It would be nice if everyone had an embedded x509 hardware token, but that's simply not economically feasible for many organizations. Biometrics are still pretty sketchy and will be for a while yet. Passwords are simply a reality that need to be dealt with, and scoffing at management strategies for them doesn't help anyone.
Eddy Vluggen wrote: Well, like you, they work with "real" people, and it is about controlling risks there - not about avoiding them
Yeah, exactly my point.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
Nathan Minier wrote: It would be nice if everyone had an embedded x509 hardware token, but that's simply not economically feasible for many organizations. Biometrics are still pretty sketchy and will be for a while yet. If you go on a Dutch train you're already forced to use a hardware token.
Nathan Minier wrote: Passwords are simply a reality that need to be dealt with, and scoffing at management strategies for them doesn't help anyone. There are safer options than having the plain username/password combo. Scoffing works by the way, and it was for the good of anyone to point out that the medical website I was using is unsafe. Now scoffing alone means you're being a dick - so I also made sure to explain the alternative.
Bastard Programmer from Hell
If you can't read my code, try converting it here
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
A_Griffin wrote: I'm not really a security expert
I'm not sure anyone really is.
It's my understanding that most major security breaches are not through guessing someone's password but through other security holes, so I don't think these policies do any good at all.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
Not just gratuitous self-promotion (because that doesn't work well) but you could really try
my C'YaPass program (Users Hate Passwords (We're All Users): Never Memorize a Password Again).
It's free, open source, and there is code for 4 major platforms (windows, web, android, ios).
The coolest thing in the latest version is that it remembers all those annoying password requirements* now.
*Add uppercase, add special character, length req
modified 8-Mar-18 8:40am.
Interesting article, thanks!
Thanks for checking the article out.
A_Griffin wrote: One of my clients
They are paying you to do a job; either do it with their requirements or don't get paid.
Have you heard of how many control systems get hacked because people didn't change default passwords or change them on a regular basis? It is not so much an issue in the U.S.A. where companies are required by federal law to maintain secure environments, but it is still a threat.
Changing default passwords is another matter entirely, and of course it's a no-brainer. As for
Quote: They are paying you to do a job; either do it with their requirements or don't get paid
I have a good relationship with my clients - we can speak freely with each other.
NIST has also changed its tune re: password change frequency, although I can't find their official policy document right now.
Yep, that's exactly the document I came across. I just couldn't find the relevant paragraph, so I opted not to send a link to a document of that size without being a little more specific.
You are right, to a point. I think two things: make passwords at least 16 chars long and change passwords maybe once a year.
#SupportHeForShe
Government can give you nothing but what it takes from somebody else. A government big enough to give you everything you want is big enough to take everything you've got, including your freedom.-Ezra Taft Benson
You must accept 1 of 2 basic premises: Either we are alone in the universe or we are not alone. Either way, the implications are staggering!-Wernher von Braun
Ask the client's IT dept to change your email to a forwarder to another email address on a sane system.
Best is your own domain if you have one - if they moan about security you can honestly say you 100% control access.
Myself, I registered a domain and pay the annual fees (domain, hosting) and it's only used for my own email (too lazy to do a page, so the website forever says "under construction"). For a few dollars a month it's handy because I can add as many email addresses as I like (including temp ones for one-time registration, then remove them to avoid spam), manage spam filters and even use it for testing apps that send emails.
Signature ready for installation. Please Reboot now.
Well, yes I do have my own domain (several, in fact) but I also have email addresses tied to a couple of clients.
I do this as well. But I do actually have a page. <grin>
To err is human to really mess up you need a computer
The customer is always right ......... or not!
CQ de W5ALT
Walt Fair, Jr., P. E.
Comport Computing
Specializing in Technical Engineering Software
Both. In order to maintain PCI compliance, many companies have to have this requirement. My company does. Our security people know it's a dumb policy, but we have to have it to stay compliant.
1 month seems extreme though.
They are. But you can always find out how many passwords they look back and compare, and change it back. Write a PowerShell script that does it. Say that they only check the last five. So change it six times and then back to the original. Set it to run at the first of the month. Good to go.
To err is human to really mess up you need a computer
This is not the hill to die on. Save your energy for when you really need it; and you will.
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
If the policy is too strict, then people just write it on a piece of paper and stick it on their monitors. And they usually just substitute one character when they are forced to change it every 8 weeks.
A guy I know used to just make the password some phrase, a special character, and the date he changed it.
"CaveMan^May102017" for example.
It satisfies a lot of the typical requirements.
_____________________________
A logician deducts the truth.
A detective inducts the truth.
A journalist abducts the truth.
Give a man a mug, he drinks for a day. Teach a man to mug...
Both.
Password management is more complicated than that - and it inevitably suffers from being distilled down to what the end user can understand.
Password length is usually set to a period and length that exceeds the time a given computer can brute force the password. In other words - if a reasonable adversary can crack the password on a fast PC in 30 days, then either the password needs to be longer, or you need to change it sooner. Of course - explaining this to people can be complicated - and enforcing complex rules for passwords (if it's 8 characters it needs to be changed every 10 days, and if it's 9 characters then every 30) is also not possible on most systems.
So people try to generalize.
If you explain to them for example that you have 15 character passwords, and cracking them brute force is just not practical - you have processes to change them when key people who know the password leave, (or if the crypto were to be broken), then perhaps you could have your approach risk accepted. In practice this will probably save you a lot of effort - and you will end up with better passwords as well.
Hope that helps.
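The length-versus-rotation argument in the post above, carried through as a small added calculation (this is example code, not something from the thread). The guess rate of 10^10 guesses per second and the 95-character printable-ASCII alphabet are constructed assumptions for illustration, and the model assumes uniformly random passwords.

```python
"""Does a rotation period beat the expected brute-force time?

Added example for the reasoning in the post above. The guess rate used in
main() is a constructed assumption, not a measured figure.
"""

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must consider."""
    return charset_size ** length


def expected_crack_days(charset_size: int, length: int,
                        guesses_per_second: float) -> float:
    """Average days to hit a uniformly random password: on average the
    attacker tries half the keyspace at the given guess rate."""
    return keyspace(charset_size, length) / 2 / guesses_per_second / SECONDS_PER_DAY


def rotation_covers(charset_size: int, length: int,
                    guesses_per_second: float, rotation_days: int) -> bool:
    """True if the password is expected to be rotated before it is cracked.
    This is the post's rule: otherwise lengthen it or rotate sooner."""
    return expected_crack_days(charset_size, length, guesses_per_second) > rotation_days


def min_length_for(charset_size: int, guesses_per_second: float,
                   horizon_days: int) -> int:
    """Smallest length whose expected crack time exceeds the horizon, i.e.
    the length at which rotation within that horizon buys nothing."""
    length = 1
    while expected_crack_days(charset_size, length, guesses_per_second) <= horizon_days:
        length += 1
    return length


def main() -> None:
    # Constructed assumptions: printable ASCII, 10^10 guesses/s offline.
    charset, rate = 95, 1e10
    for length in (8, 9, 10, 15):
        days = expected_crack_days(charset, length, rate)
        print(f"{length:2d} chars: ~{days:,.1f} days, "
              f"30-day rotation covers: {rotation_covers(charset, length, rate, 30)}")
    print("min length to outlast 1 year:", min_length_for(charset, rate, 365))


if __name__ == "__main__":
    main()
```

At the assumed rate, 8 printable characters fall in under four days, so a 30-day rotation does not cover them, while 15 characters exceed any practical rotation period, which is the post's point that length, not rotation, does the work.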
Turgid peptic nags odd effects of drug (8)