
08-07-2011, 02:06 AM
|
|
Area Manager
|
|
Join Date: Jul 2008
Location: San Jose, CA
Posts: 1,079
|
|
Quote:
Quoth wolfie
How about having your password on a permanent label (applied by the manufacturer) on the underside of your keyboard or mouse? If the model number/serial number is complex enough, it could easily fit the pattern of a "legitimate" password under company policy.
|
It's actually quite clever to use the serial number of, say, your keyboard for your password. It's already printed on the underside of the keyboard, it's a unique number, it's a very long number, and it's also hidden in plain sight.
|

08-07-2011, 04:46 PM
|
 |
The Evil Bastard
|
|
Join Date: Jul 2006
Posts: 2,473
|
|
Quote:
Quoth wolfie
Easy workaround:
Change password to temp1
Change password to temp2
Change password to temp3
Change password to temp4
Change password to temp5
Change password to temp6
Change password to last password I used
The password they want isn't among the last 6 they used, so the system thinks it's OK.
|
Not so simple. Other restrictions are usually "unable to be found in the dictionary", "letters in both upper and lower case, numbers, and symbols must be required" and "cannot resemble any prior passwords of the previous stored ones". That last one foils your idea.
__________________
 I AM the evil bastard! 
A+ Certified IT Technician
|

08-07-2011, 07:27 PM
|
 |
Pedestrian of the Apocalypse
|
|
Join Date: Jul 2008
Location: Northern Virginia
Posts: 3,516
|
|
Quote:
Quoth wolfie
How about having your password on a permanent label (applied by the manufacturer) on the underside of your keyboard or mouse? If the model number/serial number is complex enough, it could easily fit the pattern of a "legitimate" password under company policy.
|
Also something that can get you fired.
I can't say who the client is (both per CS.com rules and the contract), but if I could, you wouldn't be surprised.
Again, they don't mess around with informational security.
__________________
PWNADE(TM) - Serve up a glass today! | PWNZER - An act of pwnage so awesome, it's like the victim got hit by a tank.
There are only four Horsemen of the Apocalypse because I choose to walk!
|

08-07-2011, 08:33 PM
|
|
Area Manager
|
|
Join Date: Jul 2008
Location: San Jose, CA
Posts: 1,079
|
|
It also depends on what kind of access you're protecting.
In cases where the computer/account being protected has access to very critical information then you definitely want a strong password.
On the other hand, it's far too common for extremely strong passwords to be changed on a monthly basis that protect absolutely nothing of value.
|

08-08-2011, 12:33 AM
|
 |
Cubicle Zombie
|
|
Join Date: Oct 2007
Location: Arnold, MO
Posts: 746
|
|
Wolfie,
I believe the company has AD security set up to where they can't reset their own password more than 1 time every 24 hours.
If the person called in to the helpdesk 7 times to reset password there's ticket history + it will trigger an alert because of more than 3-4 passwords changed within 24 hours.
IT Security will get the alert and kinda put 2 and 2 together as to what the user is doing.
The only difference is that the end user would get disciplined and not the helpdesk employees who took the calls.
__________________
Fixing problems... one broken customer at a time.
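The alert described in the post above (more than 3-4 password changes within 24 hours), sketched as detection logic; this is an added example, not the poster's or their employer's tooling. The event format, account names and the threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, how the change was made.
SAMPLE_EVENTS = """\
2011-08-06T08:00:00 bwong self-service
2011-08-07T08:30:00 bwong self-service
2011-08-08T08:00:00 cdiaz self-service
2011-08-08T09:00:00 bwong self-service
2011-08-08T09:02:11 jdoe helpdesk-reset
2011-08-08T09:40:03 asmith self-service
2011-08-08T10:15:42 jdoe helpdesk-reset
2011-08-08T11:30:05 jdoe helpdesk-reset
2011-08-08T12:00:00 cdiaz helpdesk-reset
2011-08-08T12:44:19 jdoe helpdesk-reset
2011-08-08T13:58:37 jdoe helpdesk-reset
2011-08-08T15:03:50 jdoe helpdesk-reset
2011-08-08T15:09:26 jdoe helpdesk-reset
2011-08-08T16:00:00 cdiaz self-service
"""

def parse_events(text):
    """Yield (timestamp, account, source) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, account, source = line.split()
            yield datetime.fromisoformat(ts), account, source

def find_password_cycling(events, max_changes=3, window=timedelta(hours=24)):
    """Return {account: (peak_count, window_start, window_end)} for every
    account with more than max_changes changes inside any sliding window."""
    recent = defaultdict(deque)   # per-account timestamps still inside the window
    alerts = {}
    for ts, account, _source in sorted(events):
        q = recent[account]
        q.append(ts)
        while ts - q[0] >= window:        # drop changes older than the window
            q.popleft()
        if len(q) > max_changes:
            best = alerts.get(account)
            if best is None or len(q) > best[0]:
                alerts[account] = (len(q), q[0], ts)
    return alerts

if __name__ == "__main__":
    for acct, (n, start, end) in find_password_cycling(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {acct}: {n} password changes between {start} and {end}")
```

Help-desk resets and self-service changes are counted together, so spreading the changes across several calls does not avoid the threshold.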
|

08-08-2011, 01:58 PM
|
 |
Dances with Hot Peppers
|
|
Join Date: Dec 2007
Posts: 10,285
|
|
In the Navy we had interesting rules for passwords. I don't remember the actual minimum character length but we had to have a mix of capital & lower case letters, numbers, and symbols in the password.
On my second ship we also had special software we used to try cracking passwords. If the software cracked your password you had to change it. The system won't let you reuse old passwords but... if the admin does it for you then that's fine. It's not recommended but you won't get punished for it by the command.
Although I have seen a couple of Navy systems that also check to make sure you're not just tacking on an extra character to your old password. So if you used say password1 the system won't let you use password11 and might not even let you use password2 either.
But the real problem I have these days is that... many systems don't like my classic military passwords. Not because they're recycled passwords (the system can't check my navy passwords after all) but because... they're too complex.
__________________
QnV0IGEgQ29uc3RpdHV0aW9uIG9mIEdvdmVybm1lbnQgb25jZS BjaGFuZ2VkIGZyb20gRnJlZWRvbSwgY2FuIG5ldmVyIGJlIHJl c3RvcmVkLiBMaWJlcnR5LCBvbmNlIGxvc3QsIGlzIGxvc3QgZm 9yZXZlci4NCkpvaG4gQWRhbXMsIEp1bHkgMTcsIDE3NzU=
|

08-08-2011, 03:50 PM
|
 |
Pharmacist
|
|
Join Date: Sep 2009
Location: Joisey
Posts: 1,799
|
|
Quote:
Quoth Jay 2K Winger
Also something that can get you fired.
|
So enter it right to left. Or start X digits from the left, go to the end and wrap around. It won't match any number on file at $EMPLOYER that way. (And if it does, then I salute your password security.)
Problem with overly complex passwords is, if they're impossible to remember, they're going to get written down. Maybe not on the classic sticky-note-on-the-monitor, but somewhere on the person of the employee; perhaps in his wallet or stored in his smartphone, whatever. Then what happens if the employee is mugged for his access? (If your employer is as paranoid as all that, the chances are that the data they're protecting is worth criminals going after employees for it. Of course in that scenario, if they're gonna mug someone anyway, they could use various methods to extract it from him even if it's not written down.)
|

08-08-2011, 06:11 PM
|
 |
Pune Massacreeist
|
|
Join Date: Nov 2008
Location: Salsa Lake City, UT, USA
Posts: 4,369
|
|
Quote:
Quoth Shalom
Of course in that scenario, if they're gonna mug someone anyway, they could use various methods to extract it from him even if it's not written down.)
|
Years ago another contractor installed retina scan readers for access control at a local prison...
My first thought was "You'd better prove to the residents that a freshly scooped eye won't work!"
__________________
The great truths are only sold in halves, as no one will swallow them whole.
|

08-08-2011, 07:17 PM
|
 |
Pedestrian of the Apocalypse
|
|
Join Date: Jul 2008
Location: Northern Virginia
Posts: 3,516
|
|
Quote:
Quoth Shalom
Problem with overly complex passwords is, if they're impossible to remember, they're going to get written down.
|
Not mine. I have a system for remembering my passwords. And yes, I'll use some 1337-tification to mix in some numbers as well.
But good luck trying to run through a dictionary to get mine. I use words from a made-up language from a story I once started writing, and even borrowed some names from it as well. (And those names are hardly normal in the slightest.)
I'm a sneaky bastard.
__________________
PWNADE(TM) - Serve up a glass today! | PWNZER - An act of pwnage so awesome, it's like the victim got hit by a tank.
There are only four Horsemen of the Apocalypse because I choose to walk!
|

08-09-2011, 12:33 PM
|
 |
Never loses his hat!
|
|
Join Date: Oct 2006
Location: SW Ohio
Posts: 4,462
|
|
If I need a complex password, I use a block of random text (numbers, caps, and special characters included) I keep in a notebook. I then pick a four digit number as a passkey. As I use it, each digit tells me how many letters to skip in the block before putting in the next letter as part of the code. When you have the needed number of letters, I jot the length down behind the original four digits so now it looks like a six digit code. The block text stays at work, the six digit codes go in my wallet, and the generated code (or copies of the block text and code numbers) goes home with me to my locked fire safe in case the text block or six digit code gets lost/destroyed.
You may need to modify this based on security allowances and situation, but it is hard as hell to work out the password from this system unless you know what the passkey stands for.
Other useful mods to this method:
-add a decoy first number that is only used to tell you how many lines down to start in the text block
-use more digits in the passkey digits.
-Use hexadecimal in your passkey to make it look like it is the password.
__________________
The Rich keep getting richer because they keep doing what it was that made them rich. Ditto the Poor.
|