I use drugs to make it go away.
«... thank the gods that they have made you superior to those events which they have not placed within your own control, rendered you accountable for that only which is within your own control. For what, then, have they made you responsible? For that which is alone in your own power—a right use of things as they appear.» Discourses of Epictetus Book I:12
You are right, such a policy serves no real purpose. If someone's account gets hacked then their data is compromised at that point. So changing the password in a week will not do much good.
We have an ISO, which forces us to change password every 3 months and keep a history of eight 'ages', and of course it must be a complex password...
The only result is that now everyone manages a text/Excel file to keep track of the 8 'ages' and complexity... also everyone creates passwords based on a pattern...
I feel so safe...
The first thing I did after the first period was remove this from my user...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
So change your password every month to My_ridiculous_password_1 through My_ridiculous_password_12 and then start over from the beginning.
Head of IT at another company I work for sent me a login for one of their systems... the password? W3bl0g1n!
Nice.
What was the name of the company again?
Jörgen Andersson wrote:
My_ridiculous_password_1 through My_ridiculous_password_12
Where I am now had the setting so it wouldn't let you re-use the last 9 passwords until they realized that the majority of employees were just using My_easy_password_1 to My_easy_password_0 then starting over at 1.
So the fix? Change it to not allow you to use the last 20 passwords! Bet you can't guess what changed.
RJOberg wrote:
So the fix? Change it to not allow you to use the last 20 passwords! Bet you can't guess what changed.
The obvious solution is to not allow numbers at the end or start of a password. Of course that just leads to people using things like my1password, my2password, etc. So obviously you also have to require the first four characters of the password to be different each time as well.
Oh, there are many solutions: one of my favorites is to require a percentage of all letters to change to force the user to use a completely new password each time. Depending on how that is implemented, the user can just shift the entire password one character left or right and fool the entire mechanism.
Mostly this is a game. It is "wily" network administrators against their own users who endeavor to circumvent the network administrators. You'll notice, while being adversaries in this battle, both are missing the true enemy lurking trying to find a way in!
Wait, wait... Hold on, if they are salting and hashing the passwords, how can they possibly know if X% of characters changed each time? I mean, you can store the last 10 hashes to compare against, but no good hashing system should give them any possible idea of the number of characters that did or did not change each time. There may be a much bigger problem here than dumb password policy.
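An added illustration of the point made in the last two posts (not code from anyone in this thread): with salted hashes a system can still enforce "no reuse of the last N passwords" by re-deriving the candidate with each stored salt, but a "X% of characters must change" rule can only be evaluated against the current password, which the user has just typed in plaintext, and the naive position-wise version of that rule is fooled by shifting the old password one character. The account class, the history length and the work factor are constructed for the demo.

```python
import hashlib
import hmac
import os

HISTORY_LEN = 10      # salted hashes of previous passwords kept per account
MIN_CHANGED = 0.5     # naive "at least 50% of positions must differ" rule
ITERATIONS = 50_000   # PBKDF2 work factor (constructed value for the demo)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def fraction_changed(old: str, new: str) -> float:
    """Position-wise difference: what a naive 'X% of characters must change' rule measures."""
    same = sum(1 for a, b in zip(old, new) if a == b)
    return 1.0 - same / max(len(old), len(new))


class Account:
    def __init__(self, password: str):
        # Newest first; the plaintext itself is never stored.
        self.history = [hash_password(password)]

    def change_password(self, old: str, new: str) -> str:
        salt, digest = self.history[0]
        if not verify(old, salt, digest):
            return "wrong current password"
        # Similarity can only be judged against the *current* password, because the
        # user just supplied it in plaintext; older entries exist only as salted hashes.
        if fraction_changed(old, new) < MIN_CHANGED:
            return "too similar"
        # Reuse against the whole history IS possible: re-derive with each stored salt.
        if any(verify(new, s, d) for s, d in self.history):
            return "reused"
        self.history.insert(0, hash_password(new))
        del self.history[HISTORY_LEN:]
        return "ok"
```

Running it with the thread's own My_ridiculous_password_1 shows that bumping the trailing digit is rejected as too similar, while the shifted form y_ridiculous_password_1M sails through the position-wise rule, and reverting to the original is still caught by the hash history.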
Kornfeld Eliyahu Peter wrote:
The first thing I did after the first period was remove this from my user...
Ummmm... pregnancy or hysterectomy?
I'm retired. There's a nap for that...
- Harvey
It's their server, so they're right, so you have to deal with it. It is, however, your right to complain bitterly to whomever will listen.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
Exactly. I've been a contractor (consultant) for most of my 45 years in IT. Early on I learned two things:
1. Behave like a mercenary: if they want you to kill it, as long as it's not illegal, unethical or immoral, kill it.
2. They can pay me now or they'll pay me later; either way I get paid.
Every one of my clients was happy with me.
Such passwords will be written down. If someone changes the lock on their front-door each month, I'd be inclined to say that they haven't looked into securing the house at all and are merely copying others.
I'd also be testing their password recovery/reset options at least twice a month.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
It depends. If they're in an industry that has applicable cyber regulation then they may absolutely need to do this to maintain compliance.
Thirty days seems a little on the sharp side, but that's all contingent on the laws in the primary operational area for the company.
Also, the general "wisdom" on the security side is that complex passwords that are changed on a regular basis are still a fundamental security practice. The zeitgeist has not shifted on that; though there are a number of increasingly vocal individuals that advocate for a less complex strategy, they don't represent the viewpoint of the community as a whole.
Use KeePass to keep it easy. I just use the "Generate from last" and go.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
Yes, if they are too lazy to restrict access for ex-employees, then it would pay to change those passwords every 30 days. That would give said employee until the end of the month to create chaos.
It is nonsense.
No, if the organization is subject to regulation then out-processing requirements are likely required as well, which should include account closure. Of course, if there are a ton of different systems without a central AAA mechanism then it might be as you suggest, but only a complete moron would consider that a security strategy.
This isn't an insider threat mitigation strategy. As I said, 30 days is a bit much, but at least 90 (with deviation requirements) is pretty on-point to prevent re-use issues if a third party is compromised. It's not perfect, but it's far better than nothing.
Nathan Minier wrote:
This isn't an insider threat mitigation strategy. As I said, 30 days is a bit much, but at least 90 (with deviation requirements) is pretty on-point to prevent re-use issues if a third party is compromised. It's not perfect, but it's far better than nothing.
It is patchwork for someone who is too lazy to control the entire chain, and it is evil; it gives the impression of added security, where there isn't.
I disagree. There is no "control the entire chain" when a user can use the same password on my system as on a third party system, and I have no idea what precautions that system might have in place. Compared to the risk of compromise of credentials through third parties, the risk that an employee might keep a written ledger of passwords (or use a password manager) is much easier to accept.
As an SA or ISSO, I have no control over what passwords users have on other systems; but if I make them change it often enough I can reduce the risk of password reuse, and risk reduction is all that you can do in security. Not having password change requirements is frankly "lazy", as you are not only putting your system at risk, but any other that the user might have an account with.
Nathan Minier wrote:
but if I make them change it often enough I can reduce the risk of password reuse
No, now you are increasing that risk. Januari01, February02, March03..
Nathan Minier wrote:
and risk reduction is all that you can do in security
My world has to be black and white; either something can be trusted, or it can't. If it is outside my control, there will be no trust.