Fucking passwords, or, the e-mail I'm not sending to HR right now

That wouldn’t have worked at my last job. When you changed passwords, you couldn’t have the same character in the same position as your previous password. For a while I used a similar system, though; I had a post-it on my computer with a random string of twenty different characters on it and whenever I had to change passwords I would pick a starting point on that string and use the next six characters (looping back to the beginning if I’d selected one of the last five characters). Then all I had to remember was where I’d started.

Apparently I’ve been lucky. I’m forced to change all of my passwords once a month (except, oddly, for the laptop encryption, which never changes). But there are no elaborate restrictions - it just needs to be at least eight characters long. So I use the increment technique; I have a random base word (for a made-up example, “bicycle”) to which I add a three-digit number at the end, incrementing it each month. Bicycle219, Bicycle220, Bicycle221, etc.

The only exception is my unix password, which forces me to make at least five of the characters different. So I change it to “temp1234”, and then immediately change it again to this month’s standard password.
Storytime - when my company first started to get serious about security, we had a large meeting to talk about the new encryption that we were being forced to take. Previously we could view customers’ PINs and passwords directly by looking at a particular mainframe table (which was very handy for debugging, let me tell you). So there’s a huge group of people waiting for the meeting to start, and a view of that table from a client’s production database was up on the screen. The encrypted passwords now looked like garbage, of course, but the interesting part was that the password hints were still in English. We spent the next 15 minutes or so having a blast speculating about what the password could possibly be based on the hints. There was some really bizarre stuff in there.

To log in this morning, I had to:

  • Enter a hard drive password
  • Enter a Windows password
  • Enter a password to get into my company’s email
  • Enter a password to access the client’s windows emulator
  • Enter a password to access the trouble tracking system
  • Enter a password to get into the Oracle database
  • Enter a password to get into the client application
  • Enter a password to get into the Unix system
  • Enter a password to get into the timecard recording system
  • Oh, and though this is technically optional (from the employer’s perspective, not mine), a password to access my personal email

I will have to re-enter the Windows emulator password numerous times today as my connection times out, too.

All of these are different. All of these (except the hard drive password) must be changed on varying schedules, with varying degrees of re-use allowed, with radically different schemes. I spent all day trying to get my Unix password changed, as the old one had expired, the rules had changed, and every variation I tried - which explicitly matched the instructions that it must be 14+ characters and some combination of special and alpha and upper and lower and numeric - failed with a message saying “must be 14 characters or longer”. I finally guessed that the problem was the special characters. You see, despite them being all of the same specials I had used in the previous password (though different positions), the system no longer liked them. But did it say that was the problem? Nope. I finally tried some different characters and it worked. :mad:

It’s beyond ridiculous. There’s no way for a human to remember all of these, so they have to be written down somewhere. Which sorta compromises the whole “security” idea.

And then there are all the passwords for online accounts. I can’t complain about those too much, as they don’t change that often, but still…

You all made me feel so good about where I work. Two or three passwords, they can all be the same thing, they only seem to be changed when we hire a new CIO.

Strangely, no serious security violations to date.

Did you password-protect the Excel file?
:smiley:

Our company requires us to change once per month. I have noticed that the issue with passwords that causes the security breach is not people writing them down; it’s dumbing down the password.

For example, I used to use a password like this:

!Q2W3#eff

Now I use one like this:

spit1

Next month it will be spit2, then spit3, etc.

So I ask: Is it better to have one complex password that you use all of the time, or is it better to have a simple one that is changed frequently, but could be cracked by a 4 year old?

Stupid rotating passwords.

I love using sentences for passwords. I do the “first letter” thing. “I do believe in faeries, I do, I do.” becomes “Idbif,Id,Id.” and then you just tack on a number. I love picking out sentences and my hints.

Right now I think only a few of my school things require me to change passwords, but those are only every semester. I just pick easy things for those.

Complex passwords are rather pointless if they aren’t sufficiently long. There are a number of software packages that will crack any password less than N characters long, where N varies with the operating system and is constantly increasing as computers get faster, disks get larger, and cracking algorithms improve. Microsoft’s LanManager authentication is particularly vulnerable. Even 14 character passwords may be vulnerable if the company uses LanManager authentication to ensure compatibility with older systems.

See Rainbow Hash Cracking.
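The posts above weigh a frequently rotated simple password (spit1, Bicycle219) against one long complex one, and point out that LanManager hashes a 14-character password as two independent 7-character halves. The following is an added example, not any poster’s code, that estimates the attacker’s work in bits under each of those schemes; the passwords are the thread’s own made-up ones, and the character-class sizes (26/26/10/32) are an assumption taken from Python’s string module.

```python
import math
import string

# Character classes as the posts' policies describe them: lower, upper, numeric, special.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, given which classes the password uses."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    if size == 0:
        raise ValueError("no recognised characters in password")
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the guesses needed when only the length and character classes are known."""
    return len(password) * math.log2(charset_size(password))


def lanman_bits(password: str) -> float:
    """Work to recover a LanManager hash: the password is cut at 14 characters, upper-cased
    and split into two 7-character halves that are hashed (and so attacked) independently,
    so the cost is the sum of two small searches, not one 14-character search."""
    upper = password[:14].upper()
    halves = [h for h in (upper[:7], upper[7:]) if h]
    if not halves:
        raise ValueError("empty password")
    return math.log2(sum(charset_size(h) ** len(h) for h in halves))


def rotation_bits(password: str) -> float:
    """Guesses left to an attacker who already holds one password from a
    'base word plus incrementing counter' scheme: only the trailing digits are unknown."""
    digits = len(password) - len(password.rstrip(string.digits))
    if digits == 0:
        return brute_force_bits(password)  # no counter to exploit, full search remains
    return digits * math.log2(10)


if __name__ == "__main__":
    # Sample passwords constructed from the thread's own (not-real) examples.
    for pw in ("!Q2W3#eff", "spit1", "Bicycle219", "Idbif,Id,Id.42"):
        print(f"{pw:16} brute={brute_force_bits(pw):5.1f}  lanman={lanman_bits(pw):5.1f}  "
              f"next-after-leak={rotation_bits(pw):5.1f} bits")
```

The 14-character passphrase comes out near 92 bits against a generic search but only about 43 bits once LanManager splits it, which is the post’s point about length being wasted under that scheme.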

I just joined a new project (freelance consultant).

Two new network userIDs. For Company A and for its subsidiary, Company B. Why doesn’t a single one suffice? No idea, I’m a Computer Person but not a network expert. And oh yeah, I need them in order to access different shared drives.

Three new email accounts. For each of those companies, plus one for the Consulting Firm.

Each has different password requirements.

So basically now if you can figure out the password to my laptop, all you have to do is rummage around a few files… at least the passwords are all of the kind I can “codify” by writing down a reference rather than the password but hot damn!

Oh, and since I’m “external” and the boss doesn’t like email, my leave has been approved only verbally. If boss tries to make a fuss about it I plan on having a sudden attack of The Deaf.

My Dad cottoned onto the idea of using newspaper headlines week to week; when IT sent him a list of his past passwords to make sure he chose a different one, he was amused to receive a news digest instead.

Drat! We can’t bring USB anything into the building for fear of folks smuggling stuff out. One of the tradeoffs, I guess, as we do have many freedoms.

I’ve been leetspeeking the names of old D&D characters and surnames from whatever book I’m reading at that time. The thing that annoys me is that the passwords for different things change at different times/are always the password you originally set them to/get changed when the Windows password changes.

It’s always ‘fun’ to see my tools starting up and asking for my password and thinking “Well… hmm…”

And of course, my usual password is quite difficult to guess. It was made that way. Specifically it was made that way because it’s my old college computer account password. I couldn’t figure out the arcane dance to change it to something reasonable when I got it, so I had to carry the little scrap of paper that had it printed on the front. Eventually I just memorized it on a walk to my next class and I’ve been quite happy since.

ISTR Microsoft said it was of medium strength when I made a hotmail account.

Now the school’s online system (I have to check a few things once in a while, like if I need to order a transcript) requires at least 8 characters including at least one uppercase letter, at least one lowercase letter, at least one symbol, at least one number, and no word or fragment of word or name or anything else, even in leetspeak. So something like g0lff4n would be right out.

This of course means that the password they generated for me originally is not acceptable. :rolleyes:

Do they really enforce this? Many cellphones, PDAs, music players, digital cameras, etc. all have USB capabilities now – do they really tell employees they can’t bring any of those into the building?

And how would they enforce it, if they really wanted to?
USB memory sticks are so small they could easily be concealed. It would take a full strip-search, including body cavity checks to catch someone who was trying hard to sneak a USB stick inside. And they are being built into all kinds of things. I’ve seen USB memory built into a ballpoint pen, and into an ornamental pendant. It would be really hard to check all of these possibilities.

Sounds like yet another ‘rule’ promulgated by Security Staff, knowing that they can’t really enforce it, and without any real intention of actually enforcing it, but on paper it looks like they are doing their job. And rules like that are handy whenever the company wants to get rid of someone – they are fired because of this violation of company security rules, nothing to do with their race, or sexual orientation, or recent union activism, oh no.

…Heh.

We can bring cell phones in, and iPods and the rest, but we can’t bring their USB cables. The only USB items in the building need to be vetted by Our Tech Dude, who doesn’t do strip searches but very likely does have an alert on his computer whenever an unapproved USB device is plugged into one of the computers.

It’s a very serious rule. I work for a (very) large video game company. I have little doubt that developers are allowed to bring in USB sticks and laptops where I can’t, but I’m a grunt and they’re in another building in another state. In the grand scheme of things, my work environment is remarkably friendly and warm – we have the occasional half-day spent at Dave and Buster’s, comfortable chairs, and otherwise generally relaxed attitudes.

Another password silliness anecdote:

To access the work network remotely, we have VPN software which, of course, requires a password. Due to the security rules, it’s never something easily rememberable. But that’s OK, the software saves it for you. Except, it’s easy to accidentally uncheck the “save password” box which wipes the memory.

So you have to re-enter it. If you mess that up, the password gets locked out and you have to call for a reset.

There’s a nice automated system where you can have the password reset by phone. Only, the system doesn’t tell you what it is, it emails it to you.

To access the email, you have to get to the network.

What’s wrong with this picture? :smack:

As it happens, there is a way to get the password - it involves a completely different set of menu options, speaking to a human via a very bad VOIP connection to India, waiting on hold while that person leaves the password on your voicemail… then you retrieve the voicemail message. Which of course is nearly unintelligible because of the aforementioned bad VOIP connection.

Lucky! I had to first build a computer using nothing but part of the cardboard box that six of us lived in, the rocks on the ground, the occasional soda can tab that someone discarded, and an earthworm as a memory chip. Then my password could only be entered by the earthworm’s wife, which required me to take a course in earthworm language, but since we had no money I had to walk 20 miles to the local university and stand in the snow outside the classroom window while the teacher taught the class. Occasionally I could even see the translations she wrote on the chalkboard!

For additional security my father would beat me while I was whispering to the earthworm’s wife, so she would screw up my password anyway, which didn’t matter because the earthworm thought I was having an affair and refused to let me log on even with the correct password!

And MEBuckner, your shit was funny. I laughed. :slight_smile: