My password expired?


Chattonne
02-06-2008, 07:57 PM
I do tech support for an insurance company. Basically our customers can log onto our website to check on their coverage, make changes on their policy, etc, and I help people with technical problems on the website. Passwords for the site expire after 6 months. When that happens the customer gets a screen that says "Your password has expired. Click here to change your password." Today I got this call.

SC: I was trying to log in? And it says my password expired? Can you fix it?
Me: (slightly confused as I'm not sure what the problem is). Are you not able to change your password?
SC: No? (Everything he said was a question. Even answers to yes or no questions.)
Me: What happens when you try? Do you get an error message?
SC: Yes? It says my password has expired?
Me: Yes, and when you try to change your password, what happens?
SC: It ... says my password has expired?
Me: (Oh lordy, I've got a live one) Do you see where it says "Click here to change your password"?
SC: Yes?
Me: Click there.
SC: Oh, so I just need to change my password? Thanks for your help? Bye?

Gah! Read the friggin' screen!

WanderingSaint
02-06-2008, 08:08 PM
O_o.... My... my mind boggles at this.

... Someone needs some coffee...

... and you need some cookies!

VenomX
02-07-2008, 04:44 AM
I hate sites that expire passwords. No better way to lose me as a member/customer than to make me change my password.

Broomjockey
02-07-2008, 06:17 AM
My school forces you to change your network password every 112 days. And you can't reuse passwords. I shudder to think how the IT staff gets treated because of it.

jb17kx
02-07-2008, 06:41 AM
I hate sites that expire passwords. No better way to lose me as a member/customer than to make me change my password.

While it may seem very annoying, there are legitimate security reasons behind it. One can obtain your password in many ways, such as with keyloggers, packet interceptors, insecure databases, or even simple observation of your entering it. By forcing users to change passwords, it usually defeats these attempts as there is not enough time for them to be successful.

If they are successful, then that state of affairs lasts only 'till you notice or the next expiry.

So it's for your benefit in the end.

Geek King
02-07-2008, 01:07 PM
I hate sites that expire passwords. No better way to lose me as a member/customer than to make me change my password.

I suggest you get used to the idea. I've worked with companies that issued me an electronic keyfob that had the current password on it. Why? Their password changed every ten minutes. High security medical facility, if you're curious.

crazylegs
02-07-2008, 01:21 PM
I have a master password that logs me onto the work system then a further 3 inner passwords after that for various applications, however all four passwords expire after different lengths of time so in addition to the PIN to my radio, the code for the building, the pin to access vehicle keys I sometimes get slightly confused! :lol:

VenomX
02-07-2008, 02:12 PM
While it may seem very annoying, there are legitimate security reasons behind it. One can obtain your password in many ways, such as with keyloggers, packet interceptors, insecure databases, or even simple observation of your entering it. By forcing users to change passwords, it usually defeats these attempts as there is not enough time for them to be successful.

If they are successful, then that state of affairs lasts only 'till you notice or the next expiry.

So it's for your benefit in the end.

I can understand it for banking and things like that.
But for a school web site?
But for a forum like this one?

Dips
02-07-2008, 03:06 PM
OMG! I can really relate to the OP.

About 25% of my calls go like this:

Caller: My [software] says I need to activate? What do I do?

Me: Just go ahead and click the Activate button.

Caller: OH! [beat] Hey! It says I'm activated! Thanks!

Me: You're welcome. :rolleyes:

I guess some people just feel the need to ask permission to do anything.

technical.angel
02-07-2008, 03:47 PM
My school forces you to change your network password every 112 days. And you can't reuse passwords. I shudder to think how the IT staff gets treated because of it.

There's a thread around here somewhere that shows how. ;)

technical.angel
02-07-2008, 04:21 PM
I can understand it for banking and things like that.
But for a school web site?

School website would be usually for email or course management.

Course management usually has the student's financial and grade information. That right there is protected under FERPA, and that right there is some serious business.

Email passwords usually are the same logon as the network logon. If that got released into the wild, then you have the chance of an unauthorized user getting into the network, and then doing all kinds of nasty things.

All told though, I've never seen a forum that has required me to change my password.

Rapscallion
02-07-2008, 08:00 PM
But for a forum like this one?

Oddly enough, this software is set up as default to force Admins to change their passwords every six months.

That should kill the thread :p

Rapscallion

VenomX
02-07-2008, 08:09 PM
Oddly enough, this software is set up as default to force Admins to change their passwords every six months.

