Grr!! Do I REALLY need a case sensitive password 8 characters long??

[hansel]

Dead_Badger:

Obviously, setting unreasonable password requirements that cause even well-meaning users to resort to writing down their passwords is just as stupid

I’m a security guy, and I write down my passwords. Bruce Schneier says it’s okay to do so. Just don’t leave it stuck to your monitor. Keep it in your wallet or purse, which you’re already well-trained to keep secure. The greatest danger from someone guessing your password isn’t logging on to your computer while you’re in the shitter, it’s using your account for remote access to the corporate network, from where they leapfrog to other networks or attack further accounts from the inside by exploiting other vulnerabilities like OS rootkits or routers (the massive TJ Maxx hack involved installing a trojan on the router in front of the database and sniffing all the unencrypted traffic that was, in the database, very securely stored).

We’re in an uncomfortable period where the requirements for a reasonably secure password exceed what can conveniently be remembered, but before we move on to devices like swipe cards or one-time password devices (e.g., RSA SecurID token). In a couple decades we’ll likely be using fobs of some sort, if not eye scanners or rectal probes for far greater security.

MEBuckner:

The logic of saying you “can’t use a word”–even some really random word, like “zoetrope”–is that it would be vulnerable to a “brute force dictionary attack”. But with any password system worth jack shit, wouldn’t that go something like “aardvark…aardwolf…Aaronic…aasvogel…abacus…You’re account has been locked for repeated password violations. Please contact the system administrator to have your password reset”?

Logging in is one way to brute force passwords, but there are many scenarios where the password file can be stolen, and your dictionary passwords tested at leisure without a login throttle slowing it down. There’s also rainbow tables, which are pre-computed hashes of passwords up through 7 characters (hashes being how they’re typically stored). At 8 characters, the size of the rainbow table is prohibitively big, which is why the 8 character minimum.

Windows 2000 had a famous vulnerability where it stored passwords greater than 7 characters in length as a concatenation of a hash of seven characters + a hash of the remaining characters. If your password was ‘password’, it would hash ‘passwor’ and concatenate that to a hash of ‘d’. It’s like they were trying to accommodate the limitations of rainbow tables as an attack vector.

[Anaamika]

[quote=“hansel, post:61, topic:372151”]

Dead_Badger:

We’re in an uncomfortable period where the requirements for a reasonably secure password exceed what can conveniently be remembered, but before we move on to devices like swipe cards or one-time password devices (e.g., RSA SecurID token).

I have a password I have to change every 60 days and an RSA SecurID token. And that’s just to get on the computer. I have multiple passwords for the different programs I access.

Bring on the eye scanners, please!

[ataraxy22]

I usually use this as my password: ZomB1e1234.

[Aji_de_Gallina]

Shakes:

If it weren’t for all these fuck’n passwords clouding up my brain, I’d probably be able to work out a viable plan for peace in the Middle East!

I’m going to steal this quote.

PunditLisa:

AHunter3:

Passwords that people can’t remember except by writing them down on post-it notes are pretty damn useless.

Amen. In their zeal to be more secure, they have made it ridiculously insecure. Give me 60 seconds at a co-worker’s cubicle and I guarantee I’ll find their password list. (Probably in their right hand drawer. Using the key that is under their keyboard.)

Particularly because they are labelled “PASSWORD”.

Cubsfan:

I’m in the military and my password must be FIFTEEN fucking characters long, have 1 uppercase and 1 lower case letter AND 1 special character, can’t have any words in it and it can’t “look like a word” like 100k or other leet gibberish.

Oh, we have to change them every 90 days 2 and can’t reuse the same password within 20 changes.

I forgot to add, if you think I work on some classified system you’re wrong. I’m in grad school at AFIT and these computers are stictly on the .edu domain.

Fucking retarded.

But…in the movies, when you access any military computer you can fire nuclear missiles!!!

[carnivorousplant]

ataraxy22:

I usually use this as my password: ZomB1e1234.

Is that the one you use for the SDMB?

[Lightnin]

Chimera:

Very easy.

“June2010”
“July2010”
“Augu2010”

This is the best solution, in my mind. Change it monthly whether you’re required to or not, and you won’t ever forget it. Of course, it’s easy for someone to guess this, so it’s not real secure… but to fight that, all you have to do is add in something unique, like a few letters/numbers that never change.

[Harmonious_Discord]

1. They don’t let people write down the passwords on paper.
2. They generate new ones every 30 days.
3. The oldest employee is covered in over 100 crossed out alphanumeric tattoos.

[Anaamika]

You’ll not find my password list anywhere on or in my desk. L)

[running_coach]

anaamika:

you’ll not find my password list anywhere on or in my desk. L)

11eeeeeewwwwww!!!

[Sailboat]

Sierra_Indigo:

I feel your pain there Jjim. My list is just as bad… To start off with, there’s the WinXP/computer login password. Min 8 characters, case sensitive and needs at least 1 number. Then when I’ve logged into the computer, there’s at least 14 unique programs that I have to get into each day in the course of doing my job. And Every. Single. Program has its own unique password requirements. Some will accept the 8 letter + 1 digit format that my main PC login uses. Some just want between 6-8 characters, any characters. No upper case or numbers required but you can use 'em if you want. A couple require a 10 digit password that includes at least 1 special character, 1 upper case character and 1 numeral. Certain dictionary words are not allowed in some systems.

