
Manager does not believe in enforcing strong passwords...

We are developing an online web application that is accessible by anyone on the internet. It will have things such as customer information (names, phone #s, addresses, SSNs, drivers license, etc..), banking information, and eventually accepting online payments.

I recently added a feature to the software that required new accounts to use "strong" passwords by requiring it to be at least 8 characters long, 1 uppercase, 1 lowercase, 1 number, and 1 special character.

Today I was told to get rid of it by the manager because he doesn't like having strong passwords required...


What are your thoughts on forcing users of such an online system to have strong passwords?
 
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail
 
That's a little overboard IMO. Add some digits and I'm happy.

Also get all of this documented in emails so if something does go wrong you can say "Hey, back on mm/dd/yy I said you were an idiot".
 
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

Without a doubt.

There is no way around people's stupidity. Social engineering says that people will write down that password, or forget it and have to recover it every time they log in.
 
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

8 characters is not unreasonable. Now, the 15 character passwords I'm required to use are a problem. I have to keep a list of my passwords for the different work environments on a spreadsheet here at work.
 
Do you report to him? Do what he's telling you to do. If you feel strongly enough about it, submit an email outlining your thoughts on the matter but make it clear you're willing to do as he decides.

As for strong passwords on sites, it's your job to help the decision-maker on the project make an informed decision, not make it for them.
 
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?
 
That is far too stringent a policy and would lead to a lot of calls / problems because users would forget their passwords. If they didn't forget them, a lot of them will write the password down, thus making the system LESS secure overall.
 
Originally posted by: C0BRA99
I recently added a feature to the software that required new accounts to use "strong" passwords by requiring it to be at least 8 characters long, 1 uppercase, 1 lowercase, 1 number, and 1 special character.

that's a bit overboard
 
Originally posted by: C0BRA99
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?

no

Num + letter + 6 chars min is fine, no need for special chars unless you want people to use the "I forgot my password" reset tool every single time they log in.
 
Originally posted by: C0BRA99
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?

if you extend it to 8 characters =P

My company has a bullshit policy where the PW expires every 3 weeks, and you can never have identical passwords.

Guess what, everybody here writes down their goddamn password because after the umpteenth password you don't remember what the fuck it is anymore, and you don't wanna get locked out.

My ideal password is 8-12, min 1 number + 1 caps
 
Originally posted by: C0BRA99
Originally posted by: Ns1
that's pretty asinine

num + letter = ok
num + letter + uppercase + lowercase = ok
num + letter + uppercase + lowercase + special character = fail

So you are saying that "1aBc" is an ok password to secure such information?

I don't see where he mentioned length 😉

Maybe you could add code to detect brute force attacks? Doesn't seem like it would be that complicated.
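One way to build the brute-force detection suggested in this reply, as an added example that is not code from the thread: count failed logins per account inside a sliding time window and flag accounts that exceed a threshold. The event shape, thresholds and sample data are constructed assumptions.

```javascript
// Added example (not from the thread): flag accounts that receive a burst of
// failed logins within a sliding window. Event shape and samples are constructed.

const WINDOW_SECONDS = 300;   // look-back window (assumed value)
const MAX_FAILURES = 5;       // failures tolerated inside the window (assumed value)

// Returns a Map of user -> { failures, firstTs, lastTs } for every account whose
// failed-login count inside some windowSeconds span exceeds maxFailures.
function detectBruteForce(events, maxFailures = MAX_FAILURES, windowSeconds = WINDOW_SECONDS) {
  const byUser = new Map();
  for (const e of events) {
    if (e.result !== 'fail') continue;          // only failures count
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e.ts);
  }
  const flagged = new Map();
  for (const [user, stamps] of byUser) {
    stamps.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < stamps.length; end++) {
      // Advance the window start until it spans at most windowSeconds.
      while (stamps[end] - stamps[start] > windowSeconds) start++;
      const count = end - start + 1;
      if (count > maxFailures) {
        flagged.set(user, { failures: count, firstTs: stamps[start], lastTs: stamps[end] });
      }
    }
  }
  return flagged;
}

// Constructed sample: alice gets 6 failures in under two minutes (a burst),
// bob gets 6 failures spread over a day (not a burst), carol fails once then succeeds.
const SAMPLE_EVENTS = [
  ...[0, 10, 25, 40, 70, 110].map(s => ({ ts: 1000 + s, user: 'alice', result: 'fail' })),
  ...[0, 1, 2, 3, 4, 5].map(h => ({ ts: 1000 + h * 4 * 3600, user: 'bob', result: 'fail' })),
  { ts: 1000, user: 'carol', result: 'fail' },
  { ts: 1030, user: 'carol', result: 'ok' },
];

for (const [user, info] of detectBruteForce(SAMPLE_EVENTS)) {
  console.log(`${user}: ${info.failures} failures between ${info.firstTs} and ${info.lastTs}`);
}
```

Slow, spread-out failures like bob's stay below the threshold, which is why the window has to be paired with a sensible per-account limit rather than a global counter.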
 
You shouldn't have to do all those things. Where I work you pick 3 of the 4.

I.e.

> 8 characters, num + letter + uppercase + special character

Therefore, 123456Aa would work, or 123456A# would work or abcdefG# would work.
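The "pick 3 of 4" rule above and the all-four rule from the original post, as an added example that is not code from the thread: one configurable check that reports which character classes a password contains and why it fails. The four classes are assumed to be lowercase, uppercase, digit and special, so "letter" in the reply maps to lowercase here.

```javascript
// Added example (not from the thread): configurable password-policy check covering
// the original post's rule (all four classes) and the reply's "3 of 4" rule.

const CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/,
};

// policy = { minLength, requiredClasses }; requiredClasses is how many of the
// four classes must appear (4 = the original post's rule, 3 = "pick 3 of 4").
function checkPassword(password, policy) {
  const present = Object.entries(CLASSES)
    .filter(([, re]) => re.test(password))
    .map(([name]) => name);
  const reasons = [];
  if (password.length < policy.minLength) {
    reasons.push(`shorter than ${policy.minLength} characters`);
  }
  if (present.length < policy.requiredClasses) {
    reasons.push(`only ${present.length} of 4 character classes (need ${policy.requiredClasses})`);
  }
  return { ok: reasons.length === 0, classes: present, reasons };
}

const OP_POLICY = { minLength: 8, requiredClasses: 4 };      // rule from the original post
const THREE_OF_FOUR = { minLength: 8, requiredClasses: 3 };  // rule from the reply above

// Passwords quoted in the thread, evaluated under both policies.
const THREAD_SAMPLES = ['1aBc', '123456Aa', '123456A#', 'abcdefG#'];

function evaluateSamples(policy) {
  return Object.fromEntries(THREAD_SAMPLES.map(p => [p, checkPassword(p, policy)]));
}

for (const [name, policy] of [['OP_POLICY', OP_POLICY], ['THREE_OF_FOUR', THREE_OF_FOUR]]) {
  for (const [pw, result] of Object.entries(evaluateSamples(policy))) {
    console.log(`${name} ${pw}: ${result.ok ? 'ok' : result.reasons.join('; ')}`);
  }
}
```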
 
my passwords at work have to be 15 chars long, 1 upper, 1 lower, 1 number, 1 special character. Oh and you can never repeat a password.
 
Originally posted by: Feldenak
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

8 characters is not unreasonable. Now, the 15 character passwords I'm required to use are a problem. I have to keep a list of my passwords for the different work environments on a spreadsheet here at work.

I hope that this spreadsheet is secure. There *are* password managers out there that let you secure a list of passwords with a single password.
 
Way too much. 8 characters, any mix. I have so many damn passwords at work that most co-workers write them all down. I forgot two last week because I just changed them for the umpteenth time.
 
As long as the password only grants access to the information for the person who created the password, then it's no big deal. You could suggest that they use a strong password, and you could include a JavaScript password strength checker next to the password box, but ultimately the user is responsible for the security of their own information.
 
Originally posted by: xSauronx
Originally posted by: Feldenak
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

8 characters is not unreasonable. Now, the 15 character passwords I'm required to use are a problem. I have to keep a list of my passwords for the different work environments on a spreadsheet here at work.

I hope that this spreadsheet is secure. There *are* password managers out there that let you secure a list of passwords with a single password.

It's in my network drive so I can access it on my telework days. At least I don't need a password to log on to the system. My CAC will let me log on and get to my network drive.

Originally posted by: Codewiz
my passwords at work have to be 15 chars long, 1 upper, 1 lower, 1 number, 1 special character. Oh and you can never repeat a password.

Gubmint?
 
Originally posted by: C0BRA99
This page has an interesting chart on time required to crack passwords:
http://uwadmnweb.uwyo.edu/info...security/passwords.htm

Of course the chart is based on 100,00 encryption operations per second, and that wouldn't really be an option just brute force in this case...

Maybe I will remove the special character requirement
8 Characters +upper + lower + number = 17 years

that site does not list that
8 Characters +upper + lower + number = forget password every week need to reset
 
Originally posted by: nakedfrog
That's a great password scheme... if you want people to write their passwords down.

Exactly. We just received a notice at my company yesterday requiring exactly what is written in the OP's requirements. My first comments to some IT buddies:

I can see the headlines now:

"External Break-Ins Down!"

"3M Sees Massive Demand Spike in Sticky Notes Consumption"

**EDIT** Actually, I believe we may have to choose 3 of the 4. I still believe the above articles will apply to my work environment. We have to change our passwords frequently so I have no doubt the help desk calls will escalate once this is implemented.
 