That should kill the thread :p

Rapscallion

I knew that since I run a vbulletin site/forum. That's why I mentioned forums in my post.

jb17kx
02-07-2008, 08:47 PM
As an aside, my bank - for online banking - makes me change my password every 3 months and use an RSA tag with a code that changes every 30 seconds based on an algorithm.

So I have to put in the password and then transcribe an 8-digit code in the 30 second window to get in.

Annoying, but it adds an extra layer of complexity for anyone who wants to fuck with my meagre and insignificant finances.

Fiyero
02-07-2008, 10:16 PM
Where I work we need a smart card, a pin number and 4 passwords (2 of which have to be changed frequently and must have letters numbers and nonalphanumeric characters, oh and be mixed case).
I am trained in data security so understand the need (the smart card and pin are for access to confidential patient data for the NHS) but during training it was recommended that we just change the number at the end! A good way to break the system.

VenomX
02-08-2008, 03:01 AM
Where I work we need a smart card, a pin number and 4 passwords (2 of which have to be changed frequently and must have letters numbers and nonalphanumeric characters, oh and be mixed case).
I am trained in data security so understand the need (the smart card and pin are for access to confidential patient data for the NHS) but during training it was recommended that we just change the number at the end! A good way to break the system.

I see that as insecure. To remember all that I would have to write all the passwords and pin down.

Geek King
02-08-2008, 01:02 PM
I see that as insecure. To remember all that I would have to write all the passwords and pin down.

Actually, I write most of my passwords down, but I do so in code. I keep the key algorithm to my code in my lockbox with my important paperwork (lease agreements, loan papers, insurance agreements, etc.) and in my head. If you saw my code sheet, it would look like a rough draft for a fanfic, or a grocery list. You might be able to break it, but there are easier pickings out there to go after that would take less time.

technical.angel
02-08-2008, 01:34 PM
What kind of fanfic?

Jenni, taking this totalllllllllllllly OT. ;)

trunks2k
02-08-2008, 04:31 PM
I suggest you get used to the idea. I've worked with companies that issued me an electronic keyfob that had the current password on it. Why? Their password changed every ten minutes. High security medical facility, if you're curious.

Yep, we had those sorts of things way back when I worked at Merck. But they were used for remote network access.

Fiyero
02-08-2008, 07:31 PM
I see that as insecure. To remember all that I would have to write all the passwords and pin down.

The passwords don't all have to be different (the pin is a number of course).

I have a system and none of the passwords are written down. Even if someone learned my password they wouldn't be able to guess it once changed (unlike adding to a number at the end).

DannyboyO1
02-11-2008, 03:56 PM
Man. Love hearing about security systems. Or, well, technically insecurity systems. So many have these arbitrary and distressing requirements where it gets steadily less likely that it'll be something the average person can readily memorize. At which point, they have to write it down.

Defeating half the purpose of the arcane requirements.

Most security just has to use sensible precautions. 3 failures and there's an alert, and you need to talk to IT for a password reset. They call your supervisor, verify you, embarrass you, and fix it. This actually does prevent the very brute-force methods that the extra symbols and characters are intended to fix.

I've heard some nice setups for dealing with human memory limitations. Partial passwords, patterns for numerics...

In trying to hunt down an old joke memo from years back including pretty much every artificial password restriction on the planet (punchline was "There is actually only one password that meets all of the above requirements, please see your supervisor for it."), I found an article explaining (http://www.securityfocus.com/infocus/1554) what I've always found silly about so many password requirements.

And, really, if your system administrator cannot protect your system from a brute-force attack (like, say, locking down any attempt with 3 failures), they should be fired.

Love the bit about the keychain dongle for the 10-min passwords, Geek King. 'course, technically, that's not a password. That's a key. Same system that's used in hotels, when you get down to the basics. ;)

Geek King
02-12-2008, 01:44 PM
What kind of fanfic?

Jenni, taking this totalllllllllllllly OT. ;)

The last one I used was one my friend was working on. It was a "what if" type of fanfic dealing with what might have happened if Louise the wizard (from the anime whose title is being translated as "Louise's Familiar" or "Zero's familiar") had summoned Dark Schneider from the Bastard!! universe as her familiar, rather than the guy from the anime/manga. I think he's still working on it.

Currently, I have a list of ingredients for white chicken chili serving as a password list. Sorry to disappoint. :angel:

Cyphr
02-12-2008, 05:43 PM
I <3 "Zero no Tsukaima"/"Zero's Familiar". That show rocks. I feel sorry for Saito getting exploded every episode, though.