Password Requirements are Non-Negotiable


  • Password Requirements are Non-Negotiable

    Just had a call with another luser.

    She'd called earlier to have her password reset. But the password provided wasn't working. (After dealing with her, I have my doubts that the password was wrong, but whatever.)

    So I reset her password for her again and stay on the line to make sure she can get in. After a couple of misunderstandings, she gets the password entered correctly and now has to reset it herself.

    For a few minutes, she keeps insisting it's not working. I verify she's using the temporary password I gave her as the "old" password. Yes. But it's not accepting her new password.

    So I run down the list.

    J2K: "Are you using upper-case, lower-case, and numbers?"
    Her: "Yes."
    J2K: "Is it at least 12 characters long?"
    Her: "Oh, it's gotta be 12?"
    J2K: "Yes."
    Her: "Not 8?"
    J2K: "No."
    Her: "Can I go 10?"
    J2K: "...No."

    Seriously?
    PWNADE(TM) - Serve up a glass today! | PWNZER - An act of pwnage so awesome, it's like the victim got hit by a tank.

    There are only Four Horsemen of the Apocalypse because I choose to walk!

  • #2
    I know the feeling. I worked a Comcast call center for a while.

    I had this one woman that made me so upset they had to take me off the phones for an hour and a half because I was crying and shaking. She called me every name in the book, and incompetent and liar were the nicest of them. We weren't allowed to hang up on the customers no matter how abusive they were, and I tried to get a supervisor to take the call but he couldn't get to me fast enough. It was so bad that the other chairs around me could actually hear her and I had the guy next to me standing behind me with his hand on my shoulder. By the time she finally hung up (the supervisor didn't get to me until seconds before she hung up), there were fingerprints in the chair. I had been talking to one of the techs over the chat they use in the company for technical help and told him what was going on. When she finally hung up, he asked if I were ok. He and the supervisor took me off the phones or I'd have walked out right then and there. All because Comcast (at the time) used 8 digits in its passwords instead of the traditional 6.

    Never have I been so abused by a customer, not before or since then.

    I have stories like the woman whose kids used their modem as a football. And another woman that dropped soda on her modem, filled the bathroom sink with water, and put the modem in it to clean it, then plugged it back in.

    Seriously, if a person can't understand basic fundamental things like you shouldn't put electronics in water, then you shouldn't own anything computerized because you're too stupid for technology.


    • #3
      Your problem is why my Mom's boss pays me to come in during updates and required password changes. I have a book of words each of the staff likes. I make them their own password, reset it for them, tell them what it is and move on to the next one. During updates or times when serious fixing needs to be done, I take the CSR to another office, then log her into a different computer, since none, including my mother, seem to get that they CAN work at a different computer; then myself and one of the managers work on what needs to be done. It's bad. I've finally gotten one of the CSRs to understand she can check her Yahoo email account from her work computer. It only took me two bloody years! I need a drink just thinking about this. So far only one manager and the company owner know how to do these things without help; the 14 other people in the office have issues with it all. I'm not a tech either, I'm not even that good with computers, but somehow I find myself doing these things and setting up new computers and laptops when they come in.
      I'm the 5th horsemen of the apocalypse. Bringer of giggly bouncy doom, they don't talk about me much.


      • #4
        Here's how these conversations go at my work:

        EW - I want the last password I used!
        ME - Can't do that. Rules are can't be the last 6 you've used.
        EW - Well that's b***s***. You're an admin. Change it back!
        ME - You want to know what happens if I were to ignore rules and change it?
        EW - What?
        ME - The server detects the manual password change and it being one of the last 6 passwords used. It fires an alert email to IT Security. IT Security contacts your boss and mine and we both get fired for breaking company IT Security policy.
        EW - Oh. In that case, I'll go change my password now.
        Fixing problems... one broken customer at a time.


        • #5
          I remember in college, IIRC you had to change your password every 90 days and at the beginning of the fall semester. One year I was an intern in one of the computer labs. It would never fail that someone would come to me saying their password wasn't working and they got a weird error.

          I would make them try it again, see that their password expired and tell them to reset it. I learned very quickly to keep a bunch of printouts, directly from the IT dept. website where they listed the password policies, in the office to give to people who asked.


          • #6
            I hate setting passwords for everything because it's all going paperless now.

            I understand a good password looks like a cat rolled around on my keyboard for six hours. But if I want to make my password "hooters," that's my shitty decision and you should let me roll with it.

            Thanks to The Oatmeal for obvious inspiration.
            Knowledge is power. Power corrupts. Study hard. Be evil.

            "I never said I wasn't a horrible person."--Me, almost daily


            • #7
              ^


              I hate trying to make my password 12 characters 'cause I can't do it and remember it at the same time.

              But FFS, if that's the requirement, that's the requirement. Deal with it.

              At my uni, we had to change it every semester at least.
              "And so all the night-tide, I lie down by the side of my darling, my darling, my life and my bride!"
              "Hello my darling/Can't believe how time passes"
              Amayis is my wifey


              • #8
                Quoth Irving Patrick Freleigh
                But if I want to make my password "hooters," that's my shitty decision and you should let me roll with it.
                Keep in mind that the password protects corporate assets, not your personal ones. But yes, some password policies are so complex that they pretty much require people to have a sticky note with the password stuck to their monitor.
                There's no such thing as a stupid question... just stupid people.


                • #9
                  Quoth It's me
                  Keep in mind that the password protects corporate assets, not your personal ones. But yes, some password policies are so complex that they pretty much require people to have a sticky note with the password stuck to their monitor.
                  Yeah, if you try to leave a sticky note with your password on your monitor here, you can get fired. They don't mess around with information security here.
                  PWNADE(TM) - Serve up a glass today! | PWNZER - An act of pwnage so awesome, it's like the victim got hit by a tank.

                  There are only Four Horsemen of the Apocalypse because I choose to walk!


                  • #10
                    Quoth Blade_Raver
                    Here's how these conversations go at my work:

                    EW - I want the last password I used!
                    ME - Can't do that. Rules are can't be the last 6 you've used.
                    EW - Well that's b***s***. You're an admin. Change it back!
                    ME - You want to know what happens if I were to ignore rules and change it?
                    EW - What?
                    ME - The server detects the manual password change and it being one of the last 6 passwords used. It fires an alert email to IT Security. IT Security contacts your boss and mine and we both get fired for breaking company IT Security policy.
                    EW - Oh. In that case, I'll go change my password now.
                    Easy workaround:
                    Change password to temp1
                    Change password to temp2
                    Change password to temp3
                    Change password to temp4
                    Change password to temp5
                    Change password to temp6
                    Change password to last password I used

                    The password they want isn't among the last 6 they used, so the system thinks it's OK.

                    Quoth Jay 2K Winger
                    Yeah, if you try to leave a sticky note with your password on your monitor here, you can get fired. They don't mess around with information security here.
                    How about having your password on a permanent label (applied by the manufacturer) on the underside of your keyboard or mouse? If the model number/serial number is complex enough, it could easily fit the pattern of a "legitimate" password under company policy.
                    Any fool can piss on the floor. It takes a talented SC to shit on the ceiling.


                    • #11
                      Quoth wolfie
                      How about having your password on a permanent label (applied by the manufacturer) on the underside of your keyboard or mouse? If the model number/serial number is complex enough, it could easily fit the pattern of a "legitimate" password under company policy.
                      It's actually quite clever to use the serial number of, say, your keyboard for your password. It's already printed on the underside of the keyboard, it's a unique number, it's a very long number, and it's also hidden in plain sight.


                      • #12
                        Quoth wolfie
                        Easy workaround:
                        Change password to temp1
                        Change password to temp2
                        Change password to temp3
                        Change password to temp4
                        Change password to temp5
                        Change password to temp6
                        Change password to last password I used

                        The password they want isn't among the last 6 they used, so the system thinks it's OK.
                        Not so simple. Other restrictions are usually "unable to be found in the dictionary" "letters in both upper and lower case, numbers, and symbols must be required" and "cannot resemble any prior passwords of the previous stored ones". That last one foils your idea.
                        I AM the evil bastard!
                        A+ Certified IT Technician


                        • #13
                          Quoth wolfie
                          How about having your password on a permanent label (applied by the manufacturer) on the underside of your keyboard or mouse? If the model number/serial number is complex enough, it could easily fit the pattern of a "legitimate" password under company policy.
                          Also something that can get you fired.

                          I can't say who the client is (both per CS.com rules and the contract), but if I could, you wouldn't be surprised.

                          Again, they don't mess around with informational security.
                          PWNADE(TM) - Serve up a glass today! | PWNZER - An act of pwnage so awesome, it's like the victim got hit by a tank.

                          There are only Four Horsemen of the Apocalypse because I choose to walk!


                          • #14
                            It also depends on what kind of access you're protecting.

                            In cases where the computer/account being protected has access to very critical information then you definitely want a strong password.

                            On the other hand, it's far too common for extremely strong passwords to be changed on a monthly basis that protect absolutely nothing of value.


                            • #15
                              Wolfie,

                              I believe the company has AD security set up to where they can't reset their own password more than 1 time every 24 hours.

                              If the person called in to the helpdesk 7 times to reset password there's ticket history + it will trigger an alert because of more than 3-4 passwords changed within 24 hours.

                              IT Security will get the alert and kinda put 2 and 2 together as to what the user is doing.

                              The only difference is that the end user would get disciplined and not the helpdesk employees who took the calls.
                              Fixing problems... one broken customer at a time.
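
An added example, not part of any post in the thread and not any product's actual implementation: a small Python model of the controls discussed in posts #4, #10 and #15, showing that a 6-deep password history on its own accepts the change sequence from post #10, while a 24-hour minimum password age rejects it and a change-count alert flags it. The class, the function names, the sample password and the alert threshold of 3 are assumptions made for the illustration; length and complexity rules are not modelled.

```python
import hashlib
from datetime import datetime, timedelta

HISTORY_DEPTH = 6               # "can't be the last 6 you've used" (post #4)
MIN_AGE = timedelta(hours=24)   # one self-service change per 24 hours (post #15)
ALERT_THRESHOLD = 3             # post #15 says "more than 3-4"; 3 is assumed here
WINDOW = timedelta(hours=24)


class Account:
    def __init__(self, salt: bytes, enforce_min_age: bool):
        self.salt = salt
        self.enforce_min_age = enforce_min_age
        self.history = []       # hashes of accepted passwords, newest last
        self.changes = []       # timestamps of accepted changes

    def _hash(self, password: str) -> bytes:
        # Iteration count kept low so the demo runs quickly; not a production value.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def change_password(self, new: str, now: datetime) -> str:
        digest = self._hash(new)
        if digest in self.history[-HISTORY_DEPTH:]:
            return "rejected: in history"
        if self.enforce_min_age and self.changes and now - self.changes[-1] < MIN_AGE:
            return "rejected: minimum age"
        self.history.append(digest)
        self.changes.append(now)
        return "accepted"

    def alert(self, now: datetime) -> bool:
        # True when more than ALERT_THRESHOLD changes were accepted inside WINDOW.
        recent = [t for t in self.changes if now - t <= WINDOW]
        return len(recent) > ALERT_THRESHOLD


def replay_cycle(enforce_min_age: bool):
    """Replay the sequence from post #10, five minutes apart (constructed data)."""
    acct = Account(salt=b"constructed-salt", enforce_min_age=enforce_min_age)
    t = datetime(2024, 1, 1, 9, 0)
    acct.change_password("Favourite-Pass1", t - timedelta(days=90))  # old favourite
    results = []
    for pw in ["temp1", "temp2", "temp3", "temp4", "temp5", "temp6", "Favourite-Pass1"]:
        t += timedelta(minutes=5)
        results.append(acct.change_password(pw, t))
    return results, acct.alert(t)
```

With `enforce_min_age=False` every change is accepted and only the alert catches the pattern; with `enforce_min_age=True` the second change is already refused and the old password is still inside the history window when it is retried.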
