
Passwords...AAAARRRGGGHHH!!!!

farmkid

Commodore
So I started a new job at a university about 6 months ago. I set up my email account, etc. and everything was just fine. Today, however, I get an automated email telling me that my password hasn't been changed in 6 months, so I need to change it in the next week or it will be disabled. Apparently it needs to be changed every 6 months. And, the passwords must conform to certain rules:
Minimum of 8 characters.
Maximum of 16 characters.
Start with an alpha character (a-z or A-Z).
Use at least 3 non-alpha characters (numbers or symbols).
Numbers cannot be repeating (222).
Numbers cannot be a sequence (456).
Numbers cannot be a sequence (001 - 009).
Cannot contain any user account name.
Cannot contain common words and names that may be used by hackers.
Cannot be one of your last 4 passwords on the system.
So now I have to make up another password that conforms to all those rules and then remember it. Repeat every six months.

This kind of thing pisses me off. I realize the IT people are just trying to keep everyone's email secure, but why? No one has any reason to hack into my email, and even if they did, there's nothing there of any value to anyone else. This isn't the NSA. Why the extreme levels of security?

I remember reading an article some time ago written by some computer security guy who suggested that these kinds of things actually decrease computer security. Requiring passwords to be so arcane and making people change them often means that people will begin to write them down because they just can't remember them.

Please people, can we please just lower the security for things like work email accounts so that users can actually, you know, use them?
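The ten rules quoted in the post above are the kind of thing an account system checks at password-change time. The following is an added example written for this thread, not code from the university's IT department or from any poster: a small checker that applies each of those rules to a candidate password and reports every rule it breaks. Where a rule is ambiguous it makes a labelled assumption (three-digit runs for "repeating" and "sequence", descending runs treated like ascending ones, "001 - 009" read as any run starting with two zeros), and the common-word list and username are constructed stand-ins.

```python
import hashlib
import re

# Constructed stand-in for the "common words and names" blocklist in rule 9.
COMMON_WORDS = {"password", "welcome", "letmein", "trek", "enterprise"}

# Any run of three or more consecutive digits is examined for rules 5-7.
DIGIT_RUN = re.compile(r"\d{3,}")


def _bad_digit_run(run: str) -> bool:
    """True if any 3-digit window is repeating (222), a sequence (456)
    or of the 00x form (001-009).  Assumptions: 'sequence' means three
    consecutive digits, and descending runs (654) are banned as well."""
    for i in range(len(run) - 2):
        a, b, c = (int(ch) for ch in run[i:i + 3])
        if a == b == c:                      # rule 5: repeating digits
            return True
        if b == a + 1 and c == b + 1:        # rule 6: ascending sequence
            return True
        if b == a - 1 and c == b - 1:        # assumption: descending too
            return True
        if a == 0 and b == 0:                # rule 7: 001 - 009
            return True
    return False


def password_digest(candidate: str) -> str:
    """Digest used for the 'last 4 passwords' history (rule 10).
    Unsalted SHA-256 is enough for this demo; a real history store
    would keep salted, slow hashes (bcrypt/scrypt/argon2)."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def check_password(candidate: str, username: str, previous_hashes: list) -> list:
    """Return a list of rule violations; an empty list means the
    candidate satisfies every rule quoted in the post."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if len(candidate) > 16:
        problems.append("longer than 16 characters")
    if not re.match(r"[A-Za-z]", candidate):
        problems.append("does not start with an alpha character")
    non_alpha = sum(1 for ch in candidate if not re.match(r"[A-Za-z]", ch))
    if non_alpha < 3:
        problems.append("fewer than 3 non-alpha characters")
    if any(_bad_digit_run(run) for run in DIGIT_RUN.findall(candidate)):
        problems.append("digits form a repeated, sequential or 00x run")
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if password_digest(candidate) in previous_hashes[-4:]:
        problems.append("matches one of the last 4 passwords")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's last password, kept as a digest.
    history = [password_digest("Bowgus2K9Q4")]
    for pw in ("Bowgus2K9Q4", "password123", "Farmkid9#1", "Trek222!x"):
        print(pw, "->", check_password(pw, "farmkid", history) or "OK")
```

The checker deliberately returns every violated rule rather than stopping at the first one, since a user who has to satisfy ten constraints at once is helped far more by a complete list than by a bare "password not complex enough".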
 
They're probably trying to be SAS70 compliant or something. I've had to do the same thing.

What you have to do is develop a system for generating passwords that you will remember. A good one would be to take a word, misspell it, and then represent the current year and quarter. Example:

Bowgus2K9Q4

Next year you could use "2010Q1" but since you can't have repeating digits, use "2K9" for this year.

Anyway, that's what I did. Nobody ever hacked my accounts, either.
 
In some ways that's even more strict than the requirements we have here on Secret-level classified networks. (12 characters minimum, one number, one lowercase, one uppercase, one symbol.)
 
What's SAS70?

It's an auditing standard. Companies that want/need to comply with Sarbanes-Oxley (SOX) must use some auditing standard to document and verify their internal processes. This is required of public companies and their vendors.

It's one of many standards a company or a department within a company might use to ensure compliance.

So, it's not enough to have a process in place to secure your computer networks, you have to have it documented and audited, as well.
 
Blonde Password

During a recent office password audit, it was found that a blonde was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

When asked why such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
 
That's a little excessive. They let mine be whatever I want to make it. I've had the same one that I've had for the last 5 years. :lol:

My Facebook password I do change quite a bit because I realize it's easily phished.
 
They're probably trying to be SAS70 compliant or something. I've had to do the same thing.

What you have to do is develop a system for generating passwords that you will remember. A good one would be to take a word, misspell it, and then represent the current year and quarter. Example:

Bowgus2K9Q4

Next year you could use "2010Q1" but since you can't have repeating digits, use "2K9" for this year.

Anyway, that's what I did. Nobody ever hacked my accounts, either.

That's what I do: I just develop a personal "core" password and then adapt it for the rules. Therefore all I have to do is remember one password and then look at the rules to configure it to the system.
 
Both of the main passwords I use meet that list but having to change my password at regular intervals would be pretty annoying.
 
I do tend to change my "main" password every six months or so, and they are combinations of (special) characters and numbers. However, for sites where I'm not so concerned with security, I tend to use older passwords. I also often incorporate expired PINs into those passwords. E.g. a new password might be a combination of an old PIN and an old password.

Basically, if I sign up to, say, a random developer forum to report a bug, I'll probably use a password that's easy to remember/hack (in particular cases, I may even use a "word" as part of a password). If it's an e-commerce site or one I use regularly, the level of sophistication increases quite a bit.

It's always a trade-off between me being able to remember a password without writing it down (insecure) and choosing a simpler password (also insecure).

I do make an effort to keep at least three "secure" passwords ready at all times. One for passwords to email accounts and the like, one for e-commerce stuff, another for commonly visited sites. It's a bit of work, but I think it's worth it as a precaution.


PS: Yeah, try googling and hacking old accounts of mine. Good luck with that info. ;)
 
As someone who deals with that sort of thing on a regular basis, it's really not that hard once you start substituting 1's for I's, @'s for a's, etc. And if my experiences are any indication you'll be memorizing the password faster than you would have expected.

Working for a bank is fun. I get to send out our SAS 70, though I have no idea what it really contains.
 
For personal stuff I have a "base password" and then a combination of numbers after it that means something to me (my high school locker combo) in cases where numbers/a longer password are needed.

For the work computer I've got a separate password, a simple dictionary word with a number after it that goes up by 1 every time I'm requested to change it. I do this due to subordinates needing to get into the computer too, so it's a simple password system we can all fairly easily remember, and nothing greatly sensitive is on the computer anyway. The manager account is my own password system as there are ways to screw with pricing and other sensitive things through the management programs.

The password restrictions in the OP are over-the-line for anything that doesn't deal with greatly sensitive info.
 
In some ways that's even more strict than the requirements we have here on Secret-level classified networks. (12 characters minimum, one number, one lowercase, one uppercase, one symbol.)

Maybe in your case they think that length with some complexity will make life easier for staff and IT Support than shorter passwords with greater complexity.

Cos I'm sure someone with the requisite math skills will be able to tell how many extra combinations having a minimum of 12 instead of 8 characters will make.
 
Here at Abbott Labs, we have to change our network & MAXIMO passwords every 90 days, so that's when I change all my online ones since I use that same P/W everywhere on the net.

Problem is, COGNOS wants a "special character" like one of these: #$%^&*, so I just add that to the same P/W as I have for the other areas.

Then I get this "password not complex enough" crap from Lotus Notes, so that one is the only non-standard one in the bunch, at least the standard L/N and not the web-based version which uses the network ID & P/W.

Now some of the apps have longer memories than others, so I can't go back to xxxxx1 after I've used all the numbers up to 9 at the end of the same word.
 
Ha, you should try some of the stuff I have to do. 14 character minimum, 2 caps, 2 special, 2 numbers, every 60 days, can't use your last 60 passwords (or some big number), and a few other things I can't remember.

The military is retarded like that. Require such a complex password, but then it's so messed up that either people are constantly locked out, or they have to write it down next to (or on) the computer in order to use it. I pretty much have to get my SIPRNET password reset every time I need to log in, because I only use it about once a month, on average, so never remember it...

If it only remembers your last 4 passwords, you're golden. You just change it to 4 random things in a row, and then change it back to the one you remember on the 5th try. ;)
 
Ours remembers at least the last 20, maybe more. Hard to recall how long I was using a particular string.

My favorite memory was when the tech support guy locked himself out of the system. Yeah, our support people are in fact as dumb as most in the outside world.
 
Where I work it's about like that, other than it's every 3 months, and it can NEVER be an old password.
At a place I used to work for I had the same user/password for 10 years.
 
Ha, you should try some of the stuff I have to do. 14 character minimum, 2 caps, 2 special, 2 numbers, every 60 days, can't use your last 60 passwords (or some big number), and a few other things I can't remember.

The military is retarded like that. Require such a complex password, but then it's so messed up that either people are constantly locked out, or they have to write it down next to (or on) the computer in order to use it. I pretty much have to get my SIPRNET password reset every time I need to log in, because I only use it about once a month, on average, so never remember it...

If it only remembers your last 4 passwords, you're golden. You just change it to 4 random things in a row, and then change it back to the one you remember on the 5th try. ;)

Luckily, I just use my issued security card to get into all of the systems that I need to.
 
My brother told me about password strategy that I'm trying this time around. The idea is to base the password on a pattern on the keyboard, rather than the actual characters in the password. Here's an example: zaq1XSW@ Type it and you'll see what I mean. In most cases, such a pattern is simpler to remember than the actual characters.
 