Damn password expiration policies

Yup. I work with doctors who do research in a clinic setting. These days, almost every study we work on has at least two different logins that you have to remember - one for the online training, one for the secure data entry portal. Sometimes two different online training systems for one study, or a separate system for the confidential documents on the study. Of course, few to none of them, even on the same trial, have the same login format or same password requirements, and some will randomly force you to make new passwords every 60 days or so.

(This is on top of our own medical center’s online training, which has a totally different login method from the E-mail or medical records access or your online research submission account. Or, for that matter, your online research training for the medical center.)

So a doctor who’s participating in, say, 6 different clinical trials might have to remember 12-18 completely different web addresses, usernames, and passwords just for those trials, and not including the stuff they have to remember just to be a doctor at our medical center, much less a researcher too.

Thus yeah, maybe every couple weeks or so I’m sending a password reset request to one help desk or another because, not surprisingly, one of our docs forgot how to log in to some secure website, and every now and then the tech support guy even CC’s me on the response/reset E-mail.

So no, I’m not surprised when people turn to things like writing down info or using a password vault. I have to do so for myself just to function in my job.

The solution to this problem is to use a dedicated password safe program. I use KeePass, which works on Mac, Windows, and Linux, and is free.

I have one master password that is very strong that I have to remember (but it’s just one), and all of my other passwords are randomly generated by KeePass to be as strong as possible. When I want to log in, I switch to KeePass, type in my password, and I see a list of logins (the usernames and passwords are not shown, but things like “Amazon” or “Mail server” are). I Ctrl+C on the one I want to put the password into the clipboard, then Ctrl+V in the password field.

KeePass is set to automatically clear the clipboard and lock itself after 1 minute of inactivity. The password file uses strong encryption to protect the data. The password file is backed up, and is shared via Dropbox, so if I make a change on one computer, it’s propagated to the others almost immediately.

Far more secure than a Post-it and easier to manage.
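What “randomly generated to be as strong as possible” amounts to in code, as an added example (this is not KeePass’s own generator and not code from the post): draw every character uniformly from the full alphabet with a CSPRNG, reject candidates that miss a required character class, and report the entropy of the result. The character classes and the default length of 20 are assumptions for the demo.

```python
import math
import secrets
import string

# Character classes a typical site policy asks for. The symbol set is an
# assumption for this example; real generators let you choose it.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT_REQUIRED = ("lower", "upper", "digit", "symbol")


def meets_classes(pw: str, required=DEFAULT_REQUIRED) -> bool:
    """True when at least one character from every required class is present."""
    return all(any(ch in CLASSES[c] for ch in pw) for c in required)


def generate_password(length: int = 20, required=DEFAULT_REQUIRED) -> str:
    """Uniformly random password over the union of the required classes.

    Rejection sampling (retry until every class appears) keeps the output
    uniform over the set of acceptable passwords; picking "one from each
    class, then shuffle" would not, and secrets.choice is a CSPRNG, unlike
    random.choice.
    """
    if length < len(required):
        raise ValueError("length too short to hold every required class")
    alphabet = "".join(CLASSES[c] for c in required)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_classes(pw, required):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    20 characters over the 86-symbol alphabet above is about 128 bits,
    which is why a vault-generated password never needs periodic rotation
    on strength grounds."""
    return length * math.log2(alphabet_size)


def mask(pw: str) -> str:
    """What the vault shows on screen for an entry: only its length."""
    return "*" * len(pw)


if __name__ == "__main__":
    pw = generate_password()
    print(mask(pw), f"{entropy_bits(len(pw), 86):.1f} bits")
```

The rejection loop terminates quickly: for 20 characters the chance that some class is entirely absent is small, so most candidates are accepted on the first draw.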

<INPUT type=text name=pwd size=10 maxlength=10>

We changed maxlength to 20, and all was right with the world.

Congratulations! You win the sleuthing prize of $100! Go to www.smilingbanditwins.com to claim it. Your password is ***********.

I have 5 separate passwords at work, they must be changed every 30 days, and you can’t reuse the last 50.

I keep it simple. My passwords are taped to my monitor.

I am a network admin and I have a shit load of passwords and I seem to manage without too much trouble. Our pw policy is fairly tight but I have had much tighter (especially when I worked in the NOC at AOL). Most of our users will have a strong Windows password and maybe, at most, three other passwords. I have way more passwords than that, some of them I don’t get to make up. Ours last 90 days.

We make an effort to make the password policy easy to use and at the same time, secure. Sadly, they don’t go together that well. If there was an easy yet secure solution to this someone would get really rich.

However, since there isn’t an easy yet secure solution at this point they have to do what we say. Our data is way more important than any inconvenience the users might run into. Also, we do check under the keyboard, etc. when we are out working with the users. Those that have the pw’s written down get a nice but firm talk about how they cannot do that.

I understand that it is a pain in the ass, but guess what? There are many things in life that are a pain in the ass.

My data is more important than the 5 minutes it takes for a user to get their password reset.

Slee

As I said before…I have no problems whatsoever with strong password requirements. I’ve got two passphrase/leetspeak combo type things that I use for the majority of my personal stuff. I have a few variations that I will tend to do depending on the particular password requirements of a server/service.

It’s the mandatory changing without being able to reuse that drives me bonkers. I can remember a few very strong passwords…asking me to keep what amounts to 10 or 15 straight in my head is just not going to happen…especially for things I only log into occasionally.

I probably should get a password vault for my phone or something, but if the passwords are very strong, there shouldn’t be a need to change them unless there’s been evidence of a security breach, IMO, or you’re working on some super-secret national security system.

Yup, the constant changing - and last I read, changing isn’t all that helpful because once a hacker finds out a PW they’re not going to sit on it - drives me berserk, as does the need for multiple password formats/requirements.

I don’t care about making the call to reset my bosses’ passwords. Not my money I’m burning since it’s a toll-free call (though the study sponsors must get annoyed after a while, and I hear the tech support guys say stuff like “we just reset this two months ago” - yeah, well, that’s the last time he logged in and he doesn’t remember it any longer), and frequently I get to talk to nice young men with Irish or English accents.

It pisses the ever-living crap out of the doctors I work for, though, since all of this junk (at least within each study) would ideally be handled through one “portal” login rather than 2-3 different sites creating a kludge of data and information. Plus then they gripe “what do you mean I can’t just change it back to my last password?” Sorry. Gotta be creative and come up with dozens of these. I’ve locked myself out of important databases after finding out - after lockout - that I only got 3 chances to remember my password. :smack: I’ve got about a dozen in memory of middling-level security and a few rather strong ones; it’s easy for me to blow through my chances that way.

I use a simple password system and it works like a charm.

Assume I want to use “Clothahump” as my password. I’ll change the first vowel to a digit, then insert the two digit month after the fifth character. So my current password would be “Cl0th07ahump”.

I change it on the first day of the month and I use that schema forever.

People won’t put up with it, though. They don’t see your data as being more important. Threads like this on how to thwart anything you do are all around the net. Heck, even KeePass is designed to thwart the security of having multiple passwords.

Security people seem to be more into trying make other people do what they want them to do, rather than realize what they actually will do. That’s a big mistake.

And I don’t see how what YOU can do is relevant. The least security conscious person on your staff is the person you have to be concerned with. The fact that you work in security is a pretty good indication that you are going to be overly security conscious, and willing to do a lot more than anyone else.

In my opinion, if your data is so precious that you need 12 passwords, you need to go to finger print readers and ID cards, not try to rely on people to use and remember those passwords. Those just create the illusion of security. You’re only as strong as your weakest link.

As for passwords in my personal life, I will continue to do what I was taught a long time ago–make something I can remember, not make up random numbers and letters and expect my brain to be able to remember it. My brain just doesn’t work that way. I don’t memorize: I LEARN.

I find series of things that I can use for passwords that will let me stretch out the time until I have to think of a new set. For example, ones that I used last year (and won’t use again) were Mercury1, Venus2Venus2, Terra3Terra3, Mars4Mars4, Jupiter5, etc. (word+number repeats until I get up to the minimum password length). It at least makes it likely that I’ll remember what the next one ought to be the day after I change it, until I get used to typing it in again.

It’s not that people don’t see the data as being important, it’s that they need to use that data to do their job. The biggest pain in the ass is when I need to access a file RIGHT NOW because the boss needs it. So I log in, only to be greeted with a damn password change. There’s not even an option to do it later, I have a five minute roadblock to doing my job because some IT security person has decided that a password is only good for 30 or 60 days. True, five minutes isn’t a big deal, but that’s just one password - I have at least seven that I need to keep up with.

If a 12 or 15 character password is considered to be strong, why the need to change it so often?

Yeah, this is what I do. I have to change my password every 90 days. It has to have at least 1 cap, at least 1 character and at least 1 special character.

So it’s Password!1, Password!2 and so on. All I have to remember is the number on the end.

If you have a second system that can’t have the same password as the first, make it something like Unpassword!1, Unpassword!2 and so on.

Until you run into the password rule that you can’t have more than 4 characters in common with your previous password. Whoever came up with that should be severely beaten. It breaks every memory trick I use.

My last job required me to change my password monthly and the new password could not have the same character in the same position as the previous 3 passwords, so neither of these systems would have worked there. It made coming up with passwords a real PITA, as you can imagine.

Verizon has an odd system. If you forget your username or password, you can enter your email and they send you a temp password.

After you log in with the temp password you have to change it twice. The first one CAN’T be any longer than 5 characters. And then you have to change it again. The final password MUST be 8 or more characters. After you change it to log in, if you put in the 5 char pw it will not work until you change it to an 8 char pw. It’s odd since you think of a good 5 char pw for the first one thinking that is your new pw. And then you have to change it to a new one. It’s screwed me up more than once.

I use a password safe program on my BB Storm now. Fairly well encrypted to get into, and the info in it does not give up any info for what the password is for. Only I would understand that F is for a certain credit card company.

I’m a programmer/systems analyst. A lot of my work involves managing and converting data between different local in house DB’s. For behind the scenes I work through SQL management studio, I have the keys to the kingdom and regularly modify thousands of records with SQL. That’s part of my job. I was tasked with converting the data from the old DB to the new DB.

But I get this crap -

Me – “permissions are screwed up again, I need permissions to add and delete a record for testing through the application. I no longer have permissions, what’s up? “

DBA – “Why do you need to delete a record?”

Me:sigh: – “Testing”

DBA – “If you need to delete a record, put in a help desk ticket”

Me – “I need to test what tables are affected by such and such action. Need permissions so I can test action through the app.”

DBA – “What is the bad record? I will delete it”

Me – “It’s not a ‘bad’ record. I need to test through the front end. To do this I need to be able to add and delete a record to analyze the tables it touches. I can’t do this without credentials for the app itself, I don’t want to do it through SQL management, I need to see what the app does”.

DBA – “What is wrong with the record? You should never delete a record.”

GAAAAAA!!! This isn’t from some DBA in India. This is a person I know. I helped her physically load the servers into the racks.

All through this exchange I was very succinct and explained what I needed to do. But the DBA seemed to only read, or comprehend, half of what I emailed. Really, DBA, I did all the data mapping and mining between the old and new systems. Data conversion is my specialty. Since I don’t have the .net code of the new system (third party), I need to at the very least be able to test it to see what the hell it does before writing SQL and just pushing ‘Enter’.

12 freaking emails later, and calls to my boss and boss’s boss, I finally got the credentials (again).

Yesterday, I asked to have a new DB added (oh god, oh god, I suspect this will take 20 emails). I explained what the DB was for and who needed what permissions and that I would add the tables once it was created (I have credentials to create the DB, but went through the channels). I specifically said that I would add the tables once the DB was created.

Miracle of miracles the DBA added the DB, and I received this email from the DBA – “I created the DB, do you want me to add columns to it?”

Bwahh? Add columns? To what? An empty database that does not have any tables in it? Sheesss. Just because you can run windows update and schedule backups does not make you a DBA.

Sorry for the hijack.

These comments seem to imply that the password file on the system is not encrypted (disallowing the previous x passwords can be done even with encryption since you can just store the encrypted passwords), which suggests that IT needs to fix their systems in case a hacker is able to grab the password file.

Actually, I am not the security guy. I work with him but it ain’t my main job, I am a server guy.

If people won’t put up with it then they can’t access the network. Rather simple. We are trying to find that fine line between security and usability. It isn’t easy. Our users don’t have 12 passwords, at most they have four, though a couple individuals may have more for some specialized stuff (oddly, we never have pw problems with them).

At AOL we used SecurID. I’d love to put that into place but it costs too much. So we have to use what is available.

Password management is a fact of life these days. People need to get used to it. It isn’t going to change anytime soon. In my business we deal with very large sums of money on a daily basis. The possibilities for employee theft are really high. (Hint, it is a casino). Our passwords are as lax as we can have them while still being secure. Our job is not to punish the users but protect the information that is important.

It’d be nice if there was a perfect mix of security and usability but there isn’t.

Slee

When I hit one of these systems, my five minute delay can run into a fifteen minute delay or more. The worst part is this:

Enter old password: enters old password
Enter new password: enters new password
Re-enter new password: re-enters new password
New password invalid

It would be a huge help if the first step was to enter the new password and the system to check it to see if it is valid before I have to enter it again or enter my old password.

This is what gets me. Mandate a long, randomish string. Require 12 characters with no duplicates and at least 3 numbers and one non-alphanumeric symbol. Make the passwords strong, then leave them be.
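Three posts above describe pieces of one password-change routine: the observation that a “can’t reuse the last N” rule needs only hashes of the old passwords, the complaint that the new password is validated only after the old one and the confirmation have been typed, and the rule proposed here (12 characters, no repeated character, at least 3 digits, one symbol). The following added example (not code from any of the posts, and not any real system’s implementation) puts them together: the new password is checked against the public policy first, then the old password is verified, then similarity is checked against the current password only, which is the only one available in clear at change time, and finally the candidate is re-hashed with each stored salt to detect reuse. PBKDF2-HMAC-SHA256, the 100,000 iteration count, the history depth of 5 and the “more than 4 positions in common” threshold are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from collections import deque
from typing import Optional, Tuple

MIN_LEN = 12
HISTORY = 5          # how many previous password hashes are kept (assumption)
MAX_COMMON = 4       # positions allowed to match the current password (assumption)
ITERATIONS = 100_000 # PBKDF2 work factor; tune for your hardware (assumption)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per stored hash."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def verify(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against one stored hash."""
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def policy_errors(pw: str) -> list:
    """The rule proposed in the thread; every failure is reported at once so
    the user fixes them in one go instead of one 'invalid' at a time."""
    errs = []
    if len(pw) < MIN_LEN:
        errs.append(f"shorter than {MIN_LEN} characters")
    if len(set(pw)) != len(pw):
        errs.append("contains a repeated character")
    if sum(c.isdigit() for c in pw) < 3:
        errs.append("fewer than 3 digits")
    if not any(not c.isalnum() for c in pw):
        errs.append("no non-alphanumeric symbol")
    return errs


def positions_in_common(a: str, b: str) -> int:
    """Characters that match at the same index (the 'same character in the
    same position' rule from the thread)."""
    return sum(x == y for x, y in zip(a, b))


class Account:
    """Stores only (salt, digest) pairs: the current one plus a bounded history."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.history = deque([(self.salt, self.digest)], maxlen=HISTORY)

    def change_password(self, old: str, new: str) -> str:
        # 1. Policy is public, so check the new password before anything else:
        #    the user learns about a bad choice without an old-password round trip.
        errs = policy_errors(new)
        if errs:
            return "policy: " + "; ".join(errs)
        # 2. Authenticate with the current password.
        if not verify(old, self.salt, self.digest):
            return "auth"
        # 3. Similarity can only be measured against `old`, which the user just
        #    supplied in clear; earlier passwords exist only as hashes.
        if positions_in_common(old, new) > MAX_COMMON:
            return "similar"
        # 4. Reuse check needs no plaintext: re-hash with each stored salt.
        if any(verify(new, s, d) for s, d in self.history):
            return "reuse"
        self.salt, self.digest = hash_password(new)
        self.history.append((self.salt, self.digest))
        return "ok"
```

The history check costs one PBKDF2 computation per stored hash, which is why a history of 50 (one poster’s policy) at a realistic work factor is noticeably slow, and why some systems are tempted to store old passwords reversibly instead; the hash-only design here is the safer trade.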

My bank now requires passwords on online banking to be changed every 120 days. In addition to knowing my account number and password, if I’m on a public or shared computer, I have to enter the answers to three security questions. My browser cannot remember and auto-fill any of this information like it does many of my other passwords. (Yes, I’m screwed if someone steals my computer(s) and figures out the password into the systems. I accept that risk.) I am not telling anyone my password, even my mother with whom I live and who is a secondary signatory on all of my accounts for emergency purposes. So why does it need to change? If it’s not good enough to last, it’s not good enough, period.

Or they write it on a postit note and stick it in their desk. Do you do visual inspections of every desk regularly?