How do you get people to start using complex passwords?

Page 4

FoBoT

No Lifer
Apr 30, 2001
monkey muppet said the same thing, just much better. i.e. there probably isn't an answer to your question. at least not the "magic bullet" answer you are looking for. the users will either get it or not and if they don't and your reset process is such that you or some IT guy has to be involved, then you are stuck.

can you do a self service password reset? like with a hint question/passphrase to allow them to reset their own password? if not, then you are pretty much locked into the monkey muppet scenario.


good luck, i didn't mean to be so flippant, but maybe responses in the networking forum would be more pertinent
 

Phoenix86

Lifer
May 21, 2003
Originally posted by: Nik
You'll also want a default HDD image for all the boxes that includes all the software necessary for everyone's job.
That's bad advice because of licensing or $. Either you have to license every install for every piece of software (lots of wasted $), or you are violating copyrights (hello BSA).

Having the BSA in your business SUCKS, let me tell you...

 

cquark

Golden Member
Apr 4, 2004
Originally posted by: GagHalfrunt
Pretty simple method: Negative Reinforcement

Everyone is forced to use a random alphanumeric PW and everyone is fined $xxx whenever they forget it and IT has to bail them out. If people can remember phone numbers and email addresses they can remember passwords. You just need to give them an incentive to remember. A nice hefty fine for being a dimwit is plenty of incentive.

The Israeli army sent one of their officers to military prison for 2 weeks for having his laptop with secret documents stolen, as he left it out on his desk and not in the safe it was supposed to be in while he was away on field exercises.
 

Haps

Member
Nov 22, 2001
People always bitch about it here too and I would tell them it's not too hard to think of one and use it if you use a sentence. The example I usually use is "My 2 kids' names are John and Sally" = M2knaJaS

That usually works for most of them.
 

cquark

Golden Member
Apr 4, 2004
Originally posted by: Joemonkey
I know how to implement everything I need to do. My question was more of a "how do I do it in a way that the lazy bastards won't be calling me every day to reset their complex password". I assumed people here have gone through this. silverpig obviously read it correctly, as well as spidey07, Czar, Monkey muppet, and very few others

You can't eliminate the need for users to reset forgotten passwords. It's insecure to automate the process the way web servers do, as that allows an attacker to effectively force your authentication system to fall back to an easier system to break. Your mother's maiden name is not a secret, and favorite color and such are trivial to guess.

Complexity rules require 3 out of 4 items. These items are Uppercase, Lowercase, Numbers, Symbols and I CANNOT change this, it is part of Windows. There is no way I can just make it be upper and lower, or numbers and lower, etc.

There are third party password policy tools that will let you do that.


However, I think the time for complex password rules was 10 years ago. Computers have gotten faster at password guessing, while humans haven't improved their abilities to remember passwords. The time period when reusable passwords were potentially secure is over. I recommend one-time passwords or two-factor authentication schemes.
 

Munky

Diamond Member
Feb 5, 2005
Originally posted by: deathkoba
Just print it on a piece of paper and tape it to their monitor. Simple as that. Or get Macs in the office as they're far more superior when it comes to security.

LOL
 

Munky

Diamond Member
Feb 5, 2005
Originally posted by: Czar
so people know, complex passwords does not mean it's automatically generated gibberish

in windows you have 4 groups like he says
letters
capital letters
numbers
symbols

when using complex password any password used must use 3 of the 4 groups above

Yeah, that's how it's set up at my work, and I don't see a problem with that
 

Jzero

Lifer
Oct 10, 1999
Originally posted by: cquark
However, I think the time for complex password rules was 10 years ago. Computers have gotten faster at password guessing, while humans haven't improved their abilities to remember passwords. The time period when reusable passwords were potentially secure is over. I recommend one-time passwords or two-factor authentication schemes.

The thing with security is that there is no magic bullet and no impervious system. You have to implement mechanisms based on risk, cost and feasibility.

In a perfect world, everyone would have two-factor or perhaps biometrics. But in the real world, these solutions are expensive to implement, especially when you consider that, for instance, for someone running an Active Directory domain, other measures come at no additional cost. For many enterprises, they are also overkill as sufficiently complex passwords coupled with locking accounts out after a few attempts and regular changes will foil the majority of attacks. Some enterprises will have either the budget or the potential risk to justify better measures, but for a lot of us it's just not feasible so we have to fall back to the next best thing.
 

cquark

Golden Member
Apr 4, 2004
Originally posted by: Jzero
Originally posted by: cquark
However, I think the time for complex password rules was 10 years ago. Computers have gotten faster at password guessing, while humans haven't improved their abilities to remember passwords. The time period when reusable passwords were potentially secure is over. I recommend one-time passwords or two-factor authentication schemes.

The thing with security is that there is no magic bullet and no impervious system. You have to implement mechanisms based on risk, cost and feasibility.

I agree, but you have to estimate your risks correctly and people are underestimating the risk of passwords. The risk is higher than most people suspect it is, especially with the rise of password-guessing worms over the last 12 months.

The cost of alternatives to reusable passwords is cheaper than most people suspect, as there are open source one-time password systems and commonly deployed systems like ssh support key authentication in place of passwords, though the majority of people still use reusable passwords. Two-factor authentication is relatively costly, but banks are starting to move toward it, so I suspect the costs will go down due to economies of scale.
 

CVSiN

Diamond Member
Jul 19, 2004
Originally posted by: Joemonkey
I work at a law firm and currently we don't have any requirements for passwords. Also, people get up from their PC and leave for hours at a time without locking their desktop. I voiced my opinion about how much of a security risk that is and gave them examples of what people could do if they felt like being malicious.

Now, after a management meeting, they want me to turn on complexity rules. This is fine, but the people in this office are barely computer literate, and I don't think they will be able to remember an 8 character string with upper, lower, numbers, and symbols in it.

We're thinking about getting RSA ID devices for a few of the people who can't be bothered to remember such a password, but if they are using a PDA to sync their emails, they will have to type it in every time.

How do you guys do it?

We don't give them a choice... Complex passwords at Oxy are mandatory
you got it easy...
Most of us at Oxy Oil have to remember 10+ DIFFERENT complex passwords... that's the average user... don't even get me started on how many I have as an Admin =/
 

Miramonti

Lifer
Aug 26, 2000
Tell them to take their current password, which is probably their daughter's name, their zip code, or their pet's name, and add a 1 to the end of it.
 

spidey07

No Lifer
Aug 4, 2000
While we're on the topic we're seeing the classic "easy to use or secure - pick one and only one"

It's a pendulum that swings from easy to use to secure - the more secure the harder it is to use and frequently is more administratively complex.
 

BurnItDwn

Lifer
Oct 10, 1999
If I only had to remember one 8 digit password I would be in Heaven.

I currently have accounts and passwords on over 50 different boxes at work.
Thankfully, the "guardian" client has been pretty good about keeping most of my unix passwords synched up, however, I need to access about 15 different accounts on the various different boxes, as well as my own personal account across the non unix, non synched systems ... mainframes, workstations, novell, etc ...

just so much crap to remember. Ohh well .. I guess it's good for my memory at least.
 

Mo0o

Lifer
Jul 31, 2001
I know this has been mentioned but I couldn't find an answer but what about a fingerprint scanner for the more high risk computers and just give everyone else limited access?
 

EyeMWing

Banned
Jun 13, 2003
Originally posted by: Mo0o
I know this has been mentioned but I couldn't find an answer but what about a fingerprint scanner for the more high risk computers and just give everyone else limited access?

Because any halfwit kid can use a fingerprint scanner.
 

DeeKnow

Platinum Member
Jan 28, 2002
Originally posted by: deathkoba
Just print it on a piece of paper and tape it to their monitor. Simple as that. Or get Macs in the office as they're far more superior when it comes to security.


right on doc.....

Macs don't do shite for careless users... where do people pick up crap like this ??
 

Mathlete

Senior member
Aug 23, 2004
Start by having them take their current password (easy to remember) and make some of the following substitutions.

a = @
A = 4
i = ! = 1
e = 3
s = 5
l = ! = 1

and so on

this can be easy to remember and makes the password more complex
 

Spencer278

Diamond Member
Oct 11, 2002
I would like to put in a vote for not letting people get a hold of the password file. I don't know why the fools in IT expect me to cover your ass by having a stupidly long password to make up for your cracked server.

 

Kelemvor

Lifer
May 23, 2002
Normally here they just tell people to pick two words and stick a number in between and capitalize the first letter (of each word or just the first doesn't matter). Then their password can be incremented by just upping the number any time they have to change it.

Work23Boat
Work24Boat
etc.

They can pick the words so it should be easy to remember.
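The thread describes the Windows "3 of 4 character groups" complexity rule (Joemonkey, Czar) and the two-words-plus-a-number scheme above. This added example, not taken from the thread or from Windows itself, checks a candidate against that rule (with the 8-character minimum Joemonkey mentions) and additionally flags the rotation habit Kelemvor describes, where only the number changes between Work23Boat and Work24Boat, which a password-history check should catch:

```python
import re
import string

# Added example: Windows-style "3 of 4 groups" complexity check plus a
# "same words, bumped number" rotation check. MIN_LENGTH is an assumption
# taken from the 8-character requirement mentioned in the thread.
GROUPS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 8


def groups_used(password):
    """Names of the character groups present in the password, sorted."""
    chars = set(password)
    return sorted(name for name, members in GROUPS.items() if chars & members)


def meets_complexity(password, min_length=MIN_LENGTH):
    """Minimum length and characters from at least 3 of the 4 groups."""
    return len(password) >= min_length and len(groups_used(password)) >= 3


def is_trivial_rotation(new, previous):
    """True when the new password is the old one with only its digits
    changed (Work23Boat -> Work24Boat), which defeats rotation."""
    strip = lambda s: re.sub(r"\d+", "", s.lower())
    return new != previous and strip(new) == strip(previous)


def evaluate(new, previous=None):
    """Return (accepted, reasons) combining both checks."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    used = groups_used(new)
    if len(used) < 3:
        reasons.append("only %d of 4 groups used (%s)" % (len(used), ", ".join(used)))
    if previous is not None and is_trivial_rotation(new, previous):
        reasons.append("only the digits changed from the previous password")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed inputs: the passwords suggested in the thread.
    print(evaluate("M2knaJaS"))                  # accepted: 8 chars, 3 groups
    print(evaluate("Work24Boat", "Work23Boat"))  # complex, but trivial rotation
    print(evaluate("fluffy1"))                   # too short, only 2 groups
```

Note that the leetspeak substitutions suggested elsewhere in the thread (p@55w0rd) also satisfy the 3-of-4 rule, so a complexity check alone says nothing about how guessable a password is.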
 

shortylickens

No Lifer
Jul 15, 2003
+ NEW ISSUE +

First off, let me say that I am a geek, not an IT.
So I don't always understand what it's like to have to deal with customers on IT issues.
An issue I am having a difficult time understanding is going on right now at work.

We are required to use 10 character passwords with at least one each of upper, lower, number and special character.
ALL accounts lock out after 3 failed attempts.
Every month we get an email stating the IT department was able to crack about 20% of employee passwords. Then EVERYBODY has to go through and change their passwords again. This has been going on for 4 months now.

What I would like to know is how in the FVCK they can crack so many with random generators when accounts are SUPPOSED to be locked out after 3 tries?!?

I never did the math but it seems to me that with a minimum of 10 digits and about 60 characters to choose from, you get an awful lot more than 3 combinations. On average they claim to have hacked about 1/5 of our accounts each month somehow.
Is there some trick to hacking I am not aware of?
And if so, wouldn't it make more sense to address that issue instead of changing everyone's PW each month?