Fucking passwords, or, the e-mail I'm not sending to HR right now

Every six months! Every six months this imperious e-mail demand that I change my HR system password to some new, cryptographically secure, pseudo-random alphanumeric string! Every six months I have to go through the damned verification process, spit out my staff id #, my phone #, the last four digits of my bank account #, my fucking blood type, whatever, to change my fucking password for the online HR system! I can’t do it anymore. You’ve broken me. ME. I remember the phone number of the house I grew up in and haven’t laid eyes on in over twenty years. I remember the student number I used as an undergrad and haven’t needed to use in twelve years. I remember my Social Insurance Number, my Social Security Number, my wife’s Social Security number, the 13-digit PIN for my calling card, the four different passwords I currently use for multiple e-mail systems, Unix logins, and bank accounts, pi to 35 digits after the decimal point, e to 15, the cube root of 2 to 9 digits for no goddamned reason, Jesus Christ I know the fundamental group of the Whitehead Link complement by memory!* Dare I say it, but I am pretty close to an expert in the not-so-high-paying field of REMEMBERING USELESS SHIT, but I have to write my goddamned HR system password on a slip of paper cleverly hidden in my office, because I can’t remember a goddamned random string of digits that I have to change every six months but almost never use!

That’s right, never! All I use the goddamned system for is requesting the occasional leave! But apparently that’s such a fucking high-security operation that it requires stricter password security than my fucking bank accounts, security so goddamned strict that it’s self-defeating! Congratulations! You’ve foiled all possible intruders, including ME, except that you haven’t because I have to write the damned password down, so anyone who can get into my office might be able to…gasp…REQUEST LEAVE IN MY NAME! Leave which my supervisor has to approve of anyway! My supervisor, who knows me personally, and would ask me “Say, are you going somewhere” if someone tried to request leave for me to JESUS CHRIST I CAN’T EVEN THINK OF A REASON WHY THEY’D DO THAT!

GRNYARRGH!! !# L@#!~J#!~

*LOOK IT UP.

Although I realize the password isn’t really used for much (requesting leave or whatever), you probably shouldn’t have actually posted it on a public message board.

Okay, I chuckled. Well done!

Our company Time off reporting system is also pure hell.

I posted this in another thread…

http://boards.straightdope.com/sdmb/showpost.php?p=9716424&postcount=9

I almost hate to take time off because I have to use the fucking thing.

Our timecard program is now accessed using our ID card - the kind with a chip within - and a password that (knock wood) hasn’t had to be changed since I got the card. The card slips right into a slot on the keyboard, so entering our work hours or vacation requests or other such things is quite simple. That makes up for the 47,829 other passwords and PINs I need to remember.

You have my sympathies. It sounds like someone took a computer security class far too seriously.

Ours happens way more often than every six months. We have 4 different passwords (not counting the voicemail.)

At least now they have made it so the security requirements are all the same, so I can use the same password for all 4 different systems. For the first two years of my employment here, we had 4 different passwords and they all had unique requirements for forming the password.

I’ve said it before in my office. IT thinks they are being very secure by requiring 10 characters with upper and lower case, including a number and a symbol, but in fact, since they are creating a password that nobody can remember in their head.

Therefore, they write it on a little post it note and have it, if not taped to the bottom of their monitor, then in their top desk drawer. Not very secure at all…

Oh…the password list. I have seven or eight at work. One of which is a four digit number, and two which change every six months.

I try to make it something I will remember rather than a string of random letters or whatever. So when we had an IT guy visiting doing some fixes to bugs in a new software we had installed he tells me, “Your password is too complicated.”

Isn’t that the point?

Of course, it’s all moot anyway, as we have to email our supervisor with our passwords. :rolleyes:

Six months? That’s nothing. The company I consult for requires 3 passwords, 2 of which must be changed every month, can’t be a password that I’ve used in the past 2 years, and have to include a letter, a number, and a symbol. The third password is one o’ those SecurID thingies that change every second.

I’ve gone through every password I can think of in the past year, and have resorted to using swear words. ‘Fuck8*’ or ‘GoatFelcher0!’, that kind of thing (no, those aren’t my real passwords, but you get the idea.)

Really, these companies are shooting themselves in the foot. Nobody can memorize those kinds of passwords, so everyone just writes 'em down somewhere. What’s the point?!?

My password needs to consist of capital letters, lower case letters, numbers, and symbols, be longer than 8 characters, and it gets changed every 6 weeks.

Also, my computer locks up after 2 minutes of inactivity, and I must re-enter the password.

I also have two critical applications that have different password requirements than above, and one of those changes every 3 months, while the other one changes every 4 months.

At work I have to remember my:

- Laptop HD password
- Network password
- Webserver password
- Commerce server password
- Test client password
- Test webserver password
- Test commerce server password
- Staging client password
- Staging webserver password
- Staging commerce server password
- eDM server password
- Timesheet server password
- VPN remote password
- Webserver logs FTP password
- Bug tracker server password

Some of these have to be changed every SIX FUCKING WEEKS. We’re having an HR system put in at the moment, so no doubt there’s another one coming along, and the accounting system requires two different passwords, but I have so far managed to avoid them.

I have not yet resorted to post-it notes on the monitor, but it’s only a matter of time. The worst circumstance, which happens all the time, is when I change the password first thing in the morning before my third cup of coffee - invariably I have to go to IT for a reset later in the day because my cleverly-chosen word or phrase just wanders out of my brain forever.

I think swearing passwords are a great idea - except I did get embarrassed a few weeks ago when one of the IT guys needed my network password and I had to tell him it was “wast3d”.

Can I suggest pass phrases?

For example, the following line was a recent password of mine:

Firefly was my #1 favorite show before Fox canceled it.

I don’t know how that would fly on applications, but as an Active Directory password, it works great, meets complexity requirements, never gets stored as an LM hash because it’s too long, and (at present) is practically invulnerable to a rainbow table-type attack.
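An added illustration of the LM-hash point in the post above (not part of any poster's message): LM hashing uppercases the password, pads it to 14 bytes and splits it into two independent 7-byte halves, and Windows stores no usable LM hash once a password is longer than 14 characters. The complexity rule below is a simplified three-of-four-classes check with an assumed minimum length, and `Spring2024!` is a constructed sample.

```python
LM_MAX = 14  # LM hashing only covers passwords of up to 14 characters


def char_classes(pw):
    """Count how many of the four classic character classes appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_complexity(pw, min_len=8):
    # Simplified policy (assumption): min_len characters, 3 of 4 classes.
    return len(pw) >= min_len and char_classes(pw) >= 3


def lm_halves(pw):
    """Return the two 7-byte inputs LM would derive DES keys from,
    or None when the password is too long to get an LM hash at all."""
    if len(pw) > LM_MAX:
        return None
    raw = pw.upper().encode("ascii").ljust(LM_MAX, b"\x00")
    return raw[:7], raw[7:]


def audit(pw):
    """Summarise what a defender reviewing stored hashes should expect."""
    halves = lm_halves(pw)
    return {
        "length": len(pw),
        "classes": char_classes(pw),
        "complex_enough": meets_complexity(pw),
        "lm_hash_stored": halves is not None,
        # An all-null second half means the password is 7 chars or fewer.
        "lm_second_half_empty": halves is not None and halves[1] == b"\x00" * 7,
        "lm_halves": halves,
    }


PASSPHRASE = "Firefly was my #1 favorite show before Fox canceled it."
SAMPLES = [PASSPHRASE, "wast3d", "Spring2024!"]  # last one is constructed

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), audit(pw))
```

The two shorter samples lose their case and fall apart into pieces of at most 7 characters that can be attacked separately, while the pass phrase never produces LM halves at all.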

Screw them…I’ve decided that it’s all BS anyway so I just pick a letter and start with either 1 or 9. Hold down the shift key for the first 4 characters and the rest just fall into place. So for example if I picked the letter m and started with 9 this time, my password would be

M(M*M&M^m5m4m3m2m1

Since our passwords have to be 18 characters long, have two upper case, two lower case, two numbers, and two special characters, cannot be any of the last 20 passwords and changed every 45 days, this is the best I can do that doesn’t have me writing it down.

Good idea, but this would be difficult. Most systems won’t let you have strings that long.

Now there’s an idea I can get behind! However, my phrase would be more like, “Hey you loser cocksucker secret handshake assholes! You can bet I remember THIS one!”

RIGHT! <Monty Python>
My password has to be 15 characters long, and consist of a font that I have devised myself, written in Tagalog. I have to change it every 2 days, and if I enter it incorrectly, my computer explodes. </MP>

You’re responsible for whatever pseudo-random alphanumeric string you want to use for the next six months, yes? If so, do what I do: use zip codes. The passwords we use to access the network at work not only need to be changed every six months, we’re also not allowed to re-use any password within four years. These passwords must be at least 8 characters long and must contain at least one of each: capital, lowercase, number, non-alphanumeric (i.e.: punctuation). My passwords look something like 60606-6336iL (not actually a password I use).

I would like to take this opportunity to express my appreciation to my department, which, when given six databases with password capability, set five to blank and made the time sheet password the last four digits of our SSN. The idea being that you had to log into the network to get to the databases, so the network password and the door code to get onto the floor were more than enough security and more than enough to remember.

They also let the email password be permanent, rather than updatable. The network password has to be updated every quarter and the citywide accounting database password updates sooner. Also you have to petition to get access to the accounting database and permission is given one page at a time. . . if you can convince them that you need the access. Further security is provided by the policy of there being no training or handbook available for the system. But that’s not my department.

In my department, they had the opportunity to slap a bunch of passwords on us, and they declined. Cool beans, guys.

Sample passwords anyone can remember:

R3dF!sh (Redfish)
C0mPan!on (Companion)
K!tt3ns (Kittens)
S+r8D0p3 (StraightDope)

It’s easy enough to come up with a word of the required number of characters and substitute random capitals/numbers/special characters in the mix.

[But by all means, continue bitching about passwords. It’s very cathartic at times. I just had to change my network login yesterday and I’m still having trouble remembering that I changed it (but not what I changed it to.)]

We don’t have that yet, but we’re about to have something based on CAC to handle building and computer access.

As for the OP - yeah, someone in your company’s taking this too seriously and is doing a really craptacular job at it. You probably don’t want to know that thanks to the minor miracles known as Active Directory and single sign-on, a lot of our systems have no passwords at all - they just automagically pick up your identity from the network.

But, it takes clever, or at least reasonably intelligent network administrators to set it all up. Sounds like your employer is a little short on clever.