I have a question for the IT guys...

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

guyver01

Lifer
Sep 25, 2000
IT has gone overboard with passwords as a means of security. The more passwords you need to remember, the more often you need to change them, and the more rules you put in place to force people to use strong passwords, the more likely people are going to choose dumb passwords.

Depending on the company, there's a little law called Sarbanes-Oxley, and it has password requirements for systems that contain Sensitive User Information.


Here’s a basic list of what constitutes that vague term (I probably left some out):
  • Account number and identifiers
  • Customer numbers
  • User names
  • Credit card or bank information of any kind
  • Passwords
  • Private messages and blog posts
  • Wage information
  • Social security and driver’s license numbers
  • Birthdates
SOX compliance requires:

User sessions should not be identified using cookies or IP addresses

Strong passwords (more than 8 characters, mixed alphanumeric and special characters, mixed upper- and lower-case) should be enforced if users select their own passwords.

Anyone who has access to the production database should be required to change their password at least every 90 days

Security violations (such as a user entering the wrong password three times in a row) should be logged to a secure location and reviewed by the company Security Officer on a regular basis

amongst a whole list of other requirements.

IT doesn't make this stuff up. We're required by law to follow it.

Believe me, I don't want you calling daily because you can't remember your password because it's too complicated.
 

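The "wrong password three times in a row" item in the list above is the one requirement that turns directly into detection logic. The following is an added example, not code from the post or from any SOX guidance: it scans a constructed, made-up audit log format (the `LOGIN user= result= src=` line shape, the field names and the threshold are all assumptions), tracks consecutive failures per user, resets the streak on a successful login, and emits one alert record per streak that reaches the threshold, which is what would then be written to the protected log and handed to the reviewer.

```python
"""Consecutive-failed-login detector: added example, not from the thread.

The log format below is invented for the demo; adapt LOG_RE to the real source
(Windows Security event 4625, sshd, an application's audit table, ...)."""
import re
from collections import defaultdict

THRESHOLD = 3  # "wrong password three times in a row", as in the post

# Assumed line shape: "<date> <time> LOGIN user=<name> result=OK|FAIL src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed sample log: alice recovers after two typos, bob fails four times,
# carol's failures come from three different sources, plus one junk line.
SAMPLE_LOG = """\
2009-12-28 09:01:12 LOGIN user=alice result=FAIL src=10.0.0.5
2009-12-28 09:01:20 LOGIN user=alice result=FAIL src=10.0.0.5
2009-12-28 09:01:31 LOGIN user=alice result=OK src=10.0.0.5
2009-12-28 09:02:02 LOGIN user=bob result=FAIL src=10.0.0.9
2009-12-28 09:02:10 LOGIN user=bob result=FAIL src=10.0.0.9
2009-12-28 09:02:18 LOGIN user=bob result=FAIL src=10.0.0.9
2009-12-28 09:02:25 LOGIN user=bob result=FAIL src=10.0.0.9
2009-12-28 09:03:00 LOGIN user=carol result=FAIL src=10.0.0.20
2009-12-28 09:03:05 LOGIN user=carol result=FAIL src=10.0.0.21
2009-12-28 09:03:09 LOGIN user=carol result=FAIL src=10.0.0.22
garbage line that does not parse
""".splitlines()


def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_violations(lines, threshold=THRESHOLD):
    """Return (alerts, unparsed_count).

    One alert is raised per user the moment a streak of `threshold`
    consecutive failures is reached; later failures in the same streak update
    that alert's counters instead of raising a new one.  A successful login
    resets the user's streak, so two bad guesses followed by the right
    password are noise, not a violation.
    """
    streak = defaultdict(int)
    sources = defaultdict(set)
    open_alert = {}   # user -> alert dict still accumulating failures
    alerts = []
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1   # a line the parser cannot read is itself worth a look
            continue
        user = ev["user"]
        if ev["result"] == "OK":
            streak[user] = 0
            sources[user].clear()
            open_alert.pop(user, None)
            continue
        streak[user] += 1
        sources[user].add(ev["src"])
        if user in open_alert:
            open_alert[user]["failures"] = streak[user]
            open_alert[user]["sources"] = sorted(sources[user])
        elif streak[user] >= threshold:
            open_alert[user] = {
                "time": ev["ts"],
                "user": user,
                "failures": streak[user],
                "sources": sorted(sources[user]),
            }
            alerts.append(open_alert[user])
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = find_violations(SAMPLE_LOG)
    for a in found:
        print(a)
    print(f"{skipped} unparsable line(s)")
```

The per-user streak is exactly the rule as worded, which also shows its limit: an attacker who tries one guess against each of fifty accounts never trips it. A per-source counter alongside this one is the usual complement.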
alkemyst

No Lifer
Feb 13, 2001
What I think is funny is the soccermom mentality that people will not let their kids walk to a school in their own neighborhood, but think that there is no way corporate espionage or fraud will happen in their workplace.

I can guarantee at about 90% of the businesses out there if I am just allowed to roam around I can find at least a dozen passwords to remote systems or to the servers they have physically locked. Even if not written down, with weak password requirements just asking a few people who their significant other is or pet's name or just looking around their office/cube I can guess many non-secure passwords.
 

guyver01

Lifer
Sep 25, 2000
Yeah... any Microsoft shop worth its salt should allow you to use your Active Directory ID to log onto your PC, Outlook, network share, VPN, and Messenger accounts. Bonus points if you can use that same ID to log onto your intranet and CRM apps as well.

All that stuff is SSO integrated because it can all be controlled by Active Directory user groups. So of course it's going to use your AD account.

Now... if you can get Oracle to create an Active Directory integration method that allows AD user groups to control ERP access... well, that would be swell.
 

Capt Caveman

Lifer
Jan 30, 2005
All that stuff is SSO integrated because it can all be controlled by Active Directory user groups. So of course it's going to use your AD account.

Now... if you can get Oracle to create an Active Directory integration method that allows AD user groups to control ERP access... well, that would be swell.

Oracle does have an Active Directory product. OID is what we use to integrate with all of our other systems for SSO.
 
Dec 26, 2007
Depending on the company, there's a little law called Sarbanes-Oxley, and it has password requirements for systems that contain Sensitive User Information.



Here’s a basic list of what constitutes that vague term (I probably left some out):
  • Account number and identifiers
  • Customer numbers
  • User names
  • Credit card or bank information of any kind
  • Passwords
  • Private messages and blog posts
  • Wage information
  • Social security and driver’s license numbers
  • Birthdates
SOX compliance requires:

User sessions should not be identified using cookies or IP addresses

Strong passwords (more than 8 characters, mixed alphanumeric and special characters, mixed upper- and lower-case) should be enforced if users select their own passwords.

Anyone who has access to the production database should be required to change their password at least every 90 days

Security violations (such as a user entering the wrong password three times in a row) should be logged to a secure location and reviewed by the company Security Officer on a regular basis

amongst a whole list of other requirements.

IT doesn't make this stuff up. We're required by law to follow it.

Believe me, I don't want you calling daily because you can't remember your password because it's too complicated.

This.

Our security policy regarding passwords is this:
Change it every 90 days
New password cannot be any of the previous 8
Cannot be too similar to previous 8 passwords (like HRO1, HRO2, HRO3, etc)
Must contain lower case, upper case, and numbers (or special characters)
Luckily, we can use the same/similar passwords for our production systems (for example, if my Windows pw is Atot010109, production can be that, or cut at the end to fit the 6-character max length field on one system, so Atot01).
 

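The policy in the post above (change every 90 days, not one of the previous 8, not "too similar" to them, mixed case plus numbers or specials), together with the SOX list quoted earlier (more than 8 characters, alphanumeric plus special, no user name), is concrete enough to implement. What follows is an added example written for this page, not the poster's code or any vendor's: it checks a proposed password against those rules and returns the list of violations. Two points a practitioner would want are built in. History is kept as salted hashes, so the "previous 8" rule is a hash comparison, and the only old password available in cleartext is the current one the user types to authorize the change, so the similarity rule is checked against that alone. The edit-distance cut-off, the PBKDF2 parameters, the user names and the sample passwords are all assumptions made for the demo; note that the similarity test is what flags the post's own Atot010109 / Atot01 pair as one password in two lengths.

```python
"""Password-change policy check: added example, not code from the thread.

Rules implemented are the ones stated in the posts above (length > 8, mixed
case plus digit plus special, no user name, not one of the previous 8, not
"too similar").  The edit-distance cut-off and the hashing parameters are
assumptions chosen for the demo."""
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 8         # "cannot be any of the previous 8"
MIN_LENGTH = 9            # "more than 8 characters"
MAX_SIMILAR_DISTANCE = 2  # assumption: <= 2 edits away counts as "too similar"
PBKDF2_ROUNDS = 100_000   # assumption; any slow salted hash will do for history


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. History is kept as (salt, digest) pairs, never cleartext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if `password` hashes to any stored (salt, digest) entry."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(s):
    """Lower-cased password with any trailing digits removed: Atot010109 -> 'atot'."""
    return re.sub(r"\d+$", "", s).lower()


def too_similar(old, new):
    """Catch HRO1 -> HRO2 style rotation and 'same thing, truncated' variants.

    Two tests: a small edit distance, or an identical stem once the trailing
    digits are stripped (so Atot010109 and Atot01 both reduce to 'atot')."""
    if levenshtein(old.lower(), new.lower()) <= MAX_SIMILAR_DISTANCE:
        return True
    return _stem(old) != "" and _stem(old) == _stem(new)


def check_new_password(username, current_password, new_password, history):
    """Return a list of violations; an empty list means the change is allowed.

    `current_password` is the cleartext the user just typed to authorize the
    change and is the only old password available in the clear, so the
    similarity rule is checked against it alone.  `history` holds (salt, digest)
    pairs for the current and previous passwords, newest first.
    """
    violations = []
    if len(new_password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower": any(c.islower() for c in new_password),
        "upper": any(c.isupper() for c in new_password),
        "digit": any(c.isdigit() for c in new_password),
        "special": any(not c.isalnum() for c in new_password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    if username.lower() in new_password.lower():
        violations.append("contains the user name")
    if in_history(new_password, history[:HISTORY_DEPTH]):
        violations.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    if too_similar(current_password, new_password):
        violations.append("too similar to the current password")
    return violations


def demo():
    """Constructed scenario: user jsmith, current password Atot010109#, tries five replacements."""
    username, current = "jsmith", "Atot010109#"
    history = [hash_password(p) for p in (current, "Winter2008$x", "Spring2008$x")]
    candidates = {
        "bumped digits": "Atot010110#",
        "old one again": "Winter2008$x",
        "contains name": "JsmithRocks#42",
        "too short": "Ab1#",
        "good": "correct-Horse7-battery",
    }
    return {label: check_new_password(username, current, pw, history)
            for label, pw in candidates.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14} -> {result or 'OK'}")
```

The stem test is deliberately blunt: anything that differs from the current password only in its trailing digits is refused, which is the whole point of the "cannot be too similar" rule. A system whose password field silently truncates to 6 characters defeats all of this on its side, since every candidate that shares its first six characters is the same password there.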
her209

No Lifer
Oct 11, 2000
Two-factor authentication FTW. Even if someone got your "password", they still don't have your fingerprint, smartcard, etc.
 

Gibson486

Lifer
Aug 9, 2000
Do not get me started....


I boot up Windows...


"Your password needs to be changed within 7 days....

1. It cannot be the same as the previous 10 passwords

2. It cannot contain your name

3. It must have a number..."

WTF... I work for a consulting firm doing work for poop plants. What is so top secret about it? If this was Raytheon or NASA, yeah, I can see a scheme like this happening. But, WTF... I am out of passwords.
 

daishi5

Golden Member
Feb 17, 2005
Depending on the company, there's a little law called Sarbanes-Oxley, and it has password requirements for systems that contain Sensitive User Information.


Here’s a basic list of what constitutes that vague term (I probably left some out):
  • Account number and identifiers
  • Customer numbers
  • User names
  • Credit card or bank information of any kind
  • Passwords
  • Private messages and blog posts
  • Wage information
  • Social security and driver’s license numbers
  • Birthdates
SOX compliance requires:

User sessions should not be identified using cookies or IP addresses

Strong passwords (more than 8 characters, mixed alphanumeric and special characters, mixed upper- and lower-case) should be enforced if users select their own passwords.

Anyone who has access to the production database should be required to change their password at least every 90 days

Security violations (such as a user entering the wrong password three times in a row) should be logged to a secure location and reviewed by the company Security Officer on a regular basis

amongst a whole list of other requirements.

IT doesn't make this stuff up. We're required by law to follow it.

Believe me, I don't want you calling daily because you can't remember your password because it's too complicated.

Do not forget HIPAA; those of us in health need to deal with that one. We use the Citrix SSO here because so many of our apps won't work with AD; it has made life so much easier.
 

nobody554

Senior member
Jan 21, 2006
Here is what every company should do. Make every employee have 1 or 2 passwords and force them to choose really strong passwords. These passwords NEVER expire. Everything in the entire company uses one of these 2 passwords. VERY strict punishments are put in place for divulging one's password to anyone, up to and including being fired (depending on the sensitivity of the material being worked on). Now place the VAST majority of the IT security budget in building a secure infrastructure. Lock everything down. Firewall everything. Limit employees' access to only what they need. Record everything. If you follow these rules you don't really need a super secure password that changes every week. Unless you work for the military or something.

I'm reading this. It seems good in theory. But here's why it's not a good idea.

Who cares if you get fired for letting slip your password to get onto a machine that has bank account or social security number data on there? By the time IT can lock the account / change the password, it may have already been compromised. Proactive > Reactive. Always.

I don't care how much money you spend on a secure infrastructure. As long as you have humans working for you, your infrastructure is insecure.

That being said, I'm still a fan of SSO and think having 7 passwords that have to be typed in daily is stupid. But that's not completely our (IT's) fault. Some (Read: Most) applications don't add that functionality in there.
 

imagoon

Diamond Member
Feb 19, 2003
What is you guys' fascination with passwords?

Why can't there just be one password that logs me into everything? It's not like I can get into any of the other systems without my Windows logon. There are about 10 things that run at startup that NEVER get used; why not make the 3 critical programs start up too?


Security you say? Windows locks itself if I am inactive for more than a couple minutes. The other programs also log me off if I don't use them for X amount of time. This means that generally my password file is always up because chances are I am going to use it almost as much as I use Internet Explorer.

Why not make it easier for the thousands (millions?) of us who are just trying to do our jobs?

We didn't write the craptastic programs that have zero concept of SSO.

We use 30 minutes of inactivity for Windows. If you haven't moved your mouse in 30 minutes, you're not there and the terminal shouldn't be wide open for everyone to use. Company information is company information and your friends, the Executive team, have asked us to limit access. I am sure the CIO, CFO and CEO would work a meeting in for you to complain.

I do agree with you btw.

Example we have here.... Log in to Windows (obvious password) >> log in to Citrix MetaFrame (which corp runs, and God forbid we create a domain trust) >> random app's password that looks like it was designed in 1982. The app has no idea about the "single sign on" thing you speak of. Oh, local Windows expires every 90 days. Corporate also is 90 days but is always on a different cycle. Crappy app? Different 90 days.

All of these programs (bar the crappy old ones) support SSO if people would play together. However we use the "island method" here.

As a side note, why can't employees take any of this seriously? I mean, why do we feel the need to put, say... Payroll on the public share rather than using the Payroll share? I mean honestly, I personally can add user permissions in like 30 seconds if there is a person needing access. Yet we dump it out there so "person X" can get the file, but then leave that copy out there for years. It is only world readable (all employees!).

+all the SOX and HIPAA stuff mentioned above ^^
 

Juddog

Diamond Member
Dec 11, 2006
The reason all this is in place has to do with all the lawsuits going on any time a laptop is lost or stolen. With the amount of data that you can store on computers nowadays, a single laptop can contain a database containing several hundred thousand user records which can contain date of birth, social security number, etc..

The companies are simply covering their asses from lawsuits. Personally I'm hoping for a move to more bio based authentication methods, such as fingerprint / retinal scans, unfortunately where I work the fingerprint hardware doesn't work well with the hard drive encryption program we use.

Still people lose laptops all the time, this is why we have to do things like that. The main problem that people are referring to above, that work on non-sensitive data, is that the IT policy has to cover ALL company computers; we can't have selective security policy because then everything gets loose and security becomes compromised when people complain and are given a lower security level to shut them up.
 

KMFJD

Lifer
Aug 11, 2005
Do not get me started....


I boot up Windows...


"Your password needs to be changed within 7 days....

1. It cannot be the same as the previous 10 passwords

2. It cannot contain your name

3. It must have a number..."

WTF... I work for a consulting firm doing work for poop plants. What is so top secret about it? If this was Raytheon or NASA, yeah, I can see a scheme like this happening. But, WTF... I am out of passwords.

I love talking with people who have this attitude.... yup, too complicated.... let me zone out for 10 minutes while I listen to you mumble on the phone about how you cannot come up with a new password....
 

Theb

Diamond Member
Feb 28, 2006
If it can be bound to the domain it is. If it can't be bound to the domain we initially set it up with the same password as your domain account. At some point the password was changed on one system, but not changed on the others. Maybe it was a virus or a terrorist that changed your password, but probably it was you.

If you reach a point where the computer has made your life unmanageable IT will be happy to swap it out with a typewriter.
 

rudeguy

Lifer
Dec 27, 2001
As a side note, why can't employees take any of this seriously?

Because the only time we think about this kind of thing is either when we forget a password, it's time to change a password, or it's the yearly compliance training. The rest of the time we are living in our own little world, worrying about doing our jobs. I call it the 3 foot rule. Most people are not aware of anything outside of a 3 foot radius around themselves.
 

spidey07

No Lifer
Aug 4, 2000
LDAP, it's what's for dinner. Having different passwords for every application is so 1990s.
 

spidey07

No Lifer
Aug 4, 2000
/agree

If your app was written in the last decade there's really no excuse for not supporting LDAP authentication.

Tell me about it. The year will soon be 2010. 2010. No excuses for not supporting it. We're out of the 1990s by a whole decade.
 

her209

No Lifer
Oct 11, 2000
Tell me about it. The year will soon be 2010. 2010. No excuses for not supporting it. We're out of the 1990s by a whole decade.
There are still software vendors that develop applications that don't work properly unless the user has admin rights on their computer. Much FAIL.
 

skace

Lifer
Jan 23, 2001
Sometimes it's the app admin's fault, because he implements an application without understanding how LDAP ties in or because the vendor knew it was 'easier' to just get the lame accounts working instead.
 