IWETHEY v. 0.3.0

No it won't
mydogsname1
mydogsname1a
mydogsname2
...

Yes, I've seen it.

We tried to turn on a Novell option to disallow re-using a substantially similar password within a certain time period. "Substantially similar" and "certain time" being tunable. No combination worth using was ever deemed acceptable by those paying the salaries of the IT department.
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
We had a password incident at a client of a former employer.
It was a school. All staff and all users had logins into the Intranet system they licensed from us. We had length and expiry checking on the password for a long time.

And then a sizable number of the students discovered a lot of the staff were using their first names as their password.

So at their request, we ran a password cracker over their passwords. There were a lot of *really bad* passwords. A lot of staff got into trouble, particularly those who'd been compromised because they picked a poor password.

We added some stronger password checking after that, mostly the standard checklist items - mixed case, numbers and letters - but it also checked a lot of known information about the user (names, aliases, relatives, phone numbers, etc etc - because the app had it anyway), and it also encouraged long passwords. My boss tested it with a 70-character password at one demonstration. It wasn't foolproof, but it got rid of almost all of the "easy" passwords. We also made sure we pointed out that human stupidity was more to blame.

Wade.

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

New "... sizable number of the students ..." == "all who cared"
And your point was...?
You seem determined to play the "it can't work" hand and I'm damned if I can figure out why.

Security is a Risk Analysis game - it always has been. To do it correctly, password policy should be subject to that. If the potential damage from using accounts with poor passwords is low and/or unlikely, then you have a low risk situation. Little need to enforce 70-character passwords. If the potential damage* is high, but only to a very small number, thus reducing the likelihood, then the risk is not really increased a great deal. And so on. Sometimes, bad passwords and poor controls are actually not a problem. Even in a corp.

Wade.

* Sometimes the damage is more ephemeral than real. People's egos, for instance.


Wasn't meaning to say that
I just thought it was two funny anecdotes. Mine, a place that the IT people weren't allowed to implement a reasonable password policy; yours, a place that got the password religion after a bad breakage.

All I meant by my last comment was that in a school environment if one kid knows how to crack the teachers' accounts he can make mischief. Once two kids know about it everyone knows about it in short order.
Ah -- alright then.
You're right: two funny anecdotes.

I agree about the school students: once a few discovered it, it was indeed all over the school in short order. :-) Incidentally, a similar thing also happened at another school, although there it was a direct result of a bad default password policy set by their IT guy. Over our objections. All we could do when it happened was say "We told you so".

Wade.


     Complex Password Primer for Users? - (SpiceWare) - (19)
         My Advice - (pwhysall) - (2)
             not an option - (SpiceWare)
             More on phrases - (FuManChu)
         Re: Complex Password Primer for Users? - (Steve Lowe) - (13)
             And you know, it's 100% right. - (pwhysall) - (10)
                 No argument - (Steve Lowe) - (9)
                     Teehee - (pwhysall) - (8)
                         That's another weakness - (Silverlock) - (7)
                             30 days is not onerous. - (static) - (6)
                                 No it won't - (drewk) - (5)
                                     We had a password incident in a client of a former employer. - (static) - (4)
                                         "... sizable number of the students ..." == "all who cared" -NT - (drewk) - (3)
                                             And your point was...? - (static) - (2)
                                                 Wasn't meaning to say that - (drewk) - (1)
                                                     Ah -- alright then. - (static)
             Bingo! - (SpiceWare) - (1)
                 Also. - (static)
         Got this from 'fortune' - (imric)
         I've seen 3 methods - (Steven A S)
