Manager does not believe in enforcing strong passwords...

promposive

Senior member
Jun 15, 2004
912
0
71
We are developing an online web application that is accessible by anyone on the internet. It will have things such as customer information (names, phone #s, addresses, SSNs, drivers license, etc..), banking information, and eventually accepting online payments.

I recently added a feature to the software that required new accounts to use "strong" passwords by requiring it to be at least 8 characters long, 1 uppercase, 1 lowercase, 1 number, and 1 special character.

Today I was told to get rid of it by the manager because he doesn't like having strong passwords required...


What are your thoughts on forcing users of such an online system to have strong passwords?
 

nakedfrog

No Lifer
Apr 3, 2001
62,929
19,164
136
That's a great password scheme... if you want people to write their passwords down.
 

Ns1

No Lifer
Jun 17, 2001
55,420
1,600
126
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail
 

TwiceOver

Lifer
Dec 20, 2002
13,544
44
91
That's a little overboard IMO. Add some digits and I'm happy.

Also get all of this documented in emails so if something does go wrong you can say "Hey, back on mm/dd/yy I said you were an idiot".
 
Dec 26, 2007
11,782
2
76
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

Without a doubt.

There is no way around people's stupidity. Social engineering says that people will write down that password, or forget it and have to recover it every time they log in.
 

Feldenak

Lifer
Jan 31, 2003
14,090
2
81
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

8 characters is not unreasonable. Now, the 15 character passwords I'm required to use are a problem. I have to keep a list of my passwords for the different work environments on a spreadsheet here at work.
 

rivan

Diamond Member
Jul 8, 2003
9,677
3
81
Do you report to him? Do what he's telling you to do. If you feel strongly enough about it, submit an email outlining your thoughts on the matter but make it clear you're willing to do as he decides.

As for strong passwords on sites, it's your job to help the decision-maker on the project make an informed decision, not make it for them.
 

promposive

Senior member
Jun 15, 2004
912
0
71
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?
 

slsmnaz

Diamond Member
Mar 13, 2005
4,016
1
0
Based on the info you say will be available, I would try and convince him to keep it.
 

torpid

Lifer
Sep 14, 2003
11,631
11
76
That is far too stringent a policy and would lead to a lot of calls / problems because users would forget their passwords. If they didn't forget them, a lot of them will write the password down, thus making the system LESS secure overall.
 

miketheidiot

Lifer
Sep 3, 2004
11,060
1
0
Originally posted by: C0BRA99
I recently added a feature to the software that required new accounts to use "strong" passwords by requiring it to be at least 8 characters long, 1 uppercase, 1 lowercase, 1 number, and 1 special character.

That's a bit overboard.
 

Anubis

No Lifer
Aug 31, 2001
78,712
427
126
tbqhwy.com
Originally posted by: C0BRA99
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?

no

Num + letter + 6 chars min is fine; no need for special chars unless you want people to use the "I forgot my password" reset tool every single time they log in.
 

Ns1

No Lifer
Jun 17, 2001
55,420
1,600
126
Originally posted by: C0BRA99
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?

if you extend it to 8 characters =P

My company has a bullshit policy where the PW expires every 3 weeks, and you can never have identical passwords.

Guess what, everybody here writes down their goddamn password because after the umpteenth password you don't remember what the fuck it is anymore, and you don't wanna get locked out.

My ideal password is 8-12, min 1 number + 1 caps
 

nakedfrog

No Lifer
Apr 3, 2001
62,929
19,164
136
Originally posted by: C0BRA99
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?

I don't see where he mentioned length ;)

Maybe you could add code to detect brute force attacks? Doesn't seem like it would be that complicated.
 
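nakedfrog's suggestion of detecting brute-force attempts, as an added example that is not code from the thread: a sliding-window counter over constructed login events (the log format, thresholds and account names are assumptions) that flags an account once it accumulates too many failures in a short window, which is the signal a server would use to throttle or temporarily lock the account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (not from the thread): "timestamp user source_ip result"
SAMPLE_LOG = """\
2008-01-10T09:00:01 alice 203.0.113.5 FAIL
2008-01-10T09:00:03 alice 203.0.113.5 FAIL
2008-01-10T09:00:04 alice 203.0.113.5 FAIL
2008-01-10T09:00:06 alice 203.0.113.5 FAIL
2008-01-10T09:00:07 alice 203.0.113.5 FAIL
2008-01-10T09:00:09 alice 203.0.113.5 OK
2008-01-10T09:05:00 bob 198.51.100.7 FAIL
2008-01-10T09:30:00 bob 198.51.100.7 FAIL
2008-01-10T09:55:00 bob 198.51.100.7 FAIL
"""


def parse_events(text):
    """Turn the constructed log lines into (timestamp, user, ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return events


def detect_bruteforce(events, max_failures=5, window=timedelta(minutes=10)):
    """Return {user: time_flagged} for accounts that reach max_failures
    failed logins inside a sliding time window.

    A later successful login does not clear the counter: a guessing run that
    eventually succeeds is exactly the case worth alerting on. Slow, spread-out
    failures (bob below, one every 25 minutes) fall out of the window and are
    treated as ordinary forgotten-password noise rather than an attack."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = {}
    for ts, user, ip, succeeded in sorted(events):
        if succeeded:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and user not in flagged:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce(parse_events(SAMPLE_LOG)))  # alice is flagged, bob is not
```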

bignateyk

Lifer
Apr 22, 2002
11,288
7
0
You shouldn't have to do all those things. Where I work you pick 3 of the 4.

I.e.

> 8 characters, num + letter + uppercase + special character

Therefore, 123456Aa would work, or 123456A# would work or abcdefG# would work.
 
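The "pick 3 of the 4" composition rule above, next to the OP's all-four rule, as an added example that is not code from the thread: a server-side checker (the function names and the treatment of non-ASCII characters are assumptions) that returns the list of reasons a password is rejected, so the same code can express either policy by changing how many character classes it requires.

```python
import string

# The four classes the thread argues about: digits, lowercase, uppercase, special.
# Whitespace and non-ASCII characters count toward length but toward no class
# (an assumption for this example).
def character_classes(password: str) -> set:
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password(password: str, min_length: int = 8, required_classes: int = 3) -> list:
    """Return the reasons a password fails the policy; an empty list means accepted.

    required_classes=4 is the OP's original rule (all four classes);
    required_classes=3 is the 'pick 3 of the 4' rule bignateyk describes.
    Doing this on the server matters: a JavaScript checker in the browser is a
    usability aid the user can bypass, not an enforcement point."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    found = character_classes(password)
    if len(found) < required_classes:
        reasons.append("needs %d of 4 classes, has %d" % (required_classes, len(found)))
    return reasons


if __name__ == "__main__":
    for pw in ["123456Aa", "123456A#", "abcdefG#", "1aBc"]:
        print(pw, "3-of-4:", check_password(pw), "all-4:", check_password(pw, required_classes=4))
```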

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
My passwords at work have to be 15 chars long, 1 upper, 1 lower, 1 number, 1 special character. Oh, and you can never repeat a password.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Originally posted by: Feldenak
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

8 characters is not unreasonable. Now, the 15 character passwords I'm required to use are a problem. I have to keep a list of my passwords for the different work environments on a spreadsheet here at work.

I hope that this spreadsheet is secure. There *are* password managers out there that let you secure a list of passwords with a single password.
 

TallBill

Lifer
Apr 29, 2001
46,017
62
91
Way too much. 8 characters, any mix. I have so many damn passwords at work that most co-workers write them all down. I forgot two last week because I just changed them for the umpteenth time.
 

mugs

Lifer
Apr 29, 2003
48,920
46
91
As long as the password only grants access to the information for the person who created the password, then it's no big deal. You could suggest that they use a strong password, and you could include a javascript password strength checker next to the password box, but ultimately the user is responsible for the security of their own information.
 

Feldenak

Lifer
Jan 31, 2003
14,090
2
81
Originally posted by: xSauronx
Originally posted by: Feldenak
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

8 characters is not unreasonable. Now, the 15 character passwords I'm required to use are a problem. I have to keep a list of my passwords for the different work environments on a spreadsheet here at work.

I hope that this spreadsheet is secure. There *are* password managers out there that let you secure a list of passwords with a single password.

It's in my network drive so I can access it on my telework days. At least I don't need a password to log on to the system. My CAC will let me log on and get to my network drive.

Originally posted by: Codewiz
My passwords at work have to be 15 chars long, 1 upper, 1 lower, 1 number, 1 special character. Oh, and you can never repeat a password.

Gubmint?
 

Anubis

No Lifer
Aug 31, 2001
78,712
427
126
tbqhwy.com
Originally posted by: C0BRA99
This page has an interesting chart on time required to crack passwords:
http://uwadmnweb.uwyo.edu/info...security/passwords.htm

Of course the chart is based on 100,00 encryption operations per second, and that wouldn't really be an option just brute force in this case...

Maybe I will remove the special character requirement
8 Characters +upper + lower + number = 17 years

that site does not list that
8 Characters +upper + lower + number = forget password every week need to reset
 

Fingolfin269

Lifer
Feb 28, 2003
17,948
34
91
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

Exactly. We just received a notice at my company yesterday requiring exactly what is written in the OP's requirements. My first comments to some IT buddies:

I can see the headlines now:

"External Break-Ins Down!"

"3M Sees Massive Demand Spike in Sticky Notes Consumption"

**EDIT** Actually, I believe we may have to choose 3 of the 4. I still believe the above articles will apply to my work environment. We have to change our passwords frequently so I have no doubt the help desk calls will escalate once this is implemented.