The Lounge is rated Safe For Work. If you're about to post something inappropriate for a shared office environment, then don't post it. No ads, no abuse, and no programming questions. Trolling, (political, climate, religious or whatever) will result in your account being removed.
It would be nice if everyone had an embedded x509 hardware token, but that's simply not economically feasible for many organizations. Biometrics are still pretty sketchy and will be for a while yet.
If you go on a Dutch train you're already forced to use a hardware token.
Nathan Minier wrote:
Passwords are simply a reality that need to be dealt with, and scoffing at management strategies for them doesn't help anyone.
There are safer options than having the plain username/password combo. Scoffing works by the way, and it was for the good of anyone to point out that the medical website I was using is unsafe. Now scoffing alone means you're being a dick - so I also made sure to explain the alternative.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
They are paying you to do a job; either do it with their requirements or don't get paid.
Have you heard of how many control systems get hacked because people didn't change default passwords or change them on a regular basis? It is not so much an issue in the U.S.A. where companies are required by federal law to maintain secure environments, but it is still a threat.
You are right, to a point. I think two things: make passwords at least 16 chars long and change passwords maybe once a year.
Government can give you nothing but what it takes from somebody else. A government big enough to give you everything you want is big enough to take everything you've got, including your freedom.-Ezra Taft Benson
You must accept 1 of 2 basic premises: Either we are alone in the universe or we are not alone. Either way, the implications are staggering!-Wernher von Braun
I just looked at this a few days ago. My employer makes us change it every 42 days and remembers the last 26 passwords! I suggested to the devops guy that we change it. He inherited it and is open to change. I found two links in reference to the PCI guidelines (as we need to be PCI compliant) that state that they can go as old as 90 days. So that is my suggestion. I also suggested that it doesn't remember 26 old passwords. We'll see if updates happen, but I feel your pain!
Based on quick math, I'm about 40 passwords in at this job.
ask the clients IT dept to change your email to a forwarder to another email address on a sane system.
best is your own domain if you have one - if they moan about security you can honestly say you 100% control access.
Myself I registered a domain and pay the annual fees (domain, hosting) and it's only used for my own email (too lazy to do a page so website forever says "under construction.") For a few dollars a month handy coz I can add as many email addresses as I like (including temp for 1 time registration then remove to avoid spam), manage spam filters and even for testing apps that send emails.
Signature ready for installation. Please Reboot now.
they are. But you can always find out how many passwords they look back and compare and change it back. Write a powershell script that does it. say that they only checked the last five. So change it six times and then back to the original. Set it to run at the first of the month. good to go.
To err is human to really mess up you need a computer
If the policy is too strict, then people just write it on a piece of paper and stick it on their monitors. And they usually just substitute one character when they are forced to change it every 8 weeks.
Password management is more complicated than that - and it inevitably suffers from being distilled down to what the end user can understand.
Password length is usually set to a period and length that exceeds the time a given computer can brute force the password. In other words - if a reasonable adversary can crack the password on a fast PC in 30 days, then either the password needs to be longer, or you need to change it sooner. Of course - explaining this to people can be complicated - and enforcing complex rules for passwords like, if it's 8 characters it needs to be changed every 10 days, and if it's 9 characters then every 30 are also not possible on most systems.
So people try to generalize.
If you explain to them for example that you have 15 character passwords, and cracking them brute force is just not practical - you have processes to change them when key people who know the password leave, (or if the crypto were to be broken), then perhaps you could have your approach risk accepted. In practice this will probably save you a lot of effort - and you will end up with better passwords as well.