Password Audit time :)


ImpulsE69

Lifer
Jan 8, 2010
Hah. I have you beat. Ours has been every 30 days for every system in the environment for the last year. It is SOOO annoying. I admin over 800 systems and while LDAP/AD helps for some, anything that requires local accounts (without the above) requires manual changing. Add to that they have all the "essential" password rules that just complicate things. On top of that everyone is required to "attest" to each system being changed monthly, but of course the attest system is completely screwy.

Basically, they've made it so it's just annoying, and really protects nothing because most people have now derived a system of just..well...you can figure it out...

Our management needs a kick in the head.
 

Ruptga

Lifer
Aug 3, 2006
They are doing their job. I've seen customers fail audits just because their password length, complexity and age did not meet an industry or partner requirement. You can bet your ass if I owned a company, I wouldn't do business with one that had less security policy in place than my own.

The point of the quoted post was that more rules is not the same thing as better security. That was not an argument against having good security.

Good security is hard to circumvent. When the system is so complex and tedious that employees ignore it in favor of their own system (sticky notes, changing only one number per reset, etc.), it becomes absurdly easy to circumvent.

Further, when you compare the ever-decreasing costs of RFID and fingerprint scanners with what password clusterfucks commonly cost in man-hours and productivity, traditional password solutions' ridiculousness becomes even more obvious.
 

EliteRetard

Diamond Member
Mar 6, 2006
Wait people can't recall passwords? WTFBBQ?

I currently have 11 different passwords, from 12-64 characters (seriously who the hell puts a 12 character limit? I wish I could do 64+ characters everywhere) and they all use a variety of numbers, letters (upper and lower), and special characters if allowed. I have no problems remembering any of them.

It's so easy to do...it's like saying you can't recall your name. In fact, if you're that bad, why not just use a variation on your name?

Billy Joe Bob
Password:
100$potatoLAST2@2
Billy (bills, money, cash) Joe (joe joes? those fried potato things) Bob (last name 2 b's also letter number 2, @ for o)

variation:
JHONNY$d33pfried@202

Add an acronym (or whatever) for where you're using this password to make it longer and easier to recall.
Example for a network password:

r0ut3rFINANCIAL$098yummyPOTATO@202

Whole words aren't the best, and there's a lot you can do to improve these passwords...but this would be far better than a stupid crap password, or saving them all in a text document for anybody to read.

It's possible even with a stupid name like: Jacqueline Harrison Bernadette

Jack a lean? Pumpkins (jack o lantern)? Gasoline?
Hair son? Wigs? Harrison Ford? Cars? Trucks?
Burn a debt? Fire? Baguette? French (dette)?

Could use the make/model of your car, the type of pet you have, the name of the city/state where you live, or simply make something up. Seriously, if you can't make a decent password and remember it, you deserve to have all your crap stolen.
 

ShawnD1

Lifer
May 24, 2003
Please tell me you meant the presence of alcohol.
Drinking until you pass out 1 time will probably not show up in your hair. Consistently drinking does show up. Same deal with other drugs. You were smoking crack all of the last two months? You can pass the piss test but your hair will tell us the whole story.
edit: of course nobody does the hair test because it's far far more expensive. It involves running samples through a machine called a gas chromatograph, which costs anywhere from $100,000 to $500,000.

They do the cheap piss test because all they really care about is that you're smart enough to stop smoking crack for at least 3 days. If you can't even stop for 3 days, you're too much of a piece of shit to work at any job.
 

Red Storm

Lifer
Oct 2, 2005
Drinking until you pass out 1 time will probably not show up in your hair. Consistently drinking does show up. Same deal with other drugs. You were smoking crack all of the last two months? You can pass the piss test but your hair will tell us the whole story.

Time to shave!

I remember my dad worked at a data center that had the whole hand print security thing. You used your right hand to gain access. If you were ever being forced into the building, using your left hand would trigger a silent alarm and alert security. Thought that was pretty neat, though it kinda makes you go :| when you see movies and shows that gloss over basic security measures that counter the Hollywood stuff.
 

Dirigible

Diamond Member
Apr 26, 2006
How many times have you seen this on your network... here's my password and all my info. I went into an office, the guy has a wall of passwords on Post-it pads, 4 across and 4 down. It's like they don't even try to hide it.

Why would I hide it? Hiding it would slow me down when I need to sign in. My passwords are on a sticky note stuck to the monitor. :thumbsup:
 

ShawnD1

Lifer
May 24, 2003
Why would I hide it? Hiding it would slow me down when I need to sign in. My passwords are on a sticky note stuck to the monitor. :thumbsup:

I just write down the numbers and signs. The sticky pad might say something like "7890!" but that's only half of the password.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Part of the issue is the stupid password policies that are put in place and the fact that there's so many freaking passwords. To me the worst thing is making them expire. Go ahead and make a policy that requires at least 10 characters, but don't make me change it every freaking month, because I WILL have to write it down. At work I use "Pins" to store all my passwords though. But to avoid having to constantly go in there, most of my passwords are all the same and I try to change them at the same time when one of them expires.

Expiry is more or less pointless though, if by chance someone is trying to brute force my password, what's to say that when I change it, I pick a password that was not tried yet? Only time changing a password makes sense is if you suspect or know someone else knows it.
 

Red Storm

Lifer
Oct 2, 2005
Part of the issue is the stupid password policies that are put in place and the fact that there's so many freaking passwords. To me the worst thing is making them expire. Go ahead and make a policy that requires at least 10 characters, but don't make me change it every freaking month, because I WILL have to write it down. At work I use "Pins" to store all my passwords though. But to avoid having to constantly go in there, most of my passwords are all the same and I try to change them at the same time when one of them expires.

Expiry is more or less pointless though, if by chance someone is trying to brute force my password, what's to say that when I change it, I pick a password that was not tried yet? Only time changing a password makes sense is if you suspect or know someone else knows it.

My student loan account is like this. I basically gave up trying to remember it 'cause it has to be very complex, expires, and the new one can't be anything like the previous one. Every single time I log in (maybe once a month) I end up having to do a password reset. :|
 

Anubis

No Lifer
Aug 31, 2001
tbqhwy.com
Wait people can't recall passwords?

I can recall them just fine if they are used somewhat frequently; the ones I can never remember are the ones I use once a quarter and have stupid requirements like caps and symbols.

I have to change it every 3 months at work and it's annoying and has gotten me locked out of my comp more than once because I keep entering the old one. So I simply started using the same one every time with a # at the end that I simply increase by 1 every time I have to change it.
 

MotionMan

Lifer
Jan 11, 2006
At my dad's work, he would have to change his password once a WEEK, it had to have at least one capital and 1 number and a password could not be repeated for a year.

He would hang the 49ers team picture on his wall and start from the first guy in the first row and work his way through the picture until the next year's picture came out (i.e. "Montana16", "Rice80", etc.).

MotionMan
 

olds

Elite Member
Mar 3, 2000
When we had a 30 day password policy, it was easy. My password for June was Junboat12. July it was Julboat12: month, boat, year. I could use the same password for everything and they'd expire at the same time.

Then they changed some to 90 days. Now they don't synch up. What's someone going to do, steal one of my PowerPoints and teach a class?
 

Howard

Lifer
Oct 14, 1999
Drinking until you pass out 1 time will probably not show up in your hair. Consistently drinking does show up. Same deal with other drugs. You were smoking crack all of the last two months? You can pass the piss test but your hair will tell us the whole story.
edit: of course nobody does the hair test because it's far far more expensive. It involves running samples through a machine called a gas chromatograph, which costs anywhere from $100,000 to $500,000.

They do the cheap piss test because all they really care about is that you're smart enough to stop smoking crack for at least 3 days. If you can't even stop for 3 days, you're too much of a piece of shit to work at any job.
Our company picked up a GC for about $40,000 new several years ago.
 

Phoenix86

Lifer
May 21, 2003
When we had a 30 day password policy, it was easy. My password for June was Junboat12. July it was Julboat12: month, boat, year. I could use the same password for everything and they'd expire at the same time.

Then they changed some to 90 days. Now they don't synch up. What's someone going to do, steal one of my PowerPoints and teach a class?
Use the seasons.

correcthorsebatterystaple doesn't meet the requirements of any system I have used in eons, but of course is more secure.

My last job required ~8 different passwords (varying rules on each system so no 2 would ever line up) over 30 systems. When one required a reset I did them all. I didn't access many systems but once every 2-3 months so that was fun...
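As an added example (not from any poster in this thread), the following Python checks the complexity rules quoted above against the passphrase Phoenix86 mentions and against the month-word-year rotation scheme, and attaches a rough guessing-entropy estimate to each. The minimum length of 8, the word-list sizes and the "2000 common nouns" figure are assumptions.

```python
import math
import string

# Character classes that the complexity rules quoted in this thread demand.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def meets_policy(pw, min_len, classes, min_classes):
    """True if pw has at least min_len characters and draws from at least
    min_classes of the named character classes."""
    if len(pw) < min_len:
        return False
    present = sum(1 for c in classes if any(ch in CLASSES[c] for ch in pw))
    return present >= min_classes

def pattern_bits(*slot_choices):
    """Guessing entropy (bits) of a password assembled from independent slots,
    given the number of plausible values that must be tried per slot."""
    return sum(math.log2(n) for n in slot_choices)

# jamesbond007's rule: 8 chars, any two of capital / number / special (assumed length).
TWO_OF_THREE = dict(min_len=8, classes=("upper", "digit", "special"), min_classes=2)
# Wyndru's Citrix rule: 8 chars, one of each class (dictionary check omitted).
ONE_OF_EACH = dict(min_len=8, classes=("upper", "lower", "digit", "special"), min_classes=4)

def compare():
    """Policy verdicts for three passwords from the thread, plus entropy estimates."""
    verdicts = {
        pw: (meets_policy(pw, **TWO_OF_THREE), meets_policy(pw, **ONE_OF_EACH))
        for pw in ("correcthorsebatterystaple", "Junboat12", "Red3@Cabbage7")
    }
    # Four words drawn from a 2048-word list (assumed list size).
    passphrase = pattern_bits(2048, 2048, 2048, 2048)
    # Month abbreviation (12) + a common noun (assumed 2000) + two-digit year (100).
    rotated = pattern_bits(12, 2000, 100)
    return verdicts, passphrase, rotated

if __name__ == "__main__":
    v, p, r = compare()
    for pw, (two, four) in v.items():
        print(f"{pw:28} two-of-three={two!s:5} one-of-each={four}")
    print(f"passphrase ~{p:.1f} bits, month+word+year ~{r:.1f} bits")
```

The passphrase fails both rules while carrying roughly double the guessing entropy of the policy-compliant rotation scheme, which is the mismatch Phoenix86 is pointing at.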
 

KMFJD

Lifer
Aug 11, 2005
I have over 50 different passwords that need to be changed every month, takes almost half the day just to change them all....
 

Wyndru

Diamond Member
Apr 9, 2009
Yes, but if the admins don't do that then you get idiot end users using Password1 or Hello123 for their passwords. It's a tricky thing to balance and ideally the end users would understand why password complexity is a necessary thing now.

Some are overkill though. I worked for a place that had the high restrictions on their Citrix system. It expired 1/month and IIRC it was 8 chars - at least one each: number, letter, capital, special char, no dictionary terms, no names. It also added the additional annoyance of NEVER letting you repeat similar sequences from previous passwords. I figured that after 7 or 8 passwords I could use a similar sequence; nope, it would still fail. It had to be completely unique every time.

That was the only place I had them stored in another pw protected file, because otherwise I couldn't remember what I had already used in the past.
 

jamesbond007

Diamond Member
Dec 21, 2000
I have over 50 different passwords that need to be changed every month, takes almost half the day just to change them all....

If this is true, I really feel sorry for you. I use a program on my iPhone called SplashID that houses all of my passwords. The data on the phone itself is encrypted. This way, I don't have 200 passwords on notes around my screens and I always have them with me. Best $10 I ever spent!

Anyway, I am a System Administrator and it is very entertaining to read all the posts here. I do feel sorry for those of you who need to have so many for the variety of systems at work. When choosing company software, it's a high priority to choose systems that integrate with AD for authentication so users don't have to go through all the hell you guys are facing.

I implement a semi-strong secure password length of 8 characters and require just two of the following 3 rules: one capital letter, one number, and one special character. The rotation is every 6 months, which I think is quite fair. Also, you can't use any part of your name(s) or your phone extension.

I'm curious what your thoughts are on mobile device passwords? Though we do not enforce phone data encryption (it makes a phone crawl!) we do require a simple password that rotates every 6 months as well. It's not unheard of for someone to misplace or lose their phone and a client contact list is considered highly valuable. Granted, I'm sure it wouldn't take too long to bypass the passwords, but it ought to keep someone out long enough to do a locate if it's still powered on. :awe:
 

JimKiler

Diamond Member
Oct 10, 2002
Wait people can't recall passwords? WTFBBQ?

I currently have 11 different passwords, from 12-64 characters (seriously who the hell puts a 12 character limit? I wish I could do 64+ characters everywhere) and they all use a variety of numbers, letters (upper and lower), and special characters if allowed. I have no problems remembering any of them.

It's so easy to do...it's like saying you can't recall your name. In fact, if you're that bad, why not just use a variation on your name?

Billy Joe Bob
Password:
100$potatoLAST2@2
Billy (bills, money, cash) Joe (joe joes? those fried potato things) Bob (last name 2 b's also letter number 2, @ for o)

variation:
JHONNY$d33pfried@202

Add an acronym (or whatever) for where you're using this password to make it longer and easier to recall.
Example for a network password:

r0ut3rFINANCIAL$098yummyPOTATO@202

Whole words aren't the best, and there's a lot you can do to improve these passwords...but this would be far better than a stupid crap password, or saving them all in a text document for anybody to read.

It's possible even with a stupid name like: Jacqueline Harrison Bernadette

Jack a lean? Pumpkins (jack o lantern)? Gasoline?
Hair son? Wigs? Harrison Ford? Cars? Trucks?
Burn a debt? Fire? Baguette? French (dette)?

Could use the make/model of your car, the type of pet you have, the name of the city/state where you live, or simply make something up. Seriously, if you can't make a decent password and remember it, you deserve to have all your crap stolen.

Sorry, I do not like reusing the same base password with variations; it messes me up too much when I change them every 90 days. I prefer random words strung together instead, like red cabbage or green pancakes. I can remember those.
 

EliteRetard

Diamond Member
Mar 6, 2006
Nothing wrong with that, but you could make the password much stronger with some simple changes. Use upper/lower case and add even a single number and special character. Red3@Cabbage7

My suggestion was more for average users who don't have to change their password. If they can recall their name or email address it should be simple to create a strong password that's easily remembered. If you can remember babyboo609@yahoo.net (EDIT: Sorry I don't know if that's a real email or not, just an example) then you can make a strong password that contains all four options of upper/lower case letters, numbers, and special characters, and make it long enough to be virtually hack proof (anybody that could hack the password would certainly not waste the time/effort on an average user).

Like I suggested, you can use some weird variation of your name to make it easier to recall, or just make something up...but it's not hard to take a simple password and make it better with some changes, that are usually required anyway.

Another example was to use the name or number of the account as part of the password to help you recall which goes to where.

Bank: @Over9000Do$$ars
Email: #1fastestMALE@69
Work: $tation13@NODE24
???: IAM@hotAGENT#007

These passwords took me no time at all to think up, easy to remember and are far more secure than a simple 8 character password. Ten seconds to make sure they were all 16 characters. Even if I had to change my passwords every 90 days I'm certain I could recall 10 or so good unique passwords. 50 would probably be a stretch, but as has been mentioned, there are far more secure ways of storing passwords than on a sticky note and saved in a word document on your desktop.

There's simply no excuse for terrible piss poor security.