Password Policies

dadecoza

So last week we get a notice that the company's password policy will change and this week it got implemented.

Today the help desk is flooded with calls for locked accounts.

So my new password will have to be ...

Lower and upper case with numbers and special characters and there should not be more than one of the same character next to each other (I think this is pretty standard). You may not have a password you have used before.

Our passwords expire every month (reminders start coming after 14 days grrrrr).

There is no way I will be able to remember a new password every month. Should I stick a post-it with my domain password to my monitor or maybe store it as a note on my cellphone? Is that not even less secure than just having me pick an easy-to-remember password?

</vent>
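The rules the OP lists (mixed case, digit, special character, no repeated adjacent character, no reuse) as a checker, plus the similarity test that such a policy usually lacks. This is an added example, not code from the forum or from any vendor; the minimum length and the edit-distance threshold are assumptions, since the post gives neither.

```python
"""Checker for the password rules described in the post (constructed example)."""
import string

SPECIALS = set(string.punctuation)


def policy_violations(candidate: str, history: list[str], min_len: int = 8) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it passes.

    Rules mirror the post: upper and lower case, a digit, a special character,
    no character repeated back to back, nothing from the reuse history.
    min_len is an assumption; the post does not state a length requirement.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    # "not more than one of the same character next to each other"
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("same character twice in a row")
    if candidate in history:
        problems.append("reused from history")
    return problems


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(candidate: str, history: list[str], max_edits: int = 3) -> list[str]:
    """Previous passwords that the candidate is only a few edits away from.

    An exact-match history check passes month-style increments; a distance
    check catches them. Directories store only hashes of old passwords, so in
    practice this can only be run against the current password at change time.
    """
    return [old for old in history if edit_distance(candidate, old) <= max_edits]
```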
 
2 options.
1. Use something like KeePass, and enter your password in there every time you change it.
2. Make your password something month related
i.e. P@swrdFeb2013
 
Urgh my company does this every three months :mad:

KeePass is fantastic, and you should definitely be using it, or LastPass, but it won't help for workstation logins. So I'd suggest the same: a secure password that you can remember, incremented by numbers to represent the month, like *******1, *******2 etc.
 
IT running the business again. Tail wagging the dog effect. Geez man, are they scared that the moment I go peepee my colleague will jump on my workstation and send illicit mails, steal info only I have access to etc.? That is why you screen people to come work for you, ain't it?
 
I just change the last number in my password every time the server asks me to change it. Once I reach the 12th month I start from one again :D
 
That's why I hate going online for FNB banking:
when you try to reset your password that doesn't even work,
had to do it about 8 times till it finally worked.
 
A few years ago Satrix had a similar policy on passwords. After about the third time of phoning them to get it reset, I fired off an email along the lines of "What is the point of a password that is so secure that everyone writes it down?"

A couple of weeks down the line they changed their policy.
 
I use LastPass with a YubiKey.

I don't even know what my passwords are. I use a password generator and changed them all to secure ones.

I log in to LastPass with one strong password and my YubiKey.

Without both you can't log in, and you need the actual YubiKey.
 
That's why I hate going online for FNB banking:
when you try to reset your password that doesn't even work,
had to do it about 8 times till it finally worked.

Off topic, but the FNB ib password doesn't allow non-alphanumeric chars. Why is that? Is it due to hardware limitations?
 
Urgh my company does this every three months :mad:

KeePass is fantastic, and you should definitely be using it, or LastPass, but it won't help for workstation logins. So I'd suggest the same: a secure password that you can remember, incremented by numbers to represent the month, like *******1, *******2 etc.

Our company's IT policy is the same: every 90 days you must change your password, and 15 days before the 90 days are over they start bombarding you with e-mail warning you that you can change it; if you don't, you get logged out (not that some of the guys actually care at all). Another problem is that you cannot use your suggestion, it must be a totally new password every 90 days; I think you cannot use the same string for at least 1 year.
 
You're lucky!
Our company does not allow passwords to repeat for 14 changes, so I have a standard password and just add the month and year in there as well.
Also their month is only 28 days long, so this creates even more problems :(

Just looking at all the post-it notes on laptop screens with the users passwords makes me all warm and fuzzy inside....
 
@ OP - I would say it is actually more secure to keep your passwords written down somewhere rather than to remember and use the same password for multiple systems, provided that wherever you keep them is either securely locked away or encrypted.

Passwords and security are no joke. Leaking confidential information or PII is also no joke. And businesses can get hammered for poor compliance, and are then suddenly and conveniently all too eager to pass the buck on to IT when the shyte hits the fan. Consider what happens if your IT department is also third party; that places even greater responsibility on them. And when they are audited and found non-compliant then people can lose jobs.

I think even as an IT professional if you turn a blind eye to these things it is negligent and very poor practice.

Unfortunately passwords and policies are just a way of life :) Most of the time it is harder work dictating and enforcing those policies than just abiding by them.
 
Oftentimes I find setting a stricter policy makes things worse, as the users start to write the passwords down; that is a far bigger risk than a moderately difficult password.
 
As an ITSEC professional, I am lol'ing at the posts.

ITSEC governance and policies are not determined by "IT running the business". They stem from compliance requirements such as SOX, PCI, etc., which determine, in the case of passwords, what the length/complexity/reuse history/etc. needs to be to ensure compliance with a standard. No compliance, no approval to trade or do business.

That said, stick your password on a post-it on your monitor at your own peril, because if someone else uses your account to go apeshyte, and someone will, no amount of pleading ignorance is going to get you off. You most likely agreed to a "use of Computing Services" policy at some point of your employment there.
 
If you really have trouble remembering your passwords, perhaps a suggestion is to use an encrypted flash drive stuck with your car keys? It is almost as convenient as a sticky note on your monitor but 1000 times more secure, and the bonus is that you will make sure you never put your car keys in a place where you can't find them :D

But be sure you have a good encrypted flash drive. I read stories of some of the hardware based ones having pretty silly vulnerabilities.

If it gets lost then you know to go change your passwords anyway. Plus your car is probably stolen too or you are going nowhere so you would notice pretty quickly.

Also always lock your screen when you get up from your PC. It is as easy as "Windows Key + L".
 
 
It's killing me seeing the responses to the password policies. Those things are in place for a reason.
Did anyone stop to think that if something incriminating happened from your workstation, the password policy ensures *you* were the person using it? There are tons more reasons for complexity and changes.
 
So last week we get a notice that the company's password policy will change and this week it got implemented.

Today the help desk is flooded with calls for locked accounts.

So my new password will have to be ...

Lower and upper case with numbers and special characters and there should not be more than one of the same character next to each other (I think this is pretty standard). You may not have a password you have used before.

Our passwords expire every month (reminders start coming after 14 days grrrrr).

There is no way I will be able to remember a new password every month. Should I stick a post-it with my domain password to my monitor or maybe store it as a note on my cellphone? Is that not even less secure than just having me pick an easy-to-remember password?

</vent>

Anyone that complains about these kinds of policies should go have s*****l int*rco**se with a hooker without using a condom. Because in this day and age that is what you are promoting if you complain about best practice security measures to try and keep you and your company's information secure.

Let's stick to the condom thing... you could have had int*rc**rse 100 years ago without any problems... 15 years ago you could have had one password that's less than 7 characters long and didn't need any numbers, special characters and so on.

Embrace it and try to implement the same thing with your personal data and accounts.
 