Passwords

You know, I’m really getting sick and tired of having to have a password to do damn near anything I want. Even better, is that almost all of them have to conform to a different format. So this password has to begin with a number, contain a vowel and be more than five characters long, but not more than eight characters long. Another password can be either letters or numbers, but it must be at least eight characters long. A third password must be at least six characters, contain letters and numbers, and at least one of the letters has to be capitalized. A fourth password has to be eight characters long and must contain letters and have either 42 or 53 as the fifth and sixth characters. A fifth password must be eight letters, but those letters can’t be combined in any way as to suggest any words in the English language. And on and on it goes.

So how the bloody fuck am I supposed to remember all these goddamn passwords??? I can’t! Of course, I could always write them down, but that’s a no-no, and if I lose the paper where I’ve written them all down, I’m fucked. I’m also fucked if someone finds the paper where I’ve written them all down and uses it to “steal my identity” :rolleyes:. (Take a look at the size of my bank account and you’ll quickly see that the odds of anyone wanting to steal my identity are as near as nothing as to make no odds.)

Not to mention the fact that I live alone and that no one has access to my PC. Period. Yet, I still have to jump through hoops and set up all kinds of convoluted passwords just to check my e-mail, sign on to the net, or what have you.

What’s brilliant about all of this is that at work, I have to use about six different programs, each one has a different password. Of course, management doesn’t expect us to remember all of them. Nope, we only have to remember our log-in password and our log-on ID (The password we set, it has to be changed on a monthly basis, and our log-in ID is simply our e-mail address.), if we have that, we can simply go to a page on our intra-net, type in our log-on ID along with our Social Security Number and the system will promptly display all of our passwords for us.

One day it hit me: You know, it’s pretty easy to get an employee’s SSN, I wonder if I sign on using my log-on and password, if I then go to the “Security Application Page” and type in another employee’s SSN and log-on ID, if it’ll show me their passwords? Naturally, I have to try this out. Sure enough, it spits out the passwords of the poor schmuck whose log-on ID and SSN I typed in.

For a while, I debated if I should inform management of what I’d discovered. I mean, with the information I now had, I could really get away with murder. I’m not talking about the old “Superman III,” nope, that’s small time. I could screw around with the system in such a way that before anyone had an idea of what the hell I’d been up to (never mind who I was or how I did it) I could: A.) Buy some tropical island with half naked women that doesn’t have an extradition treaty with the US and retire there at the ripe old age of thirty-five. B.) Finagle things so that I ended up owning the damn company. Or C.) Both.

Finally, my “better” nature prevailed (remind me to tell you about the time my “better” nature compelled me to return a $10,000 Rolex to its owner who hadn’t even noticed it was missing and never would have known what happened to it, if I hadn’t called him up and told him he’d lost it) and I sent an e-mail to the boss explaining to him exactly what I discovered. To date, his response has been:

(No, that’s not a mistake, I ain’t heard shit from him.)

So, apparently, the “powers that be” ain’t too fuckin’ worried about it. So why the hell should I be forced to?

.
.
.
.
.
.
.
.
.
.
.
.
.
Um, sorry, I thought you just said your company keeps a list of everyone’s passwords for them, and anyone can find out what they are by putting in your e-mail address and your SSN. But you couldn’t possibly have said that, 'cause no company in the world would be that stupid, so it must have been something else…
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Were there naked women on a desert island somewhere in there?

Half naked women, Ducky. Let’s not get too greedy. :smiley:

I keep all my passwords written in a text file, of which I have a backup, which I keep encrypted with MD5, using a single pass phrase with a rather high entropy which I am not likely to forget.

But I somehow manage to remember all my passwords anyway :smiley:

Goddamned security through obscurity, otherwise known as pretending it will go away if we ignore it (the ostrich syndrome). It’s related to false hubris: They’re too stupid to figure it out if we don’t tell them. Obviously wrong, but still the de-facto security method of the corporate world. MS security is based on obscurity, and look how good Quality Microsoft Software is at preventing script kiddies from exploiting stack overflows and the like. While Linux, which has no history of major exploits going unfixed for farging years on end, is ‘a threat to national security’ because it gives crackers a tool they don’t need (and probably couldn’t figure out how to use, most of them): The source code, which is indispensable in actually fixing the security holes.

:rolleyes:

Hell, MSFT makes my whole case for me right here: http://slashdot.org/article.pl?sid=02/05/20/2124248&tid=109

Open-Source Software is a threat to our war in Afghanistan while Microsoft code is too dangerous to be released to the public. I don’t think I could roll my eyes far enough without sending my optic nerves shooting out my nose.

Hmmm seems like you must do something about it since presumably anyone could do it. Someone could be sitting at their pc with your passwords on their screen.

With no management response one might assume that the next goal would be to inform fellow employees to pressure management, only by doing so you would know for sure that they now have access to your passwords.

Rock & hard place
Scylla & Charybdis

Just an A+ bitch of a situation. Any way to remove all your passwords?

If the company you work for has an internal audit department, go to them - in most companies they have the resources (and the “ass” as a friend calls it) to make it known and get it fixed. If you don’t have an IA department, take it to your IT department - preferably the CIO or one of his/her direct reports.

Surely no-one would be stupid enough to create an email program that automatically runs attachments.

Surely no-one would be stupid enough to use God as a password.

Surely no-one would be stupid enough to make all their employees’ passwords available to everyone.


How important are these passwords? If they’re just there to satisfy some policy, and no-one cares if you use each other’s pcs, etc, it’s not a problem, but otherwise get yours off if you can, and

a) retire to the island

b) draw bosses and/or IT’s attention to it pronto.

Don’t be tempted to have fun bringing this to people’s attention unless you are sure your company has a sense of humour.

System: please choose a password
Me: Penis
System: The password you have chosen is too short.
Me: Vagina
System: Press enter to proceed or cancel to abort.

Yep, multiple passwords can be a bitch. I try to keep work and personal passwords separate. Then go with a theme. Say, actors from a favorite movie, or items in your bedroom. Whatever, make sure it’s 6 characters, insert a number. Works for most stuff. Still I agree, it’s a pain.

I keep all of my passwords in a secure application on my PDA; secure because it’s encrypted and password protected.

A. Definitely A. C does hold some appeal but owning a company sounds like too much work.

Damn near impossible for the following reasons:

A.) Something like 50,000 or so employees have access to the same set-up as I do, and there’s no way I could inform enough of them that they’d be able to make a difference.

B.) Management’s solution would no doubt be to fire me.

C.) A significant portion of them wouldn’t be able to grasp the importance of what I’d be telling them.

How important are they? Well, not only do the programs give me access to information that would allow me to totally wreck the company’s finances, they also allow me access to important information about our customers. You know, things like their SSN, addresses, credit card numbers, checking account numbers, and other such things. So, not only could I rip off my employer for literally billions, I could also rip off millions of Americans, and get away with it. As for me getting my passwords off of there, I can’t do it. I can change some of them, but not all of them, and considering the bewildering complexity that some of the passwords have to adhere to (the examples in the OP are actual password dictates from work), I’d never be able to remember 'em all. (And yes, I have told them ways to allow employees to have secure access to the programs with no convoluted passwords and more security than they currently have. Again, the response has been silence.)

Good idea, but I’ve told one about it and he apparently doesn’t care. Assuming any of the others would, I’ve no idea as to who they are, nor how to contact them. (The place is very compartmentalized.)

Which is fine, until your PDA conks out on you. Hope you’ve got a back-up list somewhere.

…which works great until the PDA falls out of your shirt pocket into the pond while you’re feeding the ducks…

:smiley:

oops

But have you told them this outright? Sometimes it takes a knock over the head for certain managers to put two and two together and get four. Apparently all he’s coming up with is what he gave you: nothing.

Yup. I gave him the full details of what to do, and how to do it. About the only thing I haven’t done is demonstrate it for him (which would be damn near impossible since his work schedule and mine rarely overlap).

Yeah, the PDA is Hotsync’d with the PC; if it gets destroyed I just get a new one and Hotsync it and it’s all back again; the worst that could happen is that I forget the master password to unlock the secure PDA application, so I’ve written that down on a piece of paper and put it in a safe with a combination lock…

and the combination for that lock is stored on the PDA, right?

It sounds to me like management may be up to something fishy and want that system around for legal reasons.

Defense when caught stealing money or cooking the books:
“Well, through a security hole, everyone theoretically had access to everyone else’s passwords- anyone could have performed transactions logged in as me”

Sounds pretty convenient and very half-assed. That means anyone in Human Resources, the Controller, or a Manager (who has access to your personnel records) could log in as you, perform an illegal activity, and say it wasn’t them.

As a former professional geek, I smell something very fishy about that situation. No one- not even the system admin, should know your password or be able to look it up. If you forget it, they can prompt you to change it, but they should not know it. The last company I worked for had some crooked books and I intentionally made it so that I (the admin) could not access anything in the controller’s user folder or e-mail without him actually logging on to the computer- I didn’t even want the possibility of my having his password to come up in court.

Zette
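
The rule in the last post (nobody, the admin included, can look a password up; a forgotten one gets replaced, not displayed) as an added sketch that is not from the thread or from the company's system. It also ties a password change to the logged-in session rather than to a log-on ID and SSN typed into a form, which is the gap the original post describes. The class, method names, iteration count and sample accounts are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


class CredentialStore:
    """Hypothetical store: keeps salted hashes only, so there is nothing to display."""

    def __init__(self):
        self._records = {}  # login_id -> (salt, derived_key)
        self._resets = {}   # sha256(reset token) -> login_id

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _store(self, login_id, password):
        salt = secrets.token_bytes(16)
        self._records[login_id] = (salt, self._derive(password, salt))

    def change_password(self, session_user, login_id, new_password):
        # Authorize on the authenticated session, not on identifiers typed
        # into the form (a login ID and SSN are known to other people).
        if session_user != login_id:
            raise PermissionError("can only change your own password")
        self._store(login_id, new_password)

    def verify(self, login_id, password):
        # Unknown accounts still cost one derivation and always fail.
        salt, stored = self._records.get(login_id, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, self._derive(password, salt))

    def issue_reset(self, login_id):
        # Forgotten password: hand out a one-time token (sent to the owner
        # out of band) instead of showing the old password.
        token = secrets.token_urlsafe(32)
        self._resets[hashlib.sha256(token.encode()).digest()] = login_id
        return token

    def redeem_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        login_id = self._resets.pop(key, None)  # pop makes the token single-use
        if login_id is None:
            return False
        self._store(login_id, new_password)
        return True
```

The store has no method that returns a password, so a lookup page like the one in the original post has nothing to read from.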