
The Off Topic Topic

Started by Korea, March 10, 2009, 06:24:26 AM


derspiess

Quote from: Grey Fox on March 01, 2013, 11:25:02 AM
Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

It's a pain, for sure.  But data security is a huge priority where I work given the nature of the data we process and it's required for certain certifications we hold, so I can't argue.  They give us an easy-to-use password management application and it's not too painful to get help resetting your password if you get locked out.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

MadImmortalMan

Quote from: Grey Fox on March 01, 2013, 11:25:02 AM

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yep, that's the catch-22 with password restrictions. Too strict and it actually makes security worse.
"Stability is destabilizing." --Hyman Minsky

"Complacency can be a self-denying prophecy."
"We have nothing to fear but lack of fear itself." --Larry Summers

derspiess

Quote from: MadImmortalMan on March 01, 2013, 12:05:57 PM
Quote from: Grey Fox on March 01, 2013, 11:25:02 AM

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yep, that's the catch-22 with password restrictions. Too strict and it actually makes security worse.

Disagree-- people can actually adapt to it once they stop whining.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

garbon

Quote from: derspiess on March 01, 2013, 12:08:08 PM
Quote from: MadImmortalMan on March 01, 2013, 12:05:57 PM
Quote from: Grey Fox on March 01, 2013, 11:25:02 AM

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yep, that's the catch-22 with password restrictions. Too strict and it actually makes security worse.

Disagree-- people can actually adapt to it once they stop whining.

Disagree. At my last job, where we had a flurry of passwords for different systems that were often changing, most employees were often writing down their passwords or had a text file on their desktop.

For most of the systems, you could use the forgot-password function, which is what I used most of the time. :D
"I've never been quite sure what the point of a eunuch is, if truth be told. It seems to me they're only men with the useful bits cut off."
I drank because I wanted to drown my sorrows, but now the damned things have learned to swim.

DGuller

Quote from: Neil on March 01, 2013, 11:36:35 AM
Quote from: Grey Fox on March 01, 2013, 11:25:02 AM
Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.
Yeah, overdoing it on password security is actually counterproductive.
Agreed, I've had the same thought every time I had to remember what my new password was one day after resetting it.  I'm sure everyone has a system for coming up with the new version of the password, which is a very bad thing for security.

DGuller

Quote from: derspiess on March 01, 2013, 11:21:20 AM
I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.
If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

derspiess

Amateurs.  There are several password tools available where you can securely store and retrieve passwords.  No excuse for writing it down on a post-it and leaving it on your monitor.

Again, once people stop whining about it they can adjust.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

derspiess

Quote from: DGuller on March 01, 2013, 12:28:23 PM
Quote from: derspiess on March 01, 2013, 11:21:20 AM
I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.
If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

Incorrect.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

DGuller

Quote from: derspiess on March 01, 2013, 12:29:34 PM
Amateurs.  There are several password tools available where you can securely store and retrieve passwords.  No excuse for writing it down on a post-it and leaving it on your monitor.

Again, once people stop whining about it they can adjust.
My workplace had that system for many years.  Of course I've adjusted, but not in ways that enhance the company's security.  I would imagine that my passwords are easy to guess, even with the special characters, because I have to be able to remember the new version of them every month.  If I didn't have to change the password constantly, I could use some ungodly mess of special characters that would be much more difficult to crack.

DGuller

Quote from: derspiess on March 01, 2013, 12:30:11 PM
Quote from: DGuller on March 01, 2013, 12:28:23 PM
Quote from: derspiess on March 01, 2013, 11:21:20 AM
I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.
If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

Incorrect.
Which part?

Grey Fox

Quote from: derspiess on March 01, 2013, 11:58:42 AM
Quote from: Grey Fox on March 01, 2013, 11:25:02 AM
Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

It's a pain, for sure.  But data security is a huge priority where I work given the nature of the data we process and it's required for certain certifications we hold, so I can't argue.  They give us an easy-to-use password management application and it's not too painful to get help resetting your password if you get locked out.

Half my work is under ITAR. What do you think security is like?
Colonel Caliga is Awesome.

Ed Anger

Shitty. Like at most places.
Stay Alive...Let the Man Drive

derspiess

Quote from: DGuller on March 01, 2013, 12:35:45 PM
Quote from: derspiess on March 01, 2013, 12:30:11 PM
Quote from: DGuller on March 01, 2013, 12:28:23 PM
Quote from: derspiess on March 01, 2013, 11:21:20 AM
I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.
If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

Incorrect.
Which part?

That it's likely storing passwords unencrypted if it's able to compare.  No way we'd pass the multiple audits we endure if that were the case.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall
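The disagreement above (whether a "too close to your old password" rejection means the system keeps plaintext) turns on one detail of how a password change works: at change time the user submits the old password in the clear, so the server can compare old and new right then, and the history can be kept as salted hashes and checked by re-hashing the candidate against each stored entry. The following is an added illustration of that, not code from the thread or from anyone's employer. The `PasswordStore` class, the history depth of 5, the minimum edit distance of 4 and the PBKDF2 work factor are assumptions chosen for the example.

```python
"""Password-history and similarity checks without storing plaintext passwords.

Added example (not from the forum thread). Policy numbers below are assumptions.
"""
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 5        # assumption: remember the last five passwords
MIN_DISTANCE = 4         # assumption: reject new passwords within 3 edits of the old one
PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, tune for production


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize(password: str) -> str:
    """Canonical form: lower-case with trailing digits stripped.

    Hashing this form alongside the real hash lets the server catch
    'iluvmilfs6' -> 'iluvmilfs7' rotations without keeping plaintext.
    """
    return re.sub(r"\d+$", "", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordStore:
    """Per-user list of hashed records; index 0 is the current password."""

    def __init__(self) -> None:
        self.users: dict[str, list[dict]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        rec = {
            "salt": salt,
            "hash": _hash(password, salt),
            "norm": _hash(_normalize(password), salt),
        }
        # Newest first; drop anything beyond the history depth.
        self.users[user] = ([rec] + self.users.get(user, []))[:HISTORY_DEPTH]

    def verify(self, user: str, password: str) -> bool:
        recs = self.users.get(user)
        if not recs:
            return False
        cur = recs[0]
        return hmac.compare_digest(_hash(password, cur["salt"]), cur["hash"])

    def change_password(self, user: str, old: str, new: str) -> tuple[bool, str]:
        """Returns (accepted, reason). All comparisons are against hashes or
        against the old password the user has just supplied in plaintext."""
        if not self.verify(user, old):
            return False, "old password incorrect"
        for rec in self.users[user]:
            # Exact reuse: re-hash the candidate with that entry's salt.
            if hmac.compare_digest(_hash(new, rec["salt"]), rec["hash"]):
                return False, "password exists in user history"
            # Cosmetic rotation: same normalized form as an old password.
            if hmac.compare_digest(_hash(_normalize(new), rec["salt"]), rec["norm"]):
                return False, "differs from a previous password only by case or trailing digits"
        # Both strings are in hand right now, so a real similarity check is possible.
        if edit_distance(old, new) < MIN_DISTANCE:
            return False, "too similar to the current password"
        self.set_password(user, new)
        return True, "ok"


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "iluvmilfs6")           # constructed sample account
    for candidate in ("iluvmilfs7", "Iluvmilfs6!", "correct horse battery staple"):
        print(candidate, "->", store.change_password("alice", "iluvmilfs6", candidate))
```

The trade-off worth knowing before copying this pattern: the stored hash of the normalized form is a hash of a lower-entropy string, so it is marginally easier to crack than the real hash, and a password made only of digits normalizes to the empty string. The edit-distance check has no such cost because it uses the old password only for the duration of the change request and never stores it.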

Grey Fox

Quote from: derspiess on March 01, 2013, 12:29:34 PM
Amateurs.  There are several password tools available where you can securely store and retrieve passwords.  No excuse for writing it down on a post-it and leaving it on your monitor.

Again, once people stop whining about it they can adjust.

That's barely any better than writing it down on a post-it affixed to your monitor. One more database for the Chinese to hack.
Colonel Caliga is Awesome.

Ed Anger

I keep my password list up my rectum. Hack that, China.
Stay Alive...Let the Man Drive