It suprises me how often people forget their passwords

[corwin]

Publicly traded company?

Nope, though we are owned by Berkshire Hathaway and get to deal with some of their stupid requirements...pretty sure this is just our stupid VOIP system

 

[bignateyk]

Nope, though we are owned by Berkshire Hathaway and get to deal with some of their stupid requirements...pretty sure this is just our stupid VOIP system

Our VOIP system makes us change our VM password periodically too.

The hardest part of my job is trying to remember all the god damn passwords I need. Beyond VM and the 4 different computer networks, we have safe combinations and door combinations for every area of the building that change on a monthly basis.

 

[corwin]

Having to change your VM password is pretty retarded. There are two motivations behind forcing users to change network passwords: 1) rarely, employees may need to share their password with someone else (not saying it's okay, just saying it happens). Forcing it to be changed locks anyone with whom it's been shared out of using it again (unless they remember to just increment it by 1, of course). 2) to thwart guesses / brute-force attacks, which is stupid, since 99.9% of companies lock out the account after the third attempt.

But there's never any reason to share a VM password, and no one would ever be trying to guess it. And even if they did, voicemails don't/shouldn't contain sensitive information.

Exactly, I do have to get user passwords when building a new laptop for a remote user who won't be able to log in on the domain to setup their profile, but I always advise them to change it when they log in for the first time...and we even have a network password management system that doesn't let you just change the last character...however it's not quite smart enough to know if you just change the first one

 

[AyashiKaibutsu]

Must have 2 lower case 2 upper case 2 special characters 2 numbers in the first 10 characters must be 16 characters long must not have a recognized patterns they've thought of or anything they've decided on a special case would be unsecure. Must change every 6 months must not match any previous passwords. Yea, f password requirements.

 

[bignateyk]

Must have 2 lower case 2 upper case 2 special characters 2 numbers in the first 10 characters must be 16 characters long must not have a recognized patterns they've thought of or anything they've decided on a special case would be unsecure. Must change every 6 months must not match any previous passwords. Yea, f password requirements.

This is ours, but it changes every 2 weeks, and we have 4 different computer networks. FML

 

[IceBergSLiM]

Passwords have severely outlived their usefulness. They are a hassle and mostly useless. The password rules make them increasingly difficult for humans to remember but not much more difficult for computers to crack.

ALternatives:

Passkeys + images + patterns or biometrics.

 

[Exterous]

Work vs. non-work is entirely irrelevant

I do not subscribe to the theory that all passwords carry the same importance as your work one (which is not to say your work password is the most important password you will ever use) My password for DIYchatroom is not as important as my work or my bank or my retirement password. I will expend more effort to remember and create a password for places that carry (rightfully so) more importance in my life.

You should print a piece of paper to that effect and pin it to your cubicle. I'm sure everyone will bow in awe. Oh wait, no one gives a fuck since the topic of "passwords" is #283,845 on the list of things people give a crap about... unless you're a grumpy network admin.

Woah - easy there. You were the one who made the comment about having to use the 'forgot password funtion'. I was just responding to that. If you hadn't said that I would not have made my comment.

The funny thing is, you're railing against "users" because "it's a WORK password!", yet part of your "work" is assisting users with their passwords. If one is to be classified as failing, so must the other.

Your comparison is inaccurate. It would only be a 'failing' if I didn't assist them. I met my job responsibility by assisting them quickly and politely

Christ man, did I hit a nerve or something? You seem way more worked up over this than you should be - it certainly seems like you are much more worked up than I am. Besides its not like this is the first time in the history of man that someone has complained about some aspect of their work. Oh Lordy Lordy Lordy - someone gets annoyed about an aspect of their job! Mercy me what has the world come to??!!!!

 

[Gibson486]

sure, let me make a new password every 90 days....

that cannot be the same as the previous 6 passwords, must have numbers and letters and characters, cannot contain my name, cannot contain the previous password (so instead of test123, i cannot use test1234), oh and it has to be non vulgar.

 

[lozina]

I have 3 "levels" of passwords. I have one simple password for all my forums and minor accounts of shit that are really no consequence if someone gets it. Then I have my level 2 password for more sensitive stuff like game accounts and then finally my level 3 password for stuff like finances. But I share the same password for each level. This way its easier for me to memorize.

The dumbest thing is the forced pw change because then you are pretty much forced to write passwords down and then thats the worst security

 

[Exterous]

Any unjustifiable security requirements that obstruct this goal need to be swept aside.

Honest question: Do you think having one password that never changes and has to be 4 characters long and another one that does change and has to be 6 characters long and include two of the following: lower case, upper case, number, special characters unjustifiable?

 

[DrPizza]

itsironicthatthiseasytorememberphrase is a better password than most of the algorithms given by companies (2 numbers, upper and lower case, etc.)

I'm thankful that the login here allows 5 tries. I can't count the number of times I got it on the 4th or 5th attempt. (I've never gone over.) And, it's only a few characters beyond 10.
Also, the OP is full of it if he has different, unique passwords for every site he goes to, and changes passwords fairly regularly; yet never needs to write them down, and never forgets them.

 

[DrPizza]

Honest question: Do you think having one password that never changes and has to be 4 characters long and another one that does change and has to be 6 characters long and include two of the following: lower case, upper case, number, special characters unjustifiable?

