I have a question for the IT guys...

rudeguy

Lifer
Dec 27, 2001
47,371
14
61
What is you guys' fascination with passwords?

I have a password to log onto my machine at work. After I get logged into that, I have 3 different programs that I need up and I have a password for each one of those. Each program has its own "rules" for what/how many characters each password should have. Each program also has differing number of days before the password expires. All these passwords with random rules ends up meaning that I just keep a file on my desktop with a list of all my passwords. I'm sure I'm not the only person who has a "passwords" document on their desktop.

Why can't there just be one password that logs me into everything? It's not like I can get into any of the other systems without my Windows logon. There are about 10 things that run at startup that NEVER get used, why not make the 3 critical programs start up too?

Security you say? Windows locks itself if I am inactive for more than a couple minutes. The other programs also log me off if I don't use them for X amount of time. This means that generally my password file is always up because chances are I am going to use it almost as much as I use Internet Explorer.

Why not make it easier for the thousands (millions?) of us who are just trying to do our jobs?
 

jonks

Lifer
Feb 7, 2005
13,918
20
81
I'm quite sure I have no idea what you are speaking of.



(oh, not "It" guys, IT guys. my bad.)
 

rockyct

Diamond Member
Jun 23, 2001
6,656
32
91
Not to mention that when people are required to use complex passwords that must be changed, most of the time they write them down.
 

Malak

Lifer
Dec 4, 2004
14,696
2
0
The expiring passwords is retarded, but the passwords for each program is to stop other users who aren't authorized. They might be able to get into your user account, but they are much less likely to get into the program after that since the password is most likely different.

Except that is all hypothetical and the password is usually the same password with 1-0 attached to the end.
 

nageov3t

Lifer
Feb 18, 2004
42,816
83
91
my company's password policy is so retarded that it's made my passwords worse -- we have to rotate them so frequently that all I use is the same dictionary word with 1 capitalized letter and a number at the end (and every time it's new password day, I just add a +1 to the number).

but we're shifting towards using tokens for log-ins, which is a pain in the ass in its own special way.
 

Locut0s

Lifer
Nov 28, 2001
22,281
43
91
IT has gone overboard with passwords as a means of security. The more passwords you need to remember, the more often you need to change them, and the more rules you put in place to force people to use strong passwords, the more likely people are going to choose dumb passwords. Things like password1, then next week password2, etc etc... Face it this just makes things less secure.

Here is what every company should do. Make every employee have 1 or 2 passwords and force them to choose really strong passwords. These passwords NEVER expire. Everything in the entire company uses one of these 2 passwords. VERY strict punishments are put in place for divulging one's password to anyone, up to and including being fired (depending on the sensitivity of the material being worked on). Now place the VAST majority of IT security budget in building a secure infrastructure. Lock everything down. Firewall everything. Limit employees' access to only what they need. Record everything. If you follow these rules you don't really need a super secure password that changes every week. Unless you work for the military or something.
 

GeekDrew

Diamond Member
Jun 7, 2000
9,100
13
81
I'm an IT guy, and while I acknowledge the need for passwords and authentication in different apps, resources, etc., I'm a huge fan of SSO. The problem is that most apps are too stupid to utilize SSO.
 

LittleNemoNES

Diamond Member
Oct 7, 2005
4,142
0
0
It's because we need to comply with different regulations and to save your butt and the bosses.

It is a necessary evil.

Before I came in, the secretary's password was 1111
The HRO department lady's password was ... hro

Just these 2 stupid passwords put everyone's social security and bank account numbers at risk!
 

Locut0s

Lifer
Nov 28, 2001
22,281
43
91
> It's because we need to comply with different regulations and to save your butt and the bosses.
>
> It is a necessary evil.
>
> Before I came in, the secretary's password was 1111
> The HRO department lady's password was ... hro
>
> Just these 2 stupid passwords put everyone's social security and bank account numbers at risk!

Yeah but with rotating passwords every week you now have this problem

Week1:

Secretary: 111
HRO: hroA


Week1:

Secretary: 222
HRO: hroB

Week1:

Secretary: 333
HRO: hroC

Week1:

Secretary: 444
HRO: hroD

etc etc....

Just force them to choose 1 highly secure password or have one auto-generated for them. Like 1d56!. Then make sure there are really severe punishments for leaking passwords or writing them down.
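
The pattern described in the posts above (same word, counter bumped at every forced change) can be caught at password-change time, when the user supplies both the current and the new password. This is an added example, not part of the original thread; the function names are hypothetical, and the sample sequences come from the posts except for the constructed `Winter7` pair.

```python
import re

def split_counter(pw):
    """Split a password into (base, trailing digits); either part may be empty."""
    m = re.fullmatch(r"(.*?)(\d*)", pw, flags=re.S)
    return m.group(1), m.group(2)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def rotation_weakness(old, new):
    """Return why `new` is a predictable variant of `old`, or None if it is not."""
    if old.lower() == new.lower():
        return "same password (case change only)"
    old_base, old_n = split_counter(old)
    new_base, new_n = split_counter(new)
    if old_base and old_base.lower() == new_base.lower():
        return "same base word with a different trailing number"
    if len(set(old)) == 1 and len(set(new)) == 1:
        return "single repeated character"
    if edit_distance(old.lower(), new.lower()) <= 2:
        return "differs from the old password by at most two characters"
    return None

def audit_history(history):
    """Check each consecutive (old, new) pair in a list of successive passwords."""
    return [(o, n, rotation_weakness(o, n)) for o, n in zip(history, history[1:])]

if __name__ == "__main__":
    # Sequences quoted in the thread, plus one constructed unrelated replacement.
    for seq in (["password1", "password2"], ["111", "222", "333", "444"],
                ["hroA", "hroB", "hroC", "hroD"], ["Winter7", "kT9#vq2LmZ"]):
        for old, new, reason in audit_history(seq):
            print(f"{old!r} -> {new!r}: {reason or 'ok'}")
```

The comparison only works at change time because stored password hashes cannot be compared for similarity.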
 

Bateluer

Lifer
Jun 23, 2001
27,730
8
0
> Yeah but with rotating passwords every week you now have this problem
>
> Week1:
>
> Secretary: 111
> HRO: hroA
>
> Week1:
>
> Secretary: 222
> HRO: hroB
>
> Week1:
>
> Secretary: 333
> HRO: hroC
>
> Week1:
>
> Secretary: 444
> HRO: hroD
>
> etc etc....
>
> Just force them to choose 1 highly secure password or have one auto-generated for them. Like 1d56!. Then make sure there are really severe punishments for leaking passwords or writing them down.

Passwords should still be rotated after a given time. There's no need to rotate the password every 30 days, unless you're dealing with some super classified project, but to have the same password for years is idiotic.
 

LittleNemoNES

Diamond Member
Oct 7, 2005
4,142
0
0
> Passwords should still be rotated after a given time. There's no need to rotate the password every 30 days, unless you're dealing with some super classified project, but to have the same password for years is idiotic.

yeah

Through GPO my password never expires but it is pretty tough to figure out cos I use a mnemonic to remember it :awe:
 

ultimatebob

Lifer
Jul 1, 2001
25,135
2,445
126
Single Sign-on FTMW!!!!

Yeah... any Microsoft shop worth its salt should allow you to use your Active Directory ID to log onto your PC, Outlook, Network share, VPN, and Messenger accounts. Bonus points if you can use that same ID to log onto your Intranet and CRM apps as well.

UNIX shops can do similar tricks with NIS and LDAP, but it isn't nearly as easy to set up.

You're still going to need a BIOS power-on password if you want your mobile assets to be secure, but you DON'T have to have a dozen different passwords to be secure if you do it right.
 

alkemyst

No Lifer
Feb 13, 2001
83,967
19
81
I require a 40 character hash with no English words contained within, this must be updated every 7 days and include no characters in the same spots or in any same sequence.
 

Evadman

Administrator Emeritus, Elite Member
Feb 18, 2001
30,990
5
81
For some of the systems I access, I need both a password that is required to be changed every 7 days, and a password that rotates every 10 minutes on a physical device I have in my possession. Without both, I can't get in.
 

rudeguy

Lifer
Dec 27, 2001
47,371
14
61
I no longer know what the majority of my passwords are thanks to this. One passphrase to rule them all!

Did I mention that our rigs are locked down so tight that we had to fight to be able to unlock our taskbars?

It's not like I work with sensitive info or anything. Well I guess having access to people's porn watching habits is kinda sensitive...
 

Imp

Lifer
Feb 8, 2000
18,829
184
106
I have 3 different passwords at work. Two for programs I rarely use, so after forgetting one, and going through helpdesk, I wrote them down and put it on my shelf.
 

Malak

Lifer
Dec 4, 2004
14,696
2
0
> Yeah... any Microsoft shop worth its salt should allow you to use your Active Directory ID to log onto your PC, Outlook, Network share, VPN, and Messenger accounts. Bonus points if you can use that same ID to log onto your Intranet and CRM apps as well.

When I was in IT, that's how we handled it. All our apps were developed in-house and designed to only allow specific users access.
 

alkemyst

No Lifer
Feb 13, 2001
83,967
19
81
> Did I mention that our rigs are locked down so tight that we had to fight to be able to unlock our taskbars?
>
> It's not like I work with sensitive info or anything. Well I guess having access to people's porn watching habits is kinda sensitive...

The idea of locking a taskbar is to keep the IS staff from handling calls on "why is my taskbar [so big, gone, on the top of the screen, has all these icons on it/has no icons on it]" etc.

Windows policies <> password
 