords was:

Surely you can’t be serious? 1 am serious, and don’t call me Shirley.

Complete with spaces. Good luck rainbow tabling that! But it’s easy to remember and type in, and it uses upper, lower, numbers, and punctuation.

I like **Bricker’s** but for something shorter, take the first letter of each word and mush them all together.
Really, really hard to brute force, impossible to remember, but easy to figure out when you need it.

The password thingee on our machines doesn’t allow me to use spaces.

I invoke a pox on the people that set it up so that I can’t come up with a single strong password and use it everywhere due to conflicting policies (as in the OP).

Been there, done that. **Köh… Is it thy will, thy image should keep open. My heavy eyelids to the weary night?**… case sensitive, with punctuation and spaces…I used to just switch on to the next few lines when required, with a different throat clearing sound at the beginning.

I sometimes use epäjärjestelmällistyttämättömyydelläänsäkäänköhän as a part of the pass-phrase for non-domestic systems. It’s pretty easy to remember… and a bitch to guess at.

I use a variation of that, strengthened by making all nouns uppercase (I remember enough high-school German for that to be intuitive), thus making the mix of upper/lowercase less predictable. Insert the number of letters in the last word of each phrase/sentence to satisfy the common “must include at least one numeral” rule.

Example: “When criminals in this world appear / To break the laws that they should fear” → “wCitWa6tbtLttsf4”
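The derivation rule from the post above, written out as an added example so the worked result can be checked (this is not code from the thread); it assumes the caller marks which words are nouns, since the rule depends on the user recognising them, and it includes a policy check mirroring the “cap and number, but not longer than 8” rules complained about elsewhere in the thread.

```python
# Added example (not from the thread): the poster's passphrase-to-password rule.
# Assumption: the set of nouns to capitalise is supplied by the caller; the rule
# relies on the user knowing the nouns, not on a part-of-speech tagger.
from __future__ import annotations

import re


def derive_password(passphrase: str, nouns: set[str]) -> str:
    """Apply the rule: phrases are split on '/', each word contributes its
    first letter (upper-case only for nouns), and each phrase is followed by
    the letter count of its last word."""
    noun_set = {n.lower() for n in nouns}
    out: list[str] = []
    for phrase in passphrase.split("/"):
        words = re.findall(r"[A-Za-z]+", phrase)
        if not words:
            continue
        for word in words:
            first = word[0]
            out.append(first.upper() if word.lower() in noun_set else first.lower())
        out.append(str(len(words[-1])))  # numeral from the last word's length
    return "".join(out)


def meets_policy(password: str, min_len: int, max_len: int | None = None) -> bool:
    """The complexity rule quoted in the thread: length bounds plus at least one
    upper-case letter, one lower-case letter and one digit."""
    if len(password) < min_len:
        return False
    if max_len is not None and len(password) > max_len:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


# Constructed check against the worked example in the post.
EXAMPLE = "When criminals in this world appear / To break the laws that they should fear"
EXAMPLE_NOUNS = {"criminals", "world", "laws"}

if __name__ == "__main__":
    pw = derive_password(EXAMPLE, EXAMPLE_NOUNS)
    print(pw)                              # wCitWa6tbtLttsf4
    print(meets_policy(pw, 8))             # True: cap, number, at least 8 chars
    print(meets_policy(pw, 8, max_len=8))  # False: the "no longer than 8" system
```

Note that the result is only as unpredictable as the quotation it comes from; a well-known line contributes far less entropy than its 16 characters suggest, so the scheme is a memory aid rather than a substitute for a randomly generated password.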

I long ago gave up trying to remember any passwords other than the few I use regularly. I put them all into a file (along with any other login info I may need, such as ID codes, answers to password hint questions, etc.) and password protect the file. That way I only have to remember one password. There are also a number of freebie programs which will do this for you.

Ah, what an appropriate thread, as I just changed my password an hour ago. I hope I remember it on Monday.

We had an interesting situation at work a couple of months ago. We have to have three things, a user name, a systems password, and a Windows password. The systems password is short, in the form 1aaaa. (A number followed by 4 lower-case letters.) That alone was sufficient to log you into any system. It functioned as both user name and password.

TPTB decided that that was not secure enough. Anyone who administered a system had to change it to user name/Windows password, which has some additional strength requirements. My office mate made the changes and tested them – everything worked. I copied her code to another application, and everything worked. We put it into production and all was well. Once in a while we got a call from someone who could no longer get in. They were trying to use user name/systems password. When we told them to use their Windows password instead, they were OK.

Except for one person. We told him again and again to use the right password, but he just didn’t get it. Moron!

Make that two people. One, two, five! Five people couldn’t get in. How many more were there going to be?

This was on a Friday and the guy that wrote our new XML call was unreachable. We had to figure out what was going on.

I looked for similarities among those five. All in the same department? Nope. All at the same site? Nope. All using the same app? Nope. All with the same last initial? Nope.

I got curious as to the nature of their passwords themselves. Was anyone using strange characters such as !, %, or ?? Nope.

The format of my password was Aaaaaa11. My office mate’s was AaAaa111. We checked out someone else’s, 11Aaaaaa11. They all worked. So I asked some of the five problem people. Aaaaaaaa1111, aaaaaA111aa, 1111aaaa1Aaa. They all looked very normal, and worked to log into Windows.

I’ll let the Doper sleuths figure out what to us should have been obvious but wasn’t.

What I do is take a long quotation that I know by heart, grab the first letters, and do a mild “l33t-sp3@k” translation of the letters left. I don’t go all out and 1337 everything, just certain letters that I can do out of habit.

Edit: And yeah, Bookkeeper, for those where I can’t do that or have to change too often - and where it may not even be obvious what my username is, I have a program that stores that kind of info for me.

I’d like to get on board with this rant. I have a system using a stem word plus a set of related words, and sometimes numbers and punctuation, and some mnemonic devices. It’s about as easy to explain as the structure of the British government but it works pretty simply for me.

Except on one system. You see it’s too long. They demand I use a capital, and a number, but it can’t be longer than 8 characters, and that just busts my system. Further it angers me because I can see no reason for this, other than bad programming. Can’t be having people with passwords that are too secure now, or not secure enough. The system was designed by Goldilocks.

Another thing I hate is being auto logged off if I’m idle too long. I’ll log my god damned self out. It’s this stupid AJAX piece of garbage for school. I have to post on it a total of like 8 times a week. Problem is I like to take time and think things out before posting, and I’m not typing while I think. If it logs me out my work is gone, because the back button doesn’t work with their garbage AJAX. If I know it’s gonna be a long post I’ll type it out in notepad, but sometimes I forget, or have to go to the bathroom, or something, and come back to a login page and this feeling.

So close yet so far. My company won’t let me use one of my 10 previous passwords or anything from the last six months. Foiled again!

That’s where the progression
etc. works for me.

This is what I do, except the number represents the month. So at the 1st of the month, change all your passwords. Your core password doesn’t change, so it’s easy to remember.


For all those who are bitching about passwords, you ought to be thanking your I.T. department if security matters to you at all.

We recently hired a security company to come in and check our network. They sat down at a PC logged in as a standard user. Within about an hour they had access to just about the whole damned system. We had OK password requirements: 8 characters, a cap and a number required. I’ve got a pretty good idea of what they did but it was faster and they got in deeper than I expected. After that our password requirements were upped. The second time around they didn’t get in from passwords.

Of course, these guys and gals were security experts and had access to a logged in system. However, they are on the same levels as the hackers/crackers out there. If they can do it so can the bad guys.

This pw requirement change caused a lot of bitching and a ton of work for us IT folk. The first week all we did was reset passwords. Now it has calmed down and we are back to changing passwords every once in a while.

Oh, Bookkeeper, you do realize that hacking a password-protected file is rather trivial, right? There are tons of free programs out there that will get you into Excel/Word files without a whole lot of effort.

Except how the fuck do you expect people to remember a dozen passwords that change every few weeks and can’t be easy to remember?

The human brain doesn’t work that way, so they have to write it down.

If you make the authorized users hate your security system, they’ll work around it. A strong security system that people won’t comply with is worse than a weak security system that they will. It doesn’t do any good to require a really good key to the safe door if they just prop it open.

Lemme guess: they didn’t sync the maximum password length, eh?