Crazy password security

  • Crazy password security

    So I finally got my login to the State's "Health Commerce System" today. (Turns out that what I wanted to do, viz. look up controlled substance prescribing history, can only be done by those with prescriptive authority, i.e. doctors, RN/CNP/CNM, PA etc., but that's another story.) They issue me a temporary password, which I have to change on first login. Then I get the following screen:

    Change My Password

    Enter your new password twice, then click Change Password

    Your New Password:
    Must be at least 8 characters long.
    Must have at least 5 letters.
    Must not contain your first or last name.
    Must not match any of your 50 previous passwords.
    Must have either 2 numbers, 2 special characters or 1 number and 1 special character.
    Please Note: The following special characters are not allowed: * ' " \ # @ ,

    "Must not match the last 50 passwords"?! And just how am I supposed to remember the last 50 passwords I've done for anything? Especially with that requirement for 2 special characters? This is just a recipe for sticky-notes on monitors with the password written on them, seems to me.

    But it gets worse. The next screen might be expected to ask for a verification question. Well, it does, but in fact it asks . . .

    27

    of them.

    Secret Question: Please answer at least 6 of the 27 provided questions.

    Question / Answer
    What is the name of your first pet?
    What is the name of your first school?
    What is the last name of your all-time favorite teacher?
    What is the last name of your first school principal?
    What is the last name of your favorite author when you were in school?
    What is the first name of your childhood best friend?
    What is the model of your first car?
    What is the color of your first car?
    What is the last name of your childhood pediatrician?
    What is the first name of your mother's father?
    What is the first name of your mother's mother?
    What is your father's middle name?
    What is the street that you lived on as a child?
    What is the city where your grandparents live or lived?
    What is your favorite restaurant?
    What is your favorite vacation place?
    What is your favorite band?
    What is your favorite movie?
    What is your favorite TV show?
    What is your favorite drink?
    What is your favorite food?
    What is your favorite place?
    What is your favorite pastime or hobby?
    What is the title of your favorite book?
    What is the last name of your favorite actor?
    What is the last name of your favorite athlete?
    What is your favorite song?

    WTF is this, a computer access password or a freaking psychiatric examination?

    Never mind that the answers to some of those questions can change over time, I don't think I've ever had a favorite anything. Athlete? I don't care enough about any one sport to have a favorite athlete. Favorite songs change by the day, given that if I hear any song often enough it will soon become an unfavorite. Favorite TV show? I don't have a freaking TV. And if I put down what my favorite show was back when I had one, is it "Doctor Who" or "Dr Who"? And how do I remember which permutation I put down? First Car? Does that mean the first one I had semi-exclusive rights to, the first one I owned, the first one I had registered in my own name, the first one I paid for, or the first one I got new? Those are five different vehicles (in order: a 1979 Pontiac Grand LeMans, a 1976 Ford LTD, a 1979 Cadillac Sedan DeVille with 195K miles, a 1988 Chevy Blazer S10, and a 2011 Subaru Forester...) Last name of my first school principal? Who the hell remembers after 40 years? All-time favorite teacher? I hated most of them impartially. At least my grandparents' names are objective data that won't change. I was able to get enough of these stupid questions answered to satisfy them, and moved on.

    Then after all that, the "Lost Password Option" has to be turned on, if you think you'll need it. Which you will, sooner or later.

    Which makes no sense. If you opt not to use the lost password recovery, what in hell do you need all that catechism above for?

    Ah well. Our old pharmacy law professor, Dr Robert Cooper (RIP), once said, "If it looks really stupid, it's probably New York State." He wasn't wrong about that.
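    The rule set quoted on that change-password screen is concrete enough to implement, so here it is as a checker. This is an added example and not code from New York's Health Commerce System; the rules are the ones listed on the screen, while the history store (a list of (salt, digest) pairs, most recent first) and the use of PBKDF2 in place of a dedicated password hash are this example's own assumptions.

```python
"""Policy checker for the password rules quoted in the post above.

Added example; not code from the Health Commerce System, whose implementation
is not shown. The history store and the hash function are assumptions.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8
MIN_LETTERS = 5
HISTORY_DEPTH = 50
DISALLOWED_SPECIALS = set("*'\"\\#@,")   # the screen's list: * ' " \ # @ ,
PBKDF2_ROUNDS = 10_000                   # kept low for the example; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, a stand-in for Argon2id/bcrypt/scrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_password(password: str, history: list) -> list:
    """Prepend a fresh (salt, digest) pair and trim to HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]


def check_password(candidate: str, first_name: str, last_name: str, history: list) -> list:
    """Return the rules the candidate violates; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("must be at least 8 characters long")
    if sum(c.isalpha() for c in candidate) < MIN_LETTERS:
        problems.append("must have at least 5 letters")

    lowered = candidate.lower()
    for name in (first_name, last_name):
        if name and name.lower() in lowered:
            problems.append("must not contain your first or last name")
            break

    banned = sorted(set(candidate) & DISALLOWED_SPECIALS)
    if banned:
        problems.append("contains disallowed special character(s): " + " ".join(banned))

    # "2 numbers, 2 special characters, or 1 number and 1 special character"
    # all reduce to: at least two characters that are digits or specials.
    digits = sum(c.isdigit() for c in candidate)
    specials = sum((not c.isalnum()) and (not c.isspace()) for c in candidate)
    if digits + specials < 2:
        problems.append("must have 2 numbers, 2 special characters, or 1 of each")

    # Reuse is checked against stored digests only: the previous passwords
    # themselves are never kept in recoverable form.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("must not match any of your 50 previous passwords")
            break
    return problems


if __name__ == "__main__":
    hist = record_password("Tardis42", [])          # constructed sample history
    print(check_password("Tardis42", "John", "Doe", hist))   # reuse is rejected
    print(check_password("Tardis43", "John", "Doe", hist))   # accepted: []
```

    The two calls at the bottom show the limit of the "last 50" rule as written: it can be enforced against salted digests without ever keeping old passwords readable, but a password that differs from the previous one by a single character passes it untouched.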

  • #2
    It's health-related stuff, so they probably figure they're covering their asses, because HIPAA and all that.
    Knowledge is power. Power corrupts. Study hard. Be evil.

    "I never said I wasn't a horrible person."--Me, almost daily



    • #3
      "If it looks really stupid, it's probably New York State."
      Truer words were never spoken.
      When you start at zero, everything's progress.



      • #4
        I have an encrypted password db that I keep passwords in. I make up funny/nonsense answers to questions like that and keep them in the notes. Favorite pet: Cthulu, First car: Tardis. It means that if I ever lose access to the db, I'm screwed, but it keeps from having to try to figure out exact spellings and junk later.
        Life: Reality TV for deities. - dalesys



        • #5
          My bank does a similar trick with the 'last X' passwords; somehow it detects any character strings used in a previous password and rejects it.

          I also have fun with security-question answers. I figure that the real answers can be ferreted out by anyone with enough time, so I'll munge them to be technically correct, but far enough off that the 'usual' answers anyone else would find don't work (combine pets' names, favorite movie in a specific genre, etc).
          "I am quite confident that I do exist."
          "Excuse me, I'm making perfect sense. You're just not keeping up." The Doctor



          • #6
            And most people already know how to defeat all of those restrictions.

            passwords: changing only the last/first character of the password
            questions: using the same "answer" for the questions (just add a 2, 3, 4 to the end)


            Now some more advanced systems will check the password one for that trick, but few of them check the "personal questions" one.


            Also if you DO use real answers for the "personal question" list, I recommend NOT answering those cute emails/threads about "what is your favorite color" etc. cos that can be used/abused to hack your shit.


            Ah well. Our old pharmacy law professor, Dr Robert Cooper (RIP), once said, "If it looks really stupid, it's probably New York State." He wasn't wrong about that.
            Former resident refugee from NY.
            Last edited by PepperElf; 01-18-2013, 02:28 PM.



            • #7
              The bank system that checks for character strings sees any two or more consecutively (regardless of position) as a 'string', so I have to get a bit more creative. Doable, but annoying.
              Last edited by Dreamstalker; 01-19-2013, 12:37 AM.
              "I am quite confident that I do exist."
              "Excuse me, I'm making perfect sense. You're just not keeping up." The Doctor
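              The "consecutive character strings" check described in that post, plus a check for the one-character edits mentioned in #6, as an added example (not the bank's code, whose rule is only known from the description above). It assumes the comparison is case-insensitive and that the only previous password available is the current one, which the user types at change time; comparing against fifty earlier passwords this way would require storing them in recoverable form, which is exactly what a history-of-digests scheme avoids.

```python
"""Similarity check between a new password and the one it replaces.

Added example. The "shared run of two or more characters" rule follows the
bank behaviour described in the post above; the one-edit rule is an addition
aimed at the first/last-character trick. Case-insensitive matching is an
assumption of this example.
"""


def longest_shared_run(new_pw: str, old_pw: str) -> str:
    """Longest substring of new_pw that also occurs somewhere in old_pw."""
    best = ""
    for i in range(len(new_pw)):
        for j in range(i + 1, len(new_pw) + 1):
            piece = new_pw[i:j]
            if len(piece) > len(best) and piece in old_pw:
                best = piece
    return best


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    # Deleting one character from the longer string must give the shorter one.
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))


def too_similar(new_pw: str, old_pw: str, min_run: int = 2) -> list:
    """Return the reasons the new password is too close to the old one (empty if fine)."""
    reasons = []
    run = longest_shared_run(new_pw.lower(), old_pw.lower())
    if len(run) >= min_run:
        reasons.append(f"shares the run {run!r} with the previous password")
    if within_one_edit(new_pw, old_pw):
        reasons.append("differs from the previous password by at most one character")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a last-digit bump, and an unrelated replacement.
    print(too_similar("Tardis43", "Tardis42"))
    print(too_similar("Zyx98!q", "Tardis42"))   # []
```

    A two-character minimum run is as strict as the post describes and will reject many honest choices (any password containing "th" after one containing "the"); the `min_run` parameter exists so the threshold can be tuned, and the one-edit rule catches the cheap increment trick on its own even with a longer run threshold.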



              • #8
                Was anyone else reminded of a certain Dilbert strip?



                • #9
                  Quoth Shalom View Post
                  And if I put down what my favorite show was back when I had one, is it "Doctor Who" or "Dr Who"? And how do I remember which permutation I put down?
                  That kind of thing got me locked out of an account a while back. I set the thing up and then didn't use it for a while, and I couldn't remember what password I used. I tried what I thought it might be, no good. So I clicked on the "forgot password" link, which brought up my questions. Unfortunately, I wasn't sure how I had originally answered those either. The first one it asked was my favorite movie. I have several favorites, and I wasn't sure which one I had put. Then it asked me what my first car was, which I was pretty certain of. I found out one of my answers was wrong, and the account ended up locking because of too many failed attempts. So I had to call in.

                  The lady I spoke with asked me the same questions. For the movie, I told her, "I think it was (movie name)." For the first car question, I answered that one without any trouble -- or so I thought. I got the movie name right, but I gave the car answer as "85 (make & model name)." Apparently when I originally filled out my questions, I put it as "1985 (make & model name)." Oops...
                  Sometimes life is altered.
                  Break from the ropes your hands are tied.
                  Uneasy with confrontation.
                  Won't turn out right. Can't turn out right



                  • #10
                    Same thing happened to me so I had to call in. For one of the accounts, apparently I answered one of my phone security questions 'incorrectly'; turned out later that the answer I had originally put down (technically correct but not the obvious choice) had been 'fixed' in their system to be the proper obvious answer. I never found out why the change was made and why it was never run by me first.
                    "I am quite confident that I do exist."
                    "Excuse me, I'm making perfect sense. You're just not keeping up." The Doctor



                    • #11
                      The problem with passwords of that level is that all it does is encourage people to write it down on a post-it note. If the password cannot be remembered by a human brain then it gets written down, and so it becomes less secure than if you used a short, simple password.

                      Also I'm not sure of any reasonably complex password being a point of failure. By reasonably complex, I mean fancier than 12345 or password. These days it's either social engineering that gets you through a password barrier, or a stupid server admin who keeps all of the passwords stored in plain text on some unprotected computer.

                      There's no point in having the most complicated key in the world to a lock if the lock is attached to a screen door.

                      Any security system worth paying for has a lockout if more than X number of attempts are made. If you're locked out after 3 failures or 5 failures, or you can only make 3 attempts to log in per hour, the password cannot be brute forced.

                      Password reset questions are terrible as well. My favorite food? Favorite movie? It depends on when you ask me. Where I was born? That is public information, so it is not a secure test.

                      Allow me to type in my own challenge. It's trivial to have a challenge be utterly meaningless except to me. And the answer is also nonsensical, except in the context of only me. That way the challenge question and answer stay constant, and it cannot be looked up.



                      • #12
                        Quoth Hyndis View Post
                        The problem with passwords of that level is that all it does is encourage people to write it down on a post-it note. If the password cannot be remembered by a human brain then it gets written down, and so it becomes less secure than if you used a short, simple password.

                        Also I'm not sure of any reasonably complex password being a point of failure. By reasonably complex, I mean fancier than 12345 or password. These days it's either social engineering that gets you through a password barrier, or a stupid server admin who keeps all of the passwords stored in plain text on some unprotected computer.

                        There's no point in having the most complicated key in the world to a lock if the lock is attached to a screen door.

                        Any security system worth paying for has a lockout if more than X number of attempts are made. If you're locked out after 3 failures or 5 failures, or you can only make 3 attempts to log in per hour, the password cannot be brute forced.

                        Password reset questions are terrible as well. My favorite food? Favorite movie? It depends on when you ask me. Where I was born? That is public information, so it is not a secure test.

                        Allow me to type in my own challenge. It's trivial to have a challenge be utterly meaningless except to me. And the answer is also nonsensical, except in the context of only me. That way the challenge question and answer stay constant, and it cannot be looked up.

                        Honestly, I think the most important thing right now is to use different passwords on different systems. You can be SURE that at least one web site/cloud service/bank/whatever that you use will have a password compromise in the next N years (where N is a small number).

                        Even if it's not a plain-text compromise, it doesn't take long for the bad guys to crack large numbers of encrypted passwords. If you keep the passwords different for every site/bank/whatever, then they ONLY get access to the place they stole the passwords from (which is likely a low-security outfit like a web site forum or something). As long as you have different passwords everywhere, the damage they can do is limited.

                        As to writing them down: At this point, unless you have a comparatively small number of accounts and things, this pretty much has to happen. I use an encrypted DB for the purpose, but I've got accounts on more sites than I can shake a stick at, and I can't possibly keep them all straight without writing stuff down.
                        Life: Reality TV for deities. - dalesys



                        • #13
                          There's a reason whenever I change my Battle.net password I keep it written down for a couple of days. I'm quite certain I would lock out my account because I can't even remember the security questions, let alone the answers!
                          I AM the evil bastard!
                          A+ Certified IT Technician



                          • #14
                            Quoth Dreamstalker View Post
                            I also have fun with security-question answers. I figure that the real answers can be ferreted out by anyone with enough time, so I'll munge them to be technically correct, but far enough off that the 'usual' answers anyone else would find doesn't work (combine pets' names, favorite movie in a specific genre, etc).
                            The registrar I hold my domain through changed their security question setup a few years ago. Instead of a single free-form (user writes the question and the answer) question, you now had to pick 3 from a list of predefined questions. What probably happened was that too many people got "cute" and forgot what answer went with the question - but by having predefined questions, it's less secure (since the info could be obtained by "data mining"). My free-form that I could no longer use wouldn't make sense to anyone but myself - you'd need to have worked at a previous employer to realize that the question was actually referring to a brand name for a piece of equipment.
                            Any fool can piss on the floor. It takes a talented SC to shit on the ceiling.



                            • #15
                              I managed to get a neat pattern happening at work. I set up the following as my first password:

                              Abc123,./

                              This fulfils almost every possible category (capitals, numbers, symbols, etc) that a password needs. Once that password expires, I move to the next group:

                              Def123,./
                              Ghi123,./

                              etc

                              You NEVER get a repeat since there are 26 letters in the alphabet, and it's a neat pattern for the fingers on the keyboard as well. I highly recommend it if anyone is looking for a password sequence to use.
                              "Bring me knitting!" (The Doctor - not the one you were expecting)