But the number of different password requirements I can deal with. That’s not a problem. What is the problem is that every system also has a different timeout period for the passwords, and different restrictions on how quickly you can reuse a password. My computer login is 90 days. Some systems are 30 days. One system, for god only knows what reason, is 45 days. Two systems I use have never asked me to change the password. There’s one with a 60 day timeout. Some systems won’t let you use the same password until you’ve used at least 6 others. One will let me go through four and then go back to the start. One system won’t let me use passwords that are “too similar” to ones I’ve used before (meaning at least 50% of the password has to be different to the other passwords I’ve used). Others will accept the /same/ password straight away, but you’ve got to go through the bullshit of “changing” it when the prompts come up, or else you get locked out of the system after it expires. It’s nuts. When I first started at this company, I set all of my passwords to variations on a similar core password. Two years later, and I’ve got at least seven or eight completely different passwords due to the completely insane system requirements.

This pretty much mirrors my experience as a gov’t contractor.

[bouv]

The next time the people I work with complain about having to change their passwords, I’m going to show them this thread. Only two passwords, and very loose requirements:

1. Changed every 90 days, can’t be one of the previous…6? I think?
2. Has to be at least 8 characters, and contain one upper, one lower, one number, and one punctuation.
3. Uhhh…that’s it.

Oh, and one of the two passwords never has to be changed, it’s the same from day one unless you want to change it or need it reset.

The first (non-changing) password is for the university email, computer login, and online things like the PeopleSoft human resources website, and the BlackBoard online class website.

The second (changing) password is just one our department has, it’s for logging into Citrix, and then for logging into a program we use in Citrix (yes, the program is designed to use the same username password as the Citrix login, and changes automatically with it…why it can’t just log in to that program with the username and password for us I’ll never know.)

Even with the relative ease of our password system, people bitch and write them down. I mean, really? You can’t keep two passwords memorized? Hell, if you want, you can manually change the first one so it is always the same as the second one and then it’s just one password to memorize!

I’ve also got a nice system that I clued the others into to ease their bitching…just change one thing about the password when you have to change it (ours lets you get away with just one character changes, I realize some don’t.) For example, let’s say my password was:

BonerCity69!

After 90 days, I can just change it to:

BonerCity69!!

And then another 90 days:

BonerCity69!!!

You get the idea…just keep adding exclamation points or a random number or letter until you get to the point where you can reuse the first one and start over again.

[Guinastasia]

runner pat:

11eeeeeewwwwww!!!

Hey – how did you figure out my password?

[Dag_Otto]

runner pat:

anaamika:

you’ll not find my password list anywhere on or in my desk. L)

11eeeeeewwwwww!!!

Don’t be so shocked. Not everyone is going to pick the eye scanners over the rectal probes.

Eye scan for me, please.

[StarvingButStrong]

[quote=“Dag_Otto, post:73, topic:372151”]

runner pat:

Eye scan for me, please.

Oh, sure, be all protective of your asshole.
Wait’ll they find out in ten years that the eye scanners cause cancer of the retina.:eek:

[Mk_VII]

I had about forty in the firm I used to work for. All requiring different formats, and some went for 30 days and some 90 days and some never … Of course I wrote them down. I had a table form written out in WORD which I printed out and wrote the new ones on every month or so. Eventually I got tired of doing even that much and just stored the whole thing in the PC, after loosing the piece of paper around my desk once or twice.

[BobLibDem]

Mandatory Dilbert Cartoon Our agency requires 8+ characters, chosen from at least 3 of the following sets:
upper case
lower case
numbers
characters

The password must change every month and must not be reused within a year. I’ve seen people paste post it notes with their passwords on their PC.

I wish Windows had an option where you could tell your computer: Hey, computer! Nobody is looking over my shoulder! Go ahead and show me the password as I type it in, you don’t need to hide it from me.

[Tom_Scud]

I tend to use the first letters of an easy-to-remember phrase, with leetspeek replacements for words like “to”, “for”, etc. So “To boldly go where no man has gone before” becomes “2bgwnmhgb4” - throw in an exclamation point or capitalize something at semi-random as needed.

[Green_Bean]

As annoying as leetspeak is, we can thank it for giving us an easy way to get all those numbers and special characters into a password.

[Dag_Otto]

Mk_VII:

Eventually I got tired of doing even that much and just stored the whole thing in the PC, after loosing the piece of paper around my desk once or twice.

I resorted to storing passwords on the PC once, but I split up the information into three sections.

1. A list of the names of the system or site the password is for.
2. A list of the usernames associated with the system.
3. A list of passwords.

One of these was stored on my PC.

One was stored as a text file located on the hosted storage space from my ISP, and I could access it with a web browser. Actually, anyone could if they knew the address.

One was stored on a USB drive I carried around.

I think I might have even had a cross reference matrix, as the lists didn’t correspond one for one. System 1 might need username 6 and password 13. I suppose if I did it now I might encrypt or password protect the files or thumb drive for even more security, but the idea was that if one was compromised it wasn’t enough to access the system.