I can't stand these moronic password rules

kranky

Elite Member
Oct 9, 1999
21,019
156
106
Yeah, it's been discussed, I don't care. I have had it with the needlessly overdone rules for creating passwords.

Given: a strong password is reasonably secure within the firewall.
Given: if nobody outside the firewall can even access the application, the potential for brute force password guessing is a lot smaller.
Given: disabling access after too small a number of wrong entries only drives up help desk workloads.
Given: A strong, unguessable password that uses digits and special characters does not need to be changed. (OK, this is debatable)

So to the people who determine the password rules, can't you see that OVERCOMPLICATED RULES ONLY WEAKEN SECURITY!

The PC logins require 8+ characters, at least one digit, at least one special character, cannot reuse any of the last 24 passwords, good for 3 months. 3 wrong tries, you're locked out until you get IT involved.

Main corp application requires EXACTLY 8 characters with EXACTLY 1 digit and NO special characters, cannot reuse any of the last 24 passwords, good for 6 months. 3 wrong tries, you're locked out for an hour.

Just let me create a password strong enough to satisfy your overinflated sense of paranoia, please. Make the rules as complicated as you want. But then I should not need to change it, ever. Nobody will ever guess it. Nobody WANTS to guess it. Only people behind the firewall can even get to the applications anyway. They have their own access, why would they try to use mine?

Allow 10 wrong tries before disabling access. It could be 20, it won't hurt security any. Just log that there were an excessive number of wrong tries and where they originated.

And I'd love to hear the argument for how not allowing reuse of old passwords does a single thing to improve security.

You don't support single sign-on, you make people change their passwords too frequently, you make the rules too complicated, and what you get is people writing down their passwords. You ought to realize that's a symptom of a problem right there. Your wonderfully complex password scheme flushed down the toilet because practically every keyboard has a sticky note on the bottom with the written-down passwords.
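The OP's proposal in concrete form: tolerate a generous number of wrong tries, lock the account briefly once the threshold is crossed instead of routing the user to the help desk, and log how many tries there were and where they came from. This is an added example, not code from any poster or from the systems described in the thread; the log format, the 10-try threshold, the 15-minute window, the 30-minute lock and every log line are constructed values.

```python
"""Failed-login monitor along the lines the OP proposes: allow a generous number
of wrong tries, then lock the account briefly and log how many tries there were
and where they came from. Added example, not any poster's code or system; the
log format, the thresholds and every log line below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # wrong tries tolerated per account in the window
WINDOW = timedelta(minutes=15)   # sliding window the tries are counted over
LOCKOUT = timedelta(minutes=30)  # temporary lock; expires on its own, no IT call needed


class LoginMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # account -> deque of (time, source)
        self.locked_until = {}              # account -> time the lock expires
        self.alerts = []                    # what gets logged for the admins

    def record(self, when, account, result, source):
        """Feed one authentication event; returns the decision for that event."""
        if when < self.locked_until.get(account, when):
            return "LOCKED"                 # attempt during a lock: refused, not counted
        if result == "OK":
            self.failures[account].clear()  # a typo streak ends once the user gets it right
            return "OK"
        tries = self.failures[account]
        tries.append((when, source))
        while when - tries[0][0] > self.window:
            tries.popleft()                 # forget failures older than the window
        if len(tries) < self.threshold:
            return "FAIL"
        self.alerts.append({
            "account": account,
            "tries": len(tries),
            "sources": sorted({src for _, src in tries}),  # where the tries originated
            "locked_until": when + self.lockout,
        })
        self.locked_until[account] = when + self.lockout
        tries.clear()
        return "LOCKOUT"


def replay(log_text, monitor=None):
    """Run a 'timestamp account result source' log through a monitor."""
    monitor = monitor or LoginMonitor()
    decisions = []
    for line in log_text.splitlines():
        ts, account, result, source = line.split()
        decisions.append(monitor.record(datetime.fromisoformat(ts), account, result, source))
    return monitor, decisions


# Constructed sample log: asmith fat-fingers three times and gets in; jdoe is hammered
# from two internal addresses and trips the threshold on the tenth wrong try.
SAMPLE_LOG = """\
2011-03-01T09:00:01 asmith FAIL 10.1.4.22
2011-03-01T09:00:09 asmith FAIL 10.1.4.22
2011-03-01T09:00:20 asmith FAIL 10.1.4.22
2011-03-01T09:00:31 asmith OK 10.1.4.22
2011-03-01T09:05:00 jdoe FAIL 10.1.9.7
2011-03-01T09:05:30 jdoe FAIL 10.1.9.7
2011-03-01T09:06:00 jdoe FAIL 10.1.9.7
2011-03-01T09:06:30 jdoe FAIL 10.1.9.7
2011-03-01T09:07:00 jdoe FAIL 10.1.9.7
2011-03-01T09:07:30 jdoe FAIL 10.1.9.8
2011-03-01T09:08:00 jdoe FAIL 10.1.9.8
2011-03-01T09:08:30 jdoe FAIL 10.1.9.8
2011-03-01T09:09:00 jdoe FAIL 10.1.9.8
2011-03-01T09:09:30 jdoe FAIL 10.1.9.8
2011-03-01T09:09:35 jdoe FAIL 10.1.9.8
2011-03-01T09:45:00 jdoe OK 10.1.9.7
"""

if __name__ == "__main__":
    monitor, decisions = replay(SAMPLE_LOG)
    print(decisions)
    for alert in monitor.alerts:
        print("ALERT", alert)
```

The three-strikes user in the sample never reaches the threshold, which is the point: a sliding window with a higher limit separates typos from a guessing run, and the alert record carries the count and the source addresses the OP asks for.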
 

Kelvrick

Lifer
Feb 14, 2001
18,422
5
81
Reference it against the employee file and eliminate any string of 3 characters that coincides with the employee's name, birthday, social, phone number, house address, work address, and the same information for anyone else you may have on file for that employee (family, emergency contact, pet chinchilla, etc), the word "password", numbers/letters that increase incrementally, or any previous password in history.

Then say it isn't strong enough if anything hits.
 

Blackjack200

Lifer
May 28, 2007
15,995
1,688
126
I use a master password that has a trailing integer that I increment by 1 every time I'm forced to change passwords. They haven't figured out how to prevent that yet.

But I agree, if someone steals your password from a keylogger or something, it won't matter that you're going to have to change it in two weeks.
 

KMFJD

Lifer
Aug 11, 2005
32,660
52,104
136
I found a picture of the OP

crying_baby.jpg
 

NetWareHead

THAT guy
Aug 10, 2002
5,847
154
106
The reason for these "moronic" rules is because Sys Admins get the blame when "moronic" users are actually responsible for security breaches due to lax handling of passwords.

Security breaches and lapses in password security are going to occur anyway with loose or tight password policies.

At least with tight policies, the admin is seen as being proactive and when shit hits the fan, the user will get blamed for causing the security breach and the admin's ass is saved.
 

rivan

Diamond Member
Jul 8, 2003
9,677
3
81
I use a master password that has a trailing integer that I increment by 1 every time I'm forced to change passwords. They haven't figured out how to prevent that yet.

Our IT department did. These days, I make patterns on the keyboard - think QwErTy5, but with more zigs and zags, rather than a mostly straight line.

Past passwords:

Zxsaqw21
Q2w3e4r5
P0o9i8u7
 

Gibson486

Lifer
Aug 9, 2000
18,378
2
0
Yeah, I do not understand why my company is huge on this. We do engineering for water and wastewater. If someone wanted to steal the plans, they would just have to wait till we go out to bid, then the plans become public.....
 

Texashiker

Lifer
Dec 18, 2010
18,811
198
106
Unless the server has an account lockdown feature, strong password rules are mostly a waste of time. There has been article after article posted after the Gawker hack that shows that brute force programs can hack a complicated password in a matter of seconds.

Strong password - important
Account lockdown after X number of bad tries - more important

Making sure your computer is free of keyloggers or trojans - priceless
 

DaWhim

Lifer
Feb 3, 2003
12,985
1
81
That's why I use a password like Abcd1324 for my work. It expires every 60 days or so. I will just change it to 1321. It is a stupid policy. I know my coworkers just write down the password somewhere.
 

GagHalfrunt

Lifer
Apr 19, 2001
25,284
1,998
126
That's why I use a password like Abcd1324 for my work. It expires every 60 days or so. I will just change it to 1321. It is a stupid policy. I know my coworkers just write down the password somewhere.

Which is what makes arcane password rules counter-productive. Anything that forces a user to write it down to remember it is far more vulnerable to being found out.
 

PingSpike

Lifer
Feb 25, 2004
21,758
603
126
I'm taking that increment by 1 tip. I just can't think up different leet speak bullshit for a password every 60 days...that I will remember tomorrow. I've run out of all my go-to ones so I've started to...write them down, which defeats the whole purpose.
 

Saint Nick

Lifer
Jan 21, 2005
17,722
6
81
My passwords are typically foods.

"pickles"
"yogurt"
"pancakes"
"bananas"
"bagels"

etc. etc.
 

trmiv

Lifer
Oct 10, 1999
14,670
18
81
I'm a sys admin and I have to say that you are completely and totally.....................























correct. A certain level of password security is definitely needed, but it has to be reasonable. The more strict the rules are the more you find people writing their passwords down on slips of paper on their desk, keyboard, monitor, etc. I came from desktop support before I was a sys admin and it was unreal the amount of people I assisted who had their passwords plastered on their desk.
 

911paramedic

Diamond Member
Jan 7, 2002
9,448
1
76
Our IT department did. These days, I make patterns on the keyboard - think QwErTy5, but with more zigs and zags, rather than a mostly straight line.

Past passwords:

Zxsaqw21
Q2w3e4r5
P0o9i8u7

Who else looked at their keyboard? Come on, fess up. :sneaky:
 

dabuddha

Lifer
Apr 10, 2000
19,579
17
81
Password rules tend to be stupid. At my workplace, people are now writing down their passwords because there are too many to memorize and they all have different rules.
 

Terzo

Platinum Member
Dec 13, 2005
2,589
27
91
OP, I agree with you so much. I also hate that it seems like *everything* requires an account and password. I won't order online unless it's from Amazon, it lets me check out as a guest, or it lets me use Google Checkout. Oh, Newegg too. Besides those, I'll be damned if I'm going to add another username and password to the mix.

I was actually really annoyed when I ordered my safety razor from Lee's razors last year. I made a phone order so I wouldn't have to deal with an account...and then in my email confirmation I was notified that my account had been created, giving me a user name and generic password. Not like it matters since I highly doubt I'll ever order from there again, but it still seemed stupid.

Our IT department did. These days, I make patterns on the keyboard - think QwErTy5, but with more zigs and zags, rather than a mostly straight line.

Past passwords:

Zxsaqw21
Q2w3e4r5
P0o9i8u7

That's a really great idea. I'm going to use it next time I have to make some ludicrous password.
 

mb

Lifer
Jun 27, 2004
10,233
2
71
I hate them too and I have to have a different password for so many things. Some expire after 90 days and some every 30 (!!!!) days. It's gotten to the point that I write them down on sticky notes now.
 

Skitzer

Diamond Member
Mar 20, 2000
4,414
3
81
Password rules tend to be stupid. At my workplace, people are now writing down their passwords because there are too many to memorize and they all have different rules.

I have all of mine written down on a slip of paper in the left hand drawer of my desk. I have 4 passwords that I need to remember and they change every quarter. All must be eight characters and must contain one numeral and one capital letter. Such a PITA, and just as I get them memorized it's time to change them again.
Sorry for the whiny rant, but like the OP I find it stupid and not needed.
 

ChAoTiCpInOy

Diamond Member
Jun 24, 2006
6,442
1
81
A good way to have a secure password is making it extremely complicated and then writing it down and putting it in a safe place (i.e. locked up, away from the computer). If they need to be changed every so often, all you have to do is append a number and increment it each time.
 

Spoooon

Lifer
Mar 3, 2000
11,563
203
106
At my work place, we don't pick our own, they get picked for us. :)

I imagine if you were to look on the monitors or in the desks of most of the offices, you'd find a post-it with a bizarre string of 8 characters.
 

Lifted

Diamond Member
Nov 30, 2004
5,748
2
0
1) We wish we could stop calling them passwords and start calling them passphrases.

2) This overly complex password issue that you describe is still vulnerable to keyloggers, as you noted.

The only method for removing keyloggers (and similar snooping) from the equation is two-factor authentication (RSA). Most companies don't want to spend the time & money to deploy such a solution, so they simply make the passwords overly complex and require changing them so often that the employees and helpdesk get frustrated.

These companies lack competent IT leadership. Chop off the fail at the head.
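To put numbers on the two policies the OP quotes and on Lifted's passphrase point: the keyspace, in bits, that each rule leaves when the password is drawn uniformly at random from everything the rule allows. That is the ceiling a rule permits, not what people actually pick, which is the whole thread. This is an added example, not from any poster; the alphabet sizes (52 letters, 10 digits, 33 other printable ASCII symbols), the 7776-word list, and reading "exactly one digit" as a digit in any one position are assumptions.

```python
"""How much keyspace each policy in this thread leaves, assuming the password is
drawn uniformly at random from everything the rule allows. Added example, not
from any poster: the alphabet sizes and the 7776-word list are assumptions, and
"exactly one digit" is read as a digit in any one of the positions."""
from math import comb, log2

LETTERS, DIGITS, SPECIALS = 52, 10, 33   # printable ASCII minus space
FULL = LETTERS + DIGITS + SPECIALS       # 95 symbols


def exactly_one_digit_no_specials(length):
    """Main corp app: exactly `length` characters, exactly one digit, no specials."""
    return comb(length, 1) * DIGITS * LETTERS ** (length - 1)


def at_least_one_digit_and_special(length):
    """PC login at its minimum length: at least one digit and one special,
    counted by inclusion-exclusion over the full alphabet."""
    return (FULL ** length
            - (FULL - DIGITS) ** length      # strings with no digit
            - (FULL - SPECIALS) ** length    # strings with no special
            + LETTERS ** length)             # strings with neither (subtracted twice above)


def unconstrained(length, alphabet=FULL):
    """No composition rule at all: any `length` printable characters."""
    return alphabet ** length


def passphrase(words, wordlist=7776):
    """Lifted's point: `words` words drawn from a 7776-word (diceware-style) list."""
    return wordlist ** words


def bits(keyspace):
    """Entropy of a uniform draw from `keyspace` possibilities."""
    return log2(keyspace)


def compare():
    """Bits of keyspace for each policy discussed in the thread, at 8 characters."""
    return {
        "corp app: exactly 8, exactly 1 digit, no specials": bits(exactly_one_digit_no_specials(8)),
        "PC login: 8 chars, >=1 digit, >=1 special": bits(at_least_one_digit_and_special(8)),
        "8 printable chars, no rules": bits(unconstrained(8)),
        "4-word passphrase": bits(passphrase(4)),
        "5-word passphrase": bits(passphrase(5)),
    }


if __name__ == "__main__":
    for name, b in compare().items():
        print(f"{b:6.2f} bits  {name}")
```

The "at least one" rule costs under a bit against rules-free 8-character passwords, while "exactly 8, exactly one digit, no specials" gives up about 6 bits, roughly an 80-fold smaller search space, which is the OP's point about over-specified rules. A four-word passphrase matches the PC policy at its minimum length and a fifth word beats it by a wide margin, without any of the composition rules that send people to sticky notes.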