
New Re: Let's say I'm a bad guy
If I'm the bad guy, I love policies like this. By making passwords harder to remember, people are pretty much forced to write their passwords down. All I need to do is get access to their offices, where I can look at the post-its on their monitors, look under their keyboards, or open their desk drawers.
New BINGO!
If you have a strong password initially and you have a lockout after a few attempts, there is no point in constantly changing unrememberable passwords. It just makes things worse.
New Yep, during security audit at gov agency I worked at
the investigators explained they came up with over 50 valid logins without ever turning on a computer just by walking around the office after hours.
"Whenever you find you are on the side of the majority, it is time to pause and reflect"   --Mark Twain

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."   --Albert Einstein

"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses."   --George W. Bush
New What's the alternative?
I hear the chorus, "this is stupid. it's too hard to remember. bad guys might take advantage of it." What alternative do you propose? What do you think will be simple enough that users won't write down passwords on post-its? In my experience, there is no such animal. They will do that even if you only require a single character.
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken

Support our troops, Impeach Bush.
D. D. Richards
New Yeabut requiring frequent changes makes it worse.
A reasonably complex password is required, but realistically it's probably necessary - in addition - to have an audit policy in place. Is there suspicious usage of accounts? Are accounts being used in new and unexplained ways?

I don't know how you'd do that in an automated fashion that would be smart enough to catch unusual usage. I expect that few companies would be willing to dedicate a person or more to watching account activity.

Maybe an additional statement like: "All activity on the corporate computers may be logged. You are responsible for the security of your account. Treat it like your Social Security number..." would help people to take passwords seriously.

IMO, having a reasonably complex password that people can remember is much more important than changing them every 30 days. If they're complex and frequently change, then people will make cheat sheets. If things are audited, then I think yearly password changes are more than sufficient (and/or requiring changes when people leave).

Cards or fingerprint readers are probably much more secure than complex, frequently changed passwords, given human nature.

My $0.02.

Cheers,
Scott.
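One way to automate the kind of account audit Scott asks about, as an added example that is not code from the thread or from IWETHEY: it learns which workstations each account normally logs in from, then flags logins from new hosts, logins outside business hours, and the "5 bad passwords" lockout the thread mentions. The log format, the sample lines, and the 07:00-19:59 working window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from any real system). Assumed format:
# "<ISO timestamp> user=<account> host=<workstation> result=<ok|fail>"
BASELINE_LOG = [
    "2006-03-01T09:05:00 user=alice host=ws-17 result=ok",
    "2006-03-02T08:58:00 user=alice host=ws-17 result=ok",
    "2006-03-01T10:30:00 user=bob host=ws-04 result=ok",
    "2006-03-02T13:45:00 user=bob host=ws-09 result=ok",
]
REVIEW_LOG = [
    "2006-03-06T09:01:00 user=alice host=ws-17 result=ok",  # routine
    "2006-03-06T23:40:00 user=alice host=ws-31 result=ok",  # new host, late
    "2006-03-07T09:15:00 user=bob host=ws-04 result=fail",
    "2006-03-07T09:15:10 user=bob host=ws-04 result=fail",
    "2006-03-07T09:15:20 user=bob host=ws-04 result=fail",
    "2006-03-07T09:15:30 user=bob host=ws-04 result=fail",
    "2006-03-07T09:15:40 user=bob host=ws-04 result=fail",
    "2006-03-07T09:16:00 user=bob host=ws-04 result=ok",    # after 5 fails
]
WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal activity
LOCKOUT_THRESHOLD = 5      # "Account locked after 5 bad passwords"

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec

def build_baseline(lines):
    """Record the workstations each account successfully used before."""
    hosts = defaultdict(set)
    for rec in map(parse, lines):
        if rec["result"] == "ok":
            hosts[rec["user"]].add(rec["host"])
    return hosts

def audit(lines, baseline):
    """Return (user, reason) findings worth a human's attention."""
    findings, failures = [], defaultdict(int)
    for rec in map(parse, lines):
        user, host, hour = rec["user"], rec["host"], rec["time"].hour
        if rec["result"] == "fail":
            failures[user] += 1
            if failures[user] == LOCKOUT_THRESHOLD:
                findings.append((user, f"lockout: {LOCKOUT_THRESHOLD} consecutive failures"))
            continue
        if failures[user] >= LOCKOUT_THRESHOLD:
            findings.append((user, "login succeeded after lockout threshold"))
        failures[user] = 0  # a success resets the failure counter
        if host not in baseline.get(user, set()):
            findings.append((user, f"new host {host}"))
        if hour not in WORK_HOURS:
            findings.append((user, f"off-hours login at {hour:02d}:00"))
    return findings
```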
New As I said before
I would prefer complex passwords with a lengthy expiration. I am constrained by corporate policy in this matter and can only relay to my users the requirements.
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken

Support our troops, Impeach Bush.
D. D. Richards
New Understood. :-)
New single signon with a 90 day passwd expiration
8 char minimum, must contain alphanumeric and one special character. Pine4est! Me1ikebeer! as examples.
thanx,
bill
All tribal myths are true, for a given value of "true" Terry Pratchett
[link|http://boxleys.blogspot.com/|http://boxleys.blogspot.com/]

Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 48 years. meep
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
New Single signon is a happy dream
I would love it if it were so but I have no expectation of it happening anytime in the near future.
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken

Support our troops, Impeach Bush.
D. D. Richards
New Problem with SSO
You now have to educate users to lock the computer when they walk away. Otherwise, anyone will have their access if they happen to catch a workstation unattended. I will not use SSO, I'd rather log in to each application/system myself.

Here SSO is being actively pushed/encouraged. All new apps MUST be SSO compatible.
A good friend will come and bail you out of jail ... but, a true friend will be sitting next to you saying, "Damn...that was fun!"
New Pretty much everyone will write it down anyways
Computer-knowledgeable people excluded (somewhat).
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
     Password policy letter - (Silverlock) - (29)
         Disagree about the expiration - (hnick) - (22)
             "feel free to adapt" - (Silverlock) - (21)
                 Re: "feel free to adapt" - (Yendor) - (19)
                     Are you sure about that? - (Silverlock) - (18)
                         Let's say I'm a bad guy - (Yendor) - (17)
                             On the other hand - (JayMehaffey)
                             Account locked after 5 bad passwords - (Silverlock)
                             You are an *incompetent* bad guy - (ben_tilly) - (3)
                                 Granted... - (Yendor) - (2)
                                     Disagree - (Silverlock)
                                     But not enough to be even remotely useful -NT - (ben_tilly)
                             Re: Let's say I'm a bad guy - (dws) - (10)
                                 BINGO! - (hnick)
                                 Yep, during security audit at gov agency I worked at - (tuberculosis)
                                 What's the alternative? - (Silverlock) - (6)
                                     Yeabut requiring frequent changes makes it worse. - (Another Scott) - (2)
                                         As I said before - (Silverlock) - (1)
                                             Understood. :-) -NT - (Another Scott)
                                     single signon with a 90 day passwd expiration - (boxley) - (2)
                                         Single signon is a happy dream - (Silverlock) - (1)
                                             Problem with SSO - (jbrabeck)
                                 Pretty much everyone will write it down anyways - (admin)
                 Make the expiration longer than that. - (ben_tilly)
         I, like it! Me being the password Nazi at work - (folkert)
         And here - (jbrabeck)
         Make 'em use Unicode. - (Another Scott) - (1)
             We've been looking at several alternatives - (Silverlock)
         Apart from the fact that passwords suck - (pwhysall)
         Bit of a late reply... - (static)