No, I think that requirement is retarded. A 4 character password can be brute force attacked in under a second. A 6 character password, with those requirements, under a minute I believe. Unless, you lock out a user after 3 attempts, in which case, why do you bother with the constant changes of passwords and the case/special character requirement?

 

[ultimatebob]

I can remember passwords where the password rules are reasonable.... but when an admin requires a 12 character password with mixed case and numbers that needs to be reset every 30 days? Like most people, I'll write it down on a Post-It note or in a file called passwords.txt.

Congratulations, hot shot IT admin... your stupid security policy backfired, and made an even bigger security hole than what was there before.

 

[LiuKangBakinPie]

Been using Lastpass for years without problems

 

[Exterous]

Also, the OP is full of it if he has different, unique passwords for every site he goes to, and changes passwords fairly regularly; yet never needs to write them down, and never forgets them.

I never said I have different unique passwords for every site I go to, never forget them, dont write them down etc etc. I said I have never forgotten my WORK password. I'll give you that the 'way more than 2' was general but the intent was I have way more than 2 work passwords to remember.

 

[kranky]

I don't care how tough the password requirements are. Just stop making me change it! When will they learn it only weakens security because people start writing them down just to survive.

 

[Exterous]

No, I think that requirement is retarded. A 4 character password can be brute force attacked in under a second. A 6 character password, with those requirements, under a minute I believe. Unless, you lock out a user after 3 attempts, in which case, why do you bother with the constant changes of passwords and the case/special character requirement?

We have an internal only network of computers used for testing product. We hire a lot of temps for short periods of time (sometimes as little as 1 day) to deal with rapid demand changes. The 4 character PW is required for some users with certain access to prevent a temp from using the same system and quickly granting access to product/inventory information. The general thought is the chances of one of them brute forcing it is less since it is isolated from the world at large

The lockout for the network password is five attempts. I have been told that the password change was mandatory once we received a couple of government contracts - but I am hearing that third hand. I dont know if the network admin at the time just decided to do that or if that was a stipulation of the contract

Since I've started we don't have any government contracts and my boss is still on medical leave *shrug*

 

[LiuKangBakinPie]

Easy to create one that is secure

Jack be nimble, Jack be quick = JbeN#jbq1
Use an expression inspired by the name of a city:
I love Paris in the springtime = 1LpntST!
Chicago is my kind of town = C1mYK0t
Use lines from a song:
You can't always get what you want = uC4n+agwUw!

 

[Exterous]

I think you hit a nerve with most people here, because our jobs/lives are often inhibited by ridiculous yet ineffective password requirements.

So I have noticed. Although - if anything it has reinforced my belief that our requirements are not nearly as much of an inconvienence as they could be. Our users should be rejoicing that their network benefactors (some might say overloards) are so fair and just with them!

You can be as idealistic as you want ("more effort should be spent remembering work passwords"), but the fact is, many people have to remember/use 15+ passwords a day, and most of those carry asinine requirements and they require change at varying intervals.

I would have though those would make it even easier to either remember the work ones or deal with potentially less restrictive requirements

You do realize this is a DISCUSSION FORUM, right? If you bitch, people will respond and either agree or disagree. Oh Lory Lordy Lordy, can you handle that? If not, why are you posting here?

Well sure but I didn't expect such vitriol. I didn't realize password requirements generated so much hate and angst. But maybe you just hate passwords so much because it makes it harder to sabatoge the Iranian nuclear reactors?

 

[Ayrahvon]

This thread reminded me of an XKCD. http://xkcd.com/936/

 

[KeithTalent]

I keep a text file going with all of my passwords; the number of applications I use and the frequency with which I need to change the passwords for them, makes it impossible to remember.

KT

 

[bfdd]

I use like 5 bases for my password generation, I never forget them, just specifically which one I used on which site lol

 

[Jeff7]

This thread reminded me of an XKCD. http://xkcd.com/936/

Precisely.

Changing your password from hamburger to cheeseburger does not count as being more complex.

hamburger = 9 characters
cheeseburger = 12 characters

I've also switched over to that sort of thing for important passwords. It would probably take a long time for a supercomputer to crack 25+ characters, especially if they don't know the formatting of the password, or the pool of used characters is.
Maybe it's all lowercase. Or maybe it has punctuation and numbers, and if the thing supports it, special characters. Γø

As the password gets longer, the # of combinations increases exponentially. Putting special characters or other things in there means the pool of characters that must be tried is larger, which adds a lot more time to a cracking operation.

(This is assuming someone's trying to brute-force your password, and not the encryption key itself.)


In any case, I keep my passwords in a thoroughly-encrypted location.

 

[AMCRambler]

Nope. Do you really think a company who has overzealous password requirements would let you install that on a company PC? Therefore, a mobile client to facilitate cheating is required :twisted:

There are solutions out there - some free - that store your passwords in a centralized location so you can access them from a variety of clients, but then you're trusting ALL of your passwords to a single third party. That's when I put my tin foil hat on.

Password Safe doesn't require admin privileges to install. In addition you can copy the program folder and password vault file to a thumb drive, take it with you and run it on any pc you may end up using. You only have to remember one password to get in and get all your other passwords. Pain in the butt is maintaining the passwords every time they change, you need to update password safe.

 

[Fingolfin269]

We have about 8 different logins now so yeah it's annoying. That's ok though, easily solved with a sticky note!