Anyone else work in an office that requires you to reset your passwords every 60 days or sooner?


Pepsei

Lifer
Dec 14, 2001
12,895
1
0
Originally posted by: Citrix
45 days here and we require strong passwords. All I do is increment the number in my pw by 1 and I'm good to go and easily remembered.

P@$$w0rd10#
P@$$w0rd11#

yep,

mine is Nitro212, Nitro213, Nitro214...etc
 

Skeeedunt

Platinum Member
Oct 7, 2005
2,777
3
76
I never really understood the point of it. I mean, if a password is compromised, won't an attacker use it within a few days anyway? Probably more like a few minutes in most cases.

I remember reading somewhere that the origin of the 30 day reset was something along the lines of "We tested how long our mainframe took to crack a passwd file, and it was about 30 days to get the root password, so everyone should change their passwords every 30 days just in case the passwd file gets compromised at some point." (This was back in the 80's I think.)

I have no idea if it's true, and I can't find the original article, but it sounds plausible enough. Either way, I'm just not buying the idea that the huge hassle is worth the modest theoretical increase in security (this thread seems to evidence that pretty well).

That's not to say I'm against enforcing decent password requirements (upper/lower case + special character + number etc) and at least modest password segregation (same base password with a different random character at the end for different systems, just so it's not dead easy to gain access to all accounts at the same time, totally different ones for serious admin accounts etc etc).

If anyone wants to convince me otherwise, I'd like to hear it.

Anyway /mini rant
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
Originally posted by: Pepsei
Originally posted by: Citrix
45 days here and we require strong passwords. All I do is increment the number in my pw by 1 and I'm good to go and easily remembered.

P@$$w0rd10#
P@$$w0rd11#

yep,

mine is Nitro212, Nitro213, Nitro214...etc

If the admin puts a pattern filter on it, those schemes don't work.

The problem I have is like others mentioned...requiring crazy passwords and constant changes gets people to write them down. I could probably visit any 5 cubes and find a password that will get me into a privileged system in at least one.

If they really want security, require long passwords and don't make them change more than 1-2x a year or except when someone suspects a compromise.

Once your password is over 12 or so characters and not a dictionary word, they are pretty hard to beat.

Doing things like rumpl3st1ltsk1n and the like are beat as easy as rumplestiltskin today.
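
The "pattern filter" mentioned in the post above, sketched as an added example (not part of any post in this thread and not any product's actual filter). The function names, the `(salt, digest)` history layout and the sample data are assumptions; the check runs at change time, when the current password is typed in and older ones exist only as hashes.

```python
import hashlib
import hmac
import os
import re

def hash_pw(password: str, salt: bytes) -> bytes:
    # Iteration count is lowered so the demo runs quickly; not a production value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def skeleton(password: str) -> str:
    """Collapse every digit run so Nitro212 and Nitro213 compare equal."""
    return re.sub(r"\d+", "<n>", password.lower())

def numeric_neighbours(password: str, span: int = 3):
    """Yield the password with its last digit run shifted by up to +/- span."""
    runs = list(re.finditer(r"\d+", password))
    if not runs:
        return
    last = runs[-1]
    value, width = int(last.group()), len(last.group())
    for delta in range(-span, span + 1):
        if delta == 0 or value + delta < 0:
            continue
        for digits in {str(value + delta), str(value + delta).zfill(width)}:
            yield password[:last.start()] + digits + password[last.end():]

def check_change(current: str, new: str, history) -> str:
    """history is a list of (salt, digest) pairs for earlier passwords."""
    # The change form supplies the current password, so compare it directly.
    if skeleton(current) == skeleton(new):
        return "rejected: differs from current password only in digits"
    # Old passwords exist only as hashes: hash the candidate's neighbours.
    for salt, digest in history:
        for candidate in (new, *numeric_neighbours(new)):
            if hmac.compare_digest(hash_pw(candidate, salt), digest):
                return "rejected: matches or increments an earlier password"
    return "accepted"

def demo():
    # Constructed sample data using passwords quoted in the thread.
    salt = os.urandom(16)
    history = [(salt, hash_pw("Nitro212", salt))]
    return [
        check_change("P@$$w0rd10#", "P@$$w0rd11#", history),
        check_change("Summer-Rain!", "Nitro213", history),
        check_change("Summer-Rain!", "quiet amber lantern road", history),
    ]

print(demo())
```

The history check costs one hash per neighbour per stored entry, so `span` and the history depth bound the work done on each password change.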
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Skeeedunt
I never really understood the point of it. I mean, if a password is compromised, won't an attacker use it within a few days anyway? Probably more like a few minutes in most cases.

I remember reading somewhere that the origin of the 30 day reset was something along the lines of "We tested how long our mainframe took to crack a passwd file, and it was about 30 days to get the root password, so everyone should change their passwords every 30 days just in case the passwd file gets compromised at some point." (This was back in the 80's I think.)

I have no idea if it's true, and I can't find the original article, but it sounds plausible enough. Either way, I'm just not buying the idea that the huge hassle is worth the modest theoretical increase in security (this thread seems to evidence that pretty well).

That's not to say I'm against enforcing decent password requirements (upper/lower case + special character + number etc) and at least modest password segregation (same base password with a different random character at the end for different systems, just so it's not dead easy to gain access to all accounts at the same time, totally different ones for serious admin accounts etc etc).

If anyone wants to convince me otherwise, I'd like to hear it.

Anyway /mini rant

In a nutshell you have to look at what if a password is compromised. If it is, then trailing characters are easy to brute force.

Your late 80s reference is very valid. A worm got all of them, it was a big pain.

Me? I use two words, with a capital on each word and a 2 byte combination between them. I rotate the 2 byte combo. Then I store them in an excel file.
 

nageov3t

Lifer
Feb 18, 2004
42,808
83
91
not only is it super annoying, it also results in me having lame passwords.

if I'm using one password for a long time, I'll make it pretty secure... when I'm changing my password every other month, I set it to something like password123 because otherwise I'll forget it.
 

Luden

Platinum Member
Jul 15, 2001
2,269
0
0
I work in IT support and have more passwords and logins for various systems and software than I can keep up with, the only way I manage them is with KeePass.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
Originally posted by: pyonir
My last job had that. I had 5 different passwords and they all had to have a capital letter, lower case, number and special character. it sucked.

Not really. Make it so you can have a short numeric sequence at some point so every time the change comes around just increment the number part. After the 10 or so times till you can go back to a previously used password then reset your sequence.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
Originally posted by: spidey07
Originally posted by: Imp
For the past 2 summers yes. The real pisser is that they make you change the password to something different. I always get confused which one's which even when typin passwords elsewhere.

That's what excel is for. Just keep a spreadsheet of all your passwords. Change your password, update the sheet.

All I must remember is my main account pass. If I forget something else just open up the password.doc on my desktop :)
 

tfinch2

Lifer
Feb 3, 2004
22,114
1
0
I work for a large software company, and we have 1 password for EVERYTHING that we have to change every 3 months.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,601
167
111
www.slatebrookfarm.com
I have a few passwords that I use for a lot of generic things at work. The other day, one of the tech guys came up to me and said, "wow, you have a really good password. I was looking and a lot of people have passwords that would be easy to guess. Yours is really secure." To which I responded, "uhhhhhhhhhhhhhhhhh :Q if you can see the password, then anyone who hacks through to where you were can see the password. And, an unencrypted password somewhere really screws me - what if one of the high school tech students that gets hired over the summer sees the passwords... and what if, like many people, some of the staff use the same passwords here as they do for, ohhh, their credit card company, their checking account online, etc."

*sigh* At least I don't have to change my password ever. The tech guys would quickly give up on that since they'd get inundated with requests to "show me how to change my password again, please."
 

sao123

Lifer
May 27, 2002
12,653
205
106
Originally posted by: techgamer
I completely understand the security reasons behind it, but still, it's sort of annoying after a while especially if there are programs that aren't all 'timed' the same so you are resetting them every other week or so. Just venting lol.

LAN, Exchange Server, IBM 3270 Mainframe, Remedy, Intranet Apps, SAP all change every 30 days.
 

Vette73

Lifer
Jul 5, 2000
21,503
9
0
Originally posted by: DrPizza
I have a few passwords that I use for a lot of generic things at work. The other day, one of the tech guys came up to me and said, "wow, you have a really good password. I was looking and a lot of people have passwords that would be easy to guess. Yours is really secure." To which I responded, "uhhhhhhhhhhhhhhhhh :Q if you can see the password, then anyone who hacks through to where you were can see the password. And, an unencrypted password somewhere really screws me - what if one of the high school tech students that gets hired over the summer sees the passwords... and what if, like many people, some of the staff use the same passwords here as they do for, ohhh, their credit card company, their checking account online, etc."

*sigh* At least I don't have to change my password ever. The tech guys would quickly give up on that since they'd get inundated with requests to "show me how to change my password again, please."

Yeah, what's the point of a password then? Here even the system admins don't see ours and are not allowed to ask.
In fact they do tests where they will call people and say "this is the system admin, we have a problem, what's your password...". Quite a few people fall for that. Needless to say they had to be "taught" again why not to do that.

<-- works for the man, federal man... :)
 

tw1164

Diamond Member
Dec 8, 1999
3,995
0
76
I think our passwords are reset about every 45 days. I do have to use an RSA SecurID thing for one of my apps, it changes the 6 digit pin every 60 secs. I like that more than having to use "normal" passwords.
 

Jeraden

Platinum Member
Oct 9, 1999
2,518
1
76
I have a bunch like that too. I just do the increment the number at the end by 1. The most frequently changed one I'm up to password30 now. Woo! I look forward to starting a new job someday, I can start back at 1 again, lol.
 

rivan

Diamond Member
Jul 8, 2003
9,677
3
81
We've got a few logins - 4 I can think of. Two of them have syntax requirements that make you unable to choose the same passwords for them (one MUST start with a number, the other MUST NOT start with a number). They all reset on different intervals, so when I started I thought I'd be fine with two passwords, but after the first reset, I got all out of synch with them and since then I've given up trying to keep em straight.

I have 3 of the 4 written down at my desk.
 

manowar821

Diamond Member
Mar 1, 2007
6,063
0
0
Definitely an annoyance, but I also understand it. I actually force change my passwords so they all stay synchronised. I wouldn't want anyone logging into our database under my credentials and destroying all the hard work we've done. Nor would I want anyone doing something simple like logging into my workstation and loading up 20 different instances of goat.cx...

:p
 

Raduque

Lifer
Aug 22, 2004
13,140
138
106
Originally posted by: manowar821
Definitely an annoyance, but I also understand it. I actually force change my passwords so they all stay synchronised.

This is what I do. Our billing system app has (well used to, we're standardizing to a single login) 6 logins. One for the main app, and one for each billing area you need access to. That one changes every 30-45 days or so. I usually increment my password by 1 letter. If you can figure out my first 6-char string of numbers, have fun brute forcing each letter in the alphabet 26 times
 

Tobolo

Diamond Member
Aug 17, 2005
3,697
0
0
I have to change my passwords every 6 months BUT I can only use a password once every 10 changes :|
 

Caveman

Platinum Member
Nov 18, 1999
2,537
34
91
Originally posted by: FoBoT
i have just started doing patterns on the keyboard, so i don't even really know what it is


like those cheats for nintendo, pick a starting key, then do 3R, 2U, 1L, 2D , something like that


Patterns are the way to go... Little to no memorization required... And very quick to type in...
 

schmedy

Senior member
Dec 31, 1999
998
0
76
Strong Pw's here, 30 or 45 days, and non-repeating ever, sad thing is of the 10 different things I log into the rules for where symbols and numbers aren't the same so I can't even make them all the same and rotate them all at once.
 

sdifox

No Lifer
Sep 30, 2005
100,207
17,891
126
Originally posted by: techgamer
I completely understand the security reasons behind it, but still, it's sort of annoying after a while especially if there are programs that aren't all 'timed' the same so you are resetting them every other week or so. Just venting lol.

You mean there are offices that don't do this?