Post #187,543
12/20/04 2:52:36 PM
|
And you know, it's 100% right.
It's also doomed to failure in the workplace.
While you and I know all about the theory of picking good passwords, the harsh reality is that it just isn't going to happen.
It's incredibly hard to enforce and the smart thing to do is go down the biometric route with a fingerprint reader. However, if you're determined to enforce a password regime that will result in POAPIs [0] all over the place, a program like [link|http://www.adel.nursat.kz/apg/|apg] can help.
[0] Password On A Post-It. You saw it here first.
Peter [link|http://www.ubuntulinux.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Home] Use P2P for legitimate purposes!
|
Post #187,546
12/20/04 3:01:13 PM
|
No argument
However, it sounds as if the password policy came from on high at Darrel's firm, as it does at my place of employ. And I've seen many POAPIs in the building.
-- Steve
|
Post #187,548
12/20/04 3:18:24 PM
|
Teehee
I think he'll just have to settle for changing passwords for people an awful lot, then :-)
Peter [link|http://www.ubuntulinux.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Home] Use P2P for legitimate purposes!
|
Post #187,599
12/20/04 8:01:39 PM
|
That's another weakness
What criteria are to be used when verifying the person calling you on the phone is who they say they are? A company (not mine, nothing to see here, move along) I know of has several thousand users. A few dozen different groups are responsible for different business units' admin work. All users will soon be required to use complex passwords with 30 day expirations (30 days? Sheesh.) but we, I mean they, don't have any methods in place to verify a user's ID before doing a password reset. Recognizing voices is not a valid substitute.
----------------------------------------- How do you convince a Washington Journalist that you're not slapping him in the face?
Tell him you're not.
|
Post #187,611
12/20/04 9:24:26 PM
|
30 days is not onerous.
When I entered my first place of work doing IT, we had 30 day expiries on *all* passwords. It just wasn't argued about. I got so used to 30 day expiries that seeing longer expiries in other places made me feel funny.
Unfortunately, there is another problem with 30 days: people put months in their passwords. A password history of 13 doesn't work because then they put the year in, too. Perhaps it needs to be 25 days - this will put the monthers out of step within a few months....
Wade.
Is it enough to love / Is it enough to breathe / Somebody rip my heart out / And leave me here to bleed / Is it enough to die / Somebody save my life / I'd rather be Anything but Ordinary / Please
-- "Anything but Ordinary" by Avril Lavigne.
|
Post #187,613
12/20/04 9:29:21 PM
|
No it won't
mydogsname1 mydogsname1a mydogsname2 ...
Yes, I've seen it.
We tried to turn on a Novell option to disallow re-using a substantially similar password within a certain time period. "Substantially similar" and "certain time" being tunable. No combination worth using was ever deemed acceptable by those paying the salaries of the IT department.
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats]. [link|http://DocHope.com|http://DocHope.com]
|
Post #187,616
12/20/04 9:42:16 PM
|
We had a password incident at a client of a former employer.
It was a school. All staff and all users had logins to the Intranet system they licensed from us. We had length and expiry checking on the password for a long time.
And then a sizable number of the students discovered a lot of the staff were using their first names as their password.
So at their request, we ran a password cracker over their passwords. There were a lot of *really bad* passwords. A lot of staff got into trouble, particularly those who'd been compromised because they picked a poor password.
We added some stronger password checking after that, mostly the standard checklist items - mixed case, numbers and letters - but it also checked a lot of known information about the user (names, aliases, relatives, phone numbers, etc etc - because the app had it anyway), and it also encouraged long passwords. My boss tested it with a 70-character password at one demonstration. It wasn't foolproof, but it got rid of almost all of the "easy" passwords. We also made sure we pointed out that human stupidity was more to blame.
Wade.
|
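The three checks the thread circles around (the Novell "substantially similar to a previous password" option a few posts up, the month-name and year habit from the 30-day post, and the school intranet checker Wade describes that tested mixed case, digits and the user's own names and phone numbers while still allowing long passphrases) can be sketched as one policy function. This is an added example, not code from the thread, from Novell or from that intranet product. The thresholds, rule names, the `SAMPLE_USER` record and the use of a clear-text `history` are assumptions made for illustration: a real store holds hashes, so exact reuse is checked by hashing, and the similarity rule can only be applied to the old password the user types during the change.

```python
import difflib
import re

# Assumed thresholds, not from the thread; tune to the risk of the system.
MIN_LENGTH = 8
LONG_PASSPHRASE = 16      # at or above this length the character-class rules are waived
SIMILARITY = 0.8          # difflib ratio at which two letter cores count as "the same"
MIN_TOKEN = 4             # shortest personal-info word worth matching (3 letters false-positive too much)

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Abbreviations only count when a digit follows them ("dec04"), to avoid hitting "marble".
MONTH_ABBR_RE = re.compile(r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\d")
YEAR_RE = re.compile(r"(19|20)\d\d")


def letters_only(s):
    """Lower-case and keep only a-z, so 'Fido1', 'fido2a' and 'FIDO!' collapse to 'fido'."""
    return re.sub(r"[^a-z]", "", s.lower())


def digits_only(s):
    return re.sub(r"\D", "", s)


def too_similar(new, old):
    """True when the letter cores nearly match: mydogsname1 vs mydogsname1a vs mydogsname2."""
    a, b = letters_only(new), letters_only(old)
    if not a or not b:
        return new.lower() == old.lower()
    return difflib.SequenceMatcher(None, a, b).ratio() >= SIMILARITY


def personal_tokens(user):
    """Flatten what the application already knows about the user into word and number tokens."""
    words, numbers = [], []
    for value in user.values():
        for item in (value if isinstance(value, (list, tuple)) else [value]):
            item = str(item)
            word, number = letters_only(item), digits_only(item)
            if len(word) >= MIN_TOKEN:
                words.append(word)
            if len(number) >= 4:
                numbers.append(number)
    return words, numbers


def check_password(candidate, user, history=()):
    """Return the list of rules the candidate breaks; an empty list means accept.

    `history` is prior passwords in clear only so the similarity rule can be shown
    (assumption for the example; a real system compares hashes for exact reuse and
    can only run the similarity test against the old password typed at change time).
    """
    problems = []
    core, digits = letters_only(candidate), digits_only(candidate)

    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(candidate) < LONG_PASSPHRASE:      # long passphrases are encouraged by waiving these
        if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
            problems.append("needs mixed case")
        if not digits:
            problems.append("needs a digit")

    # The "monthers": month names and years that simply track the expiry cycle.
    if any(m in core for m in MONTHS) or MONTH_ABBR_RE.search(candidate.lower()):
        problems.append("contains a month name")
    if YEAR_RE.search(candidate):
        problems.append("contains a year")

    # Names, relatives, phone numbers: the data the app already holds about the user.
    words, numbers = personal_tokens(user)
    if any(w in core for w in words) or any(n in digits or n[-4:] in digits for n in numbers):
        problems.append("contains personal information")

    for old in history:
        if candidate.lower() == old.lower():
            problems.append("reuses a previous password")
            break
        if too_similar(candidate, old):
            problems.append("too similar to a previous password")
            break
    return problems


# Constructed sample user record for the example; not a real person.
SAMPLE_USER = {
    "first_name": "Darrel",
    "last_name": "Smith",
    "relatives": ["Fido", "Anne"],
    "phone": "555-0123",
}

if __name__ == "__main__":
    for pw in ("mydogsname2", "Fido2004!", "December04x", "Spaghetti-Monster eats 42 pancakes"):
        print(repr(pw), check_password(pw, SAMPLE_USER, history=["mydogsname1"]))
```

The similarity test works on the letter core rather than the raw string, which is what defeats the `mydogsname1`, `mydogsname1a`, `mydogsname2` sequence; the price is that it needs the old password in clear, which is exactly why products can only run it at change time and why the thread's 13-entry history could not catch the year-suffix trick on its own.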
Post #187,620
12/20/04 9:57:42 PM
|
"... sizable number of the students ..." == "all who cared"
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats]. [link|http://DocHope.com|http://DocHope.com]
|
Post #187,622
12/20/04 10:10:33 PM
|
And your point was...?
You seem determined to play the "it can't work" hand and I'm damned if I can figure out why.
Security is a Risk Analysis game - it always has been. To do it correctly, password policy should be subject to that. If the potential damage from using accounts with poor passwords is low and/or unlikely, then you have a low risk situation. Little need to enforce 70-character passwords. If the potential damage* is high, but only to a very small number, thus reducing the likelihood, then the risk is not really increased a great deal. And so on. Sometimes, bad passwords and poor controls are actually not a problem. Even in a corp.
Wade.
* Sometimes the damage is more ephemeral than real. People's egos, for instance.
|
Post #187,623
12/20/04 10:15:30 PM
|
Wasn't meaning to say that
I just thought it was two funny anecdotes. Mine, a place that the IT people weren't allowed to implement a reasonable password policy; yours, a place that got the password religion after a bad breakage.
All I meant by my last comment was that in a school environment if one kid knows how to crack the teachers' accounts he can make mischief. Once two kids know about it everyone knows about it in short order.
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats]. [link|http://DocHope.com|http://DocHope.com]
|
Post #187,624
12/20/04 10:46:23 PM
|
Ah -- alright then.
You're right: two funny anecdotes.
I agree about the school students: once a few discovered it, it was indeed all over the school in short order. :-) Incidentally, a similar thing also happened at another school, although there it was a direct result of a bad default password policy set by their IT guy. Over our objections. All we could do when it happened was say "We told you so".
Wade.
|