How do you get people to start using complex password?


Kelemvor

Lifer
May 23, 2002
16,928
8
81
Just give them all the same temporary password of "Pa55word". That's what our company did when we did an email migration and probably 90% of the people still use it.
 

JoeKing

Lifer
Oct 9, 1999
10,641
1
81
Originally posted by: Joemonkey
Originally posted by: Monkey muppet
Originally posted by: Joemonkey
Originally posted by: JoeKing
Originally posted by: Jzero
Originally posted by: JoeKing
Tell them to write out the phrase they want ahead of time, and to give you a copy.

Why would you want a copy?

for when the inevitable idiot forgets to capitalize a name or something.

why wouldn't you just reset it to something and make them change it at next login?

edited to account for JoeKings post before mine :)

Joemonkey's you mean ;)

I think there's too many Js, monkeys, and joes in this thread. :p
 

Monkey muppet

Golden Member
Sep 28, 2004
1,241
0
0
Originally posted by: Jzero

If they forget their password, they have to come to the help desk and put in a new one. Remote users will need a manager to vouch for them. They get a temporary password that must be changed immediately.

You maintaining a record of everyone's password is generally a Bad Idea. Someone could compromise that file or it could be misused, or someone could call you up and say "Hi this is Sally in accounting. I forgot my password...could you give it to me again?" except it's not actually Sally, it's Tonya from the mailroom who got fired last week and is looking for revenge.

Sounds like a similar thing I'm thinking. For password resets, how do we know they are who they say they are (yet another code, password, passkey for them to forget?)
 

jjones

Lifer
Oct 9, 2001
15,424
2
0
I think you are approaching this the wrong way. Why not use their existing, easy-to-remember password and modify it? This works well for me.

For example, if my favorite password is scrapdog, then give me a choice telling me that at least one letter has to be upper case, at least one letter has to be lower case, and then somewhere I have to have either my favorite number or my favorite symbol.

If my favorite number is 1024, I could have a password like Scrap1024Dog, or Scrapdog1024, or 10ScrapdoG24.

If my favorite symbol is the #, then I could have #ScrapdoG#, scrap#Dog etc.

This is not the greatest, but it meets the requirements of complexity and it's much easier for them to remember a modification of an existing favorite password than something entirely new and that makes no sense to them.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Monkey muppet
Originally posted by: Jzero

If they forget their password, they have to come to the help desk and put in a new one. Remote users will need a manager to vouch for them. They get a temporary password that must be changed immediately.

You maintaining a record of everyone's password is generally a Bad Idea. Someone could compromise that file or it could be misused, or someone could call you up and say "Hi this is Sally in accounting. I forgot my password...could you give it to me again?" except it's not actually Sally, it's Tonya from the mailroom who got fired last week and is looking for revenge.

Sounds like a similar thing I'm thinking. For password resets, how do we know they are who they say they are (yet another code, password, passkey for them to forget?)

Normally there is a challenge/response kind of dialogue like "last four digits of social, month of birthday, etc."

That's enough to keep auditors happy and provides simple one factor authentication.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: jjones
I think you are approaching this the wrong way. Why not use their existing, easy-to-remember password and modify it? This works well for me.

For example, if my favorite password is scrapdog, then give me a choice telling me that at least one letter has to be upper case, at least one letter has to be lower case, and then somewhere I have to have either my favorite number or my favorite symbol.

If my favorite number is 1024, I could have a password like Scrap1024Dog, or Scrapdog1024, or 10ScrapdoG24.

If my favorite symbol is the #, then I could have #ScrapdoG#, scrap#Dog etc.

This is not the greatest, but it meets the requirements of complexity and it's much easier for them to remember a modification of an existing favorite password than something entirely new and that makes no sense to them.

That would be OK I suppose, but I'm not sure how many old passwords we are going to have it set to remember either. If we have it set to remember the last 60 passwords, this would not work. Also remember, this is to increase security; randomness makes things more secure.
 

Injury

Lifer
Jul 19, 2004
13,066
2
81
Haven't read many of the replies, but what you need to do is to turn on screensavers after about 5-10 minutes that require passwords on exit from the screensaver. That will stop the problem with them walking away, I think.

Additionally, you can give them suggestions on complex passwords in a printed note (so no "hackers" learn to try these examples). You can give examples like... your college and the year you graduated (UCLA1976), the year you were married and the name of your spouse (1980laura), or get even more complex and say your favorite car (2000bmwz3) or even snippets of their address (beverlyhills90210 or 1393rodeodrive).


The idea here is to realize that your employers want something to happen, and it's your job to make it happen. It's not your job to aid people in helping them break/bend policy and be lazy.
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
Originally posted by: deathkoba
Just print it on a piece of paper and tape it to their monitor. Simple as that. Or get Macs in the office as they're far superior when it comes to security.

yes, stickies with the password written on them seem to work fine for us, it's cheap and easy. that post-it note glue never messes up the monitor, even if they put it right onto the screen
 

alent1234

Diamond Member
Dec 15, 2002
3,915
0
0
Originally posted by: Joemonkey
I work at a law firm and currently we don't have any requirements for passwords. Also, people get up from their PC and leave for hours at a time without locking their desktop. I voiced my opinion about how much of a security risk that is and gave them examples of what people could do if they felt like being malicious.

Now, after a management meeting, they want me to turn on complexity rules. This is fine, but the people in this office are barely computer literate, and I don't think they will be able to remember an 8-character string with upper, lower, numbers, and symbols in it.

We're thinking about getting RSA ID devices for a few of the people who can't be bothered to remember such a password, but if they are using a PDA to sync their emails, they will have to type it in every time.

How do you guys do it?

this is way too much

if you are going to use complex passwords then require only letters and numbers. If you start having people try to remember an 8-character password with letters, numbers, different cases and special symbols then they will simply write it on a piece of paper and tape it under their keyboard.

My last job they used to change passwords every 6 months and it was a completely random password that no human being could possibly remember because the people had to remember 3 crazy complex passwords there.

I use complex passwords that are numerical designations of different army units that I have been in. There is no dictionary attack that can possibly crack them and they are easy to remember. For admin passwords we use NYC street names with numbers in them. Easy to remember after a few days of typing them in.


another thing you can do is set up a 5-minute lockout after 3 bad login attempts. Easiest way to defeat a brute force attack.
 

GagHalfrunt

Lifer
Apr 19, 2001
25,284
1,998
126
Pretty simple method: Negative Reinforcement

Everyone is forced to use a random alphanumeric PW and everyone is fined $xxx whenever they forget it and IT has to bail them out. If people can remember phone numbers and email addresses they can remember passwords. You just need to give them an incentive to remember. A nice hefty fine for being a dimwit is plenty of incentive.
 

silverpig

Lifer
Jul 29, 2001
27,703
12
81
Tell them to make up a passphrase. Say their old password was the person's husband's name, Jim. Tell them to make a sentence out of it and put a number between each word.

jim2is3a4lazy5bastard

That's plenty complex and really easy to remember :)
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
just to be clear, this got changed because YOU brought it up, but YOU didn't have a plan on how to IMPLEMENT it ?

sounds like you stuck your foot into it, good luck on that
 

Anghang

Platinum Member
Apr 30, 2001
2,853
0
71
get upper management approval to make it company policy
then give user awareness training on general information security (including the use of complex passwords)
make sure to convey that security is everyone's responsibility
then post security awareness notices around the office

if all else fails, get a pentest done and make a company-wide example of the weakest link (the weakest password that led to compromise) ;)
 

Rogue

Banned
Jan 28, 2000
5,774
0
0
This is absurd to be honest. Now maybe I've always taken security a bit more seriously than most, but I remember several dozen complex passwords that I use on a daily basis just fine. Most of them are 14 characters long and contain every type of character you can use on a QWERTY keyboard. I've found though that I cannot remember one until I enter it several times first, but after that it's easy. I can't believe there are so many people coming in here stating that their organization doesn't do these simple things. I assumed that strong passwords were the de facto standard across nearly all organizations today, especially those that deal with important data (law firms, financial firms, etc.). This is extremely troubling to me to be honest. I guess I really, REALLY need to get off my ass, get some certifications done and start doing consulting on stuff like this because there's obviously a huge market out there for the taking.

As to my answer, the $50 bill recommendation was spot on. You have to get them to understand the ramifications of NOT protecting the data and you have to do it in a shocking and very realistic manner. You may even have to make some people very angry to prove the point, but I would think in a law firm that they would at least understand the importance of privacy, and privacy is one of the cornerstones of security. With the advent of Sarbanes-Oxley, the controls that businesses must place on their data are immense and I would think that a law firm of all places would have some insight into that governance.

I also have to question your insistence on telling management something needs to be done without having a plan to lay out to them. Bad stuff to do, especially in a larger, more structured organization. Always, always, always, go in with a plan, even if it's rudimentary and simple, as long as it gives them the full spectrum of what you're wanting to see and what's going to be affected.

In short, you'll simply have to implement and monitor your users to ensure that they are NOT placing their passwords in locations that are easily accessible. A morning walk-through of their work areas before they get into work may be in order. Collect up any of them that you find and report to management as necessary. Make liberal use of e-mail communications to provide them with acceptable methods of password control. Simply put, if they don't want to remember something as simple as 8 random characters, they must not care much for their job or their clients, and it's really that simple. That has to be made clear also: the passwords are not for them, but for the business and their clients, because ultimately that's what the passwords are for.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
OK, this thread has gone to hell from people either misreading my post and/or not reading any replies. Let me put it this way:

I know how to implement everything I need to do. My question was more of a "how do I do it in a way that the lazy bastards won't be calling me every day to reset their complex password". I assumed people here have gone through this. silverpig obviously read it correctly, as well as spidey07, Czar, Monkey muppet, and very few others.

Biometrics are not an option due to Citrix connections from all over the place and PDAs synching to our Exchange server

Complexity rules require 3 out of 4 items. These items are Uppercase, Lowercase, Numbers, Symbols and I CANNOT change this, it is part of Windows. There is no way I can just make it be upper and lower, or numbers and lower, etc.

It's like I asked how long to put a grilled cheese on each side and people are telling me what kind of stove to get and where to buy the bread from...
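Joemonkey's "3 out of 4" rule, as an added example that is not from anyone in this thread: a small Python checker that applies it, plus his 8-character minimum, to the passwords suggested on this page. The account-name and password-history checks are assumptions modelled on the Windows policy's account-name rule and the "remember the last N passwords" setting he mentions.

```python
import re

# Character classes from the thread's description of the Windows complexity
# policy: uppercase, lowercase, digits, symbols (anything else).
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def categories_present(password: str) -> set:
    """Return the names of the character classes found in the password."""
    return {name for name, rx in CATEGORIES.items() if rx.search(password)}


def meets_complexity(password: str, username: str = "", min_length: int = 8,
                     history: tuple = ()) -> tuple:
    """Check a candidate against the policy the thread discusses.

    Returns (ok, reasons). 3-of-4 classes and the 8-character minimum are
    what the thread states; the username and history checks are assumptions
    (Windows rejects passwords containing the account name, and the domain
    can be set to remember the last N passwords).
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    found = categories_present(password)
    if len(found) < 3:
        missing = ", ".join(sorted(set(CATEGORIES) - found))
        reasons.append(f"only {len(found)} of 4 classes (missing: {missing})")
    if len(username) > 2 and username.lower() in password.lower():
        reasons.append("contains the account name")
    if password in history:
        reasons.append("reused from password history")
    return (not reasons, reasons)


# Constructed test data: candidates suggested earlier in this thread.
THREAD_EXAMPLES = {
    "Pa55word": True,                # passes 3-of-4, yet everyone kept it
    "Scrap1024Dog": True,
    "#ScrapdoG#": True,
    "jim2is3a4lazy5bastard": False,  # lower + digits only
    "UCLA1976": False,               # upper + digits only
    "beverlyhills90210": False,      # lower + digits only
}

if __name__ == "__main__":
    for pw, expected in THREAD_EXAMPLES.items():
        ok, why = meets_complexity(pw)
        print(f"{pw:24} {'PASS' if ok else 'FAIL'} {'; '.join(why)}")
        assert ok == expected
```

Note that several of the thread's "easy to remember" suggestions (the passphrase-with-digits trick, UCLA1976, the address snippets) hit only two classes and would be rejected outright by the policy Joemonkey describes; "Pa55word" passes it, which shows what the rule does and does not measure.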
 

Jzero

Lifer
Oct 10, 1999
18,834
1
0
Originally posted by: Joemonkey
It's like I asked how long to put a grilled cheese on each side and people are telling me what kind of stove to get and where to buy the bread from...

This is standard operating procedure for ATOT.
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
i just had a random thought, what if you just expire everyone's password every day? so they all have to change them every day, that way they won't have to remember it for very long, it might be easier to remember it for just a few hours at a time
 

Monkey muppet

Golden Member
Sep 28, 2004
1,241
0
0
Question for Joemonkey:

You want to roll out a complex password to increase security, but don't want the extra phone calls asking for PW resets??

I know I've not been that helpful, sarcastic comments with a few humorous links. The problem you are going to face is not a nice one. More 'IT' to learn = more phone calls.

end users really do not give two hoots about network security. If this were me I would give lots of notice that security is going to be tightened, take the opportunity (since you have management support) to make security a mini project. Start little seminars, meetings, give examples. Play your cards right and get yourself a little helpdesk monkey during the rollout period and keep them on for a month after the rollout to take the initial extra calls. Make it known that you don't take sh1t from people forgetting their password. What is your network security policy - does it contain disciplinary actions??

Set up a call logging system (if one isn't already being used), a bit of trend analysis, voilà: a list of the top five offenders. hmmm.....I wonder who would want this???

Users are lazy - FACT!!

Net Administrators are lazy - FACT!!

(in case this offends anyone, I'm basing this on what I've been taught. "What makes a good Net Admin is the ability to increase your deck chair time." In other words, set everything up correctly so nothing interrupts your 9-5 to catch up on your sleep time.)

Going off your question slightly: I have recently been involved in something similar. Number one priority is to make your presence known and to inform the users what can happen if they don't play by your rules. Make it known that you are always there and watching. It's very surprising what a huge difference to the reduction in calls a few simple steps make:

Logon scripts with a security warning; "do not give your password out to anyone, etc, etc"

Auto-reply emails to the "tech support" mailbox: "thank you, I have received your email, I'll contact you shortly, message of the day: xxx x xxxxx x x "

Remote Citrix users, notice of the day: "listen to me.....hahaahaha!!!!"

Set up a little intranet page: "I'm watching you...don't f'ing remember security, or I'll own your soul"

 

NikPreviousAcct

No Lifer
Aug 15, 2000
52,763
1
0
The only true way to force folks to use secure passwords is to change the system so that the system they're logging into requires them. You'll also want a default HDD image for all the boxes that includes all the software necessary for everyone's job. Then you set different user right levels and assign different programs to those user levels. Then you create individual users for everybody there and assign them to the appropriate user levels. Then deploy the images to all the systems. In the image, you specify that a system will lock itself if not touched for X-number of minutes and make sure that nobody but the administrator has rights to change that on any of the systems.

It's just a start, but it'll get you one step closer to a secure place of business.