Rotating Passwords WTF - Continued



  • We've all been inflicted with stupid password policies... must change every 30 days, but be n characters in length, mixed case, numbers, punctuation, Klingon characters, stand-on-left-foot-while-entering...

    My company has taken it to the extreme. They USED to have single signon. Sign on once to any system, and you were in. Your profile then determined to what you were to be granted access. It was kind of nice. You only needed one password, and they only prohibited you from using the last 3 passwords. However, you could just change your password 4 times in a row to get back to square-1 and be done with it. Now the single signon is gone. Each system has its own password, each with different rules as to what constitutes a valid password, each with different rotation frequencies, each with a different number of previous passwords that it precludes you from using, AND you can only change your password every couple of days with a different interval for each system.

    I now have seven different passwords (unix dev/qa/prod, unix-dr (why this is different is beyond me), payroll/paycheck access, IRA-access, 401(k)-access, bug-tracking-access and windows) at work. Each system checks to make sure you aren't using the same password for the other systems. This is over and above those at the various banks (who have now all taken to requiring you to answer stupid questions that could be answered in any number of ways (In what city were you born? "New York", "new york", "NY", "NYC", "WTF?"; What is your wife's birthday? Which wife? #1 or #2? When is your anniversary? Again, #1 or #2? The answer depends on when the account was opened)).

    Who can keep track of all of this? I now *proudly* use the post-it security mechanism for all but financial access. Thankfully, the only ones that really matter are the ones on the ATM cards, and those you don't ever have to change (they only protect actual money).

    </rant>



  • @snoofle said:

    Who can keep track of all of this? I now proudly use the post-it security mechanism for all but financial access.

    And that right there is death-by-security.



  • It has been nearly ten years since the complexity of a password that is easily bruteforced exceeded the complexity of a password that most people can remember. People who are still using passwords for security are just plain and simple out of date. If you need your system to be secure, you need a smart card or some other similar form of token authentication.

    So you can relax in the knowledge that all of this annoyance is completely worthless.



  • A few weeks ago I spent about 25 minutes trying to come up with a memorable password for our staging server, which prompted me for a new password when I logged in. All this while I should've been actually getting things done. What pissed me off is that the unix passwd utility would only tell me which one restriction I was violating, choosing just one each time I tried to set the password:

    Cannot be a previously used password.
    Must be at least 8 characters in length.
    Must contain a number.
    Must contain an uppercase letter.
    Must contain a lowercase letter.
    Cannot be based on a dictionary word.
    Cannot be based on a reversed dictionary word.
    Cannot contain the same character more than twice in a row.
    Cannot contain a sequence of numbers. (i.e. 1234)
    Cannot contain a foreign language word.

    I eventually became very frustrated because all this time I couldn't get into the system to do my work. Then I remembered the Markov chain random word generator I wrote as an exercise in college a few years ago. I ran the program, picked a word from its output, and tried it out:

    Enter password: *****
    Enter new password: Tovental1!
    Cannot be based on a dictionary word. (apparently it saw "oven" as a no-no)

    The same pattern continued. The Markov chain random word generator was apparently too good at making English-sounding words for the computer to accept them as gibberish (does this mean it passes the Turing test?).

    I shortened the length of the chains to 3 characters and tried it again. This time the output, while still pronounceable, was not a recognizable word in any language I knew. Thankfully, after 25 minutes of fighting with the passwd utility, the machine accepted my password.

    Of course that's not to mention the intranet and internet passwords and pins I have to remember, my individual logins for all of our internal systems, my login to the Windows domain, the pin for my SecurID, etc...

    Common practice around here when you're prompted to change your password is to have a lead developer log in as root and set it for you, overriding the password restrictions.
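    The post above complains that passwd reports only one violated rule per attempt. As an added illustration (not code from the thread or from any passwd implementation), here is a checker that evaluates the listed rules together and reports every violation at once; the dictionary and password history are small constructed stand-ins, and the "foreign language word" rule is omitted because it is the same check against a second word list.

```python
import re

# Constructed stand-ins for the system's dictionary and password history.
DICTIONARY = {"oven", "password", "summer", "welcome", "staging"}
PREVIOUS = {"Tovental1!"}


def contains_dictionary_word(pw, min_len=4):
    """True if any dictionary word of min_len+ letters appears anywhere in pw
    (case-insensitive); this is how 'Tovental1!' trips on 'oven'."""
    low = pw.lower()
    return any(w in low for w in DICTIONARY if len(w) >= min_len)


def has_digit_sequence(pw, run=3):
    """True if `run` consecutive digits ascend or descend by one (e.g. 1234, 4321)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


# (message, predicate that is True when the rule is violated), in the system's order.
RULES = [
    ("Cannot be a previously used password.", lambda pw: pw in PREVIOUS),
    ("Must be at least 8 characters in length.", lambda pw: len(pw) < 8),
    ("Must contain a number.", lambda pw: not re.search(r"\d", pw)),
    ("Must contain an uppercase letter.", lambda pw: not re.search(r"[A-Z]", pw)),
    ("Must contain a lowercase letter.", lambda pw: not re.search(r"[a-z]", pw)),
    ("Cannot be based on a dictionary word.", contains_dictionary_word),
    ("Cannot be based on a reversed dictionary word.",
     lambda pw: contains_dictionary_word(pw[::-1])),
    ("Cannot contain the same character more than twice in a row.",
     lambda pw: re.search(r"(.)\1\1", pw) is not None),
    ("Cannot contain a sequence of numbers. (i.e. 1234)", has_digit_sequence),
]


def violations(pw):
    """Return every rule the candidate breaks, so the user sees them all at once."""
    return [msg for msg, broken in RULES if broken(pw)]


if __name__ == "__main__":
    for candidate in ("Tovental1!", "abc", "Xk9!vmq2"):
        print(candidate, "->", violations(candidate) or "accepted")
```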



  • @djork said:

    @snoofle said:
    Who can keep track of all of this? I now proudly use the post-it security mechanism for all but financial access.

    And that right there is death-by-security.

    You are, of course, completely correct.

    Aside: I usually use some combination of middle names of multiple family members with a product of the pertinent birth dates and "!" - very easy to remember, very secure, very hard to guess. The problem is when they force you to change it.... Grrr!



  • Same situation where I work. Fortunately, all of the resources I need to access on a daily basis have the same username/password. Our company is owned by 2 other companies, each with their own intranet. Each intranet requires both a unique password AND my username is different on both systems. PLUS, to get to 1 of the intranets, we need to access it via some fancy web page that requires me to enter my employee ID (which I don't know) AND enter a 6 digit number from one of those random number generator keychains AND enter my super secret PIN. Took me 4 months to get it all straightened out and then I realize that there's no way to set up direct deposit online and I'm just going to have to mail a form anyway...



  • My computer has a barcode scanner and I have the ability to produce barcodes. Nobody notices a nearby portable appliance test sticker has a barcode stuck on top of the original that when scanned produces my password. It's more for speed than anything else. You don't have trouble remembering a password if you have to type it in 20+ times a day.



  • My company has a single sign on system, but there are at least 3 instances of it in use, each with different configurations regarding password complexity... Which means I have three different passwords that I might need to enter when the thing says "use your single-sign-on account".

    Oh, and let's not forget the one that truncates your password to 8 characters even though half the entry forms allow you to enter more and don't tell you it was truncated....



  • @stinch said:

    Nobody notices a nearby portable appliance test sticker has a barcode stuck on top of the original that when scanned produces my password.

    This was clever up until the point when you posted about it on a public, high-traffic website, at which point it became kinda dumb. 



  • @stinch said:

    Nobody notices a nearby portable appliance test sticker has a barcode stuck on top of the original that when scanned produces my password.

    There are special keyboards that remember a massive amount of text; as a special feature you can get them to type pages and pages of remembered text and even disconnect them to work with the saved text. They can connect through USB, so I can take it with me if need be without having to reach around to the back of the computer to use it. Unfortunately they ran about $500 CDN (in 2002) and the one I had was a loaner. Can't remember the brand either.



  • X-Keys

    http://www.piengineering.com/xkeys.php

    Have a set at work, though I have never actually used them...



  • @snoofle said:

    Aside: I usually use some combination of middle names of multiple family members with a product of the pertinent birth dates and "!" - very easy to remember, very secure, very hard to guess. The problem is when they force you to change it.... Grrr!

    I used a method similar to this when some of my coworkers with more experience fighting password policies enlightened me to this EASY scheme: start at a position on the keyboard and work your way around.

    For instance, starting at 1, type 1qaz, then hold the shift key, move to the next column and type 2wsx... which yields: 1qaz@WSX
    When it is time to change again, start at 2, etc... 2wsx#EDC

    By the time you get to the end of the keyboard... reverse, go the other direction, skip every other key, etc.
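    The "1qaz@WSX" scheme above is a keyboard walk, a pattern that password-audit wordlists enumerate directly, so a policy that wants to refuse such choices needs to recognise them. The following detector is an added example, not from the thread or any real password checker; it assumes a US QWERTY layout, maps shifted digit symbols back to their keys, and flags any run of four or more consecutive characters typed on touching keys.

```python
# US QWERTY rows; shifted digit symbols map back to the key they sit on.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))


def key_pos(ch):
    """(row, column) of the physical key for ch, or None if it is not on our map."""
    ch = SHIFTED.get(ch, ch.lower())
    for r, row in enumerate(ROWS):
        c = row.find(ch)
        if c >= 0:
            return r, c
    return None


def adjacent(a, b):
    """Two distinct keys that touch horizontally, vertically or diagonally."""
    return (a is not None and b is not None and a != b
            and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1)


def longest_walk(pw):
    """Length of the longest run of consecutive characters typed on touching keys.
    '1qaz@WSX' yields 4: the column 1-q-a-z, then z to @ (shift-2) breaks the run,
    then the column 2-w-s-x."""
    if not pw:
        return 0
    best = run = 1
    prev = key_pos(pw[0])
    for ch in pw[1:]:
        cur = key_pos(ch)
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
        prev = cur
    return best


def is_keyboard_walk(pw, min_run=4):
    """Policy check: reject passwords containing a walk of min_run or more keys."""
    return longest_walk(pw) >= min_run


if __name__ == "__main__":
    for candidate in ("1qaz@WSX", "2wsx#EDC", "Tovental1!"):
        print(candidate, "walk" if is_keyboard_walk(candidate) else "ok",
              longest_walk(candidate))
```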



  • I've taken to using postits too, for the same sorts of reasons.  Lots of passwords at work, personal banking, etc. each with their own restrictions.  For non-crucial things, I tend to have a single password that I reuse (e.g. one for throw-away memberships, one for web-stores, one for web-based email, ...) but sometimes my "standard" password doesn't pass the specific requirements of a particular site, so now I have variations on a theme, ...

    I don't write down the whole password, but just enough to jog my memory. Using the previous poster's example password Tovental1!, for example, I'll write down: T...!

    The bar code scanner is clever as long as nobody catches you in the act.



  • I likewise have a few core passwords, each for different levels of security, and each changing according to a pattern I can remember. Because of increasingly strict password requirements and improved password-guessing software (see http://www.schneier.com/blog/archives/2007/01/choosing_secure.html), I recently introduced a new top-level password that’s a nasty hairy 10+ character string of intermixed cases, numbers, and special characters intended to be secure and meet the most stringent requirements I’ve heard yet. Yeah, it was hard to memorize, but once I did, I figured I’d be set for years. I can handle it.

    What I can't handle is now systems reject the password for being too secure. Password must be exactly 8 characters. Password must contain special characters but none can be *()_+=-{}[]:";',.<>?/! (where prohibited special characters vary by system). Password has too many capital letters.

    Must…control…fist…of…death.

    --RA 



  • @snoofle said:

    Who can keep track of all of this? I now *proudly* use the post-it security mechanism for all but financial access.

    You can do a little better than that. Encrypt a text file full of passwords with a tool like AXCrypt. Then all your passwords are as secure as whatever password you choose to encrypt with.

    It's like a post-it that only you can read.

