Password change frequency



  • This place is undergoing the changeover from wild-and-free-startup-3-years-in to established-corporation-with-procedures-for-everything.

    I just this minute received email regarding a conversation amongst C-level executives, the head of the DBAs and the head of security, regarding password complexity and expiration periods.

    The complexity rules are standard fare, so I won't bore you with them.

    The expiration debate ranged from 3-months-is-too-long; to so-is-two-months; so ok-let's-make-them-expire-monthly.

    So now our PC, linux (they don't use YP so each box has to be set independently), source control, etc all need to be a) different, b) changed monthly, with no repeats for 2 years.

    headdesk

     



  • Hooray post-its?



  • At least they don't expire hourly! and require use of an "authenticator" ...



  •  Easy. Just do your normal password with a month/year suffix.

    Pa$$word611

    Pa$$word711

    Pa$$word811

    ...

    That system doesn't work when the expiration period is longer than a month, so be grateful.



  • @snoofle said:

    changed monthly

    Will this particular part actually bother you unduly? Or are you planning to stay long enough

    a) for them to implement this

    b) plus a month?



  • @ShatteredArm said:

     Easy. Just do your normal password with a month/year suffix.

    Pa$$word611

    Pa$$word711

    Pa$$word811

    ...

    That system doesn't work when the expiration period is longer than a month

    Or there is a constraint that doesn't allow passwords that are alike.

    In my case what I do is use a very complex password and then, when it expires, use the same password on different keys, so I only memorize the mechanical motion (I have been using this system for 1 1/2 years; let us see if I can keep it until the end of the cycle, which is 6 years I think)
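
Added example (not part of any post in this thread): a change-time check of the kind the post above alludes to, comparing the new password with the current one the user has just typed. The function names and the 0.8 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumed policy threshold (not from the thread): reject at >= 80% similarity.
SIMILARITY_LIMIT = 0.8


def smallest_repeating_unit(s: str) -> str:
    """Return the shortest u with s == u * k, or s itself if there is none."""
    n = len(s)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and s[:size] * (n // size) == s:
            return s[:size]
    return s


def stem(password: str) -> str:
    """Collapse repetition, drop a trailing digit counter, fold case."""
    unit = smallest_repeating_unit(password)
    return re.sub(r"\d+$", "", unit).casefold()


def check_new_password(current: str, new: str) -> tuple[bool, str]:
    """Hypothetical change-time check returning (accepted, reason).

    Needs the current password in clear text, which the user supplies when
    changing it. Older passwords kept only as salted hashes can be tested
    for exact reuse, not for similarity.
    """
    if new == current:
        return False, "identical"
    cur_stem, new_stem = stem(current), stem(new)
    if cur_stem and cur_stem == new_stem:
        return False, "same stem"
    # All-digit passwords have an empty stem; compare the raw strings then.
    a, b = (cur_stem, new_stem) if cur_stem and new_stem else (current, new)
    if SequenceMatcher(None, a.casefold(), b.casefold()).ratio() >= SIMILARITY_LIMIT:
        return False, "too similar"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, taken from the schemes described in the thread.
    for cur, new in [
        ("Pa$$word611", "Pa$$word711"),
        ("Pa$$word611", "Pa$$word611Pa$$word611"),
        ("Pa$$word611", "Pa$$w0rd!611"),
        ("Zaq12wsx", "Xsw23edc"),
    ]:
        print(f"{cur!r} -> {new!r}: {check_new_password(cur, new)}")
```

The last pair, the keyboard-shift pattern described later in the thread, is accepted: a character-level comparison does not see keyboard geometry.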



  • @serguey123 said:

    @ShatteredArm said:

     Easy. Just do your normal password with a month/year suffix.

    Pa$$word611

    Pa$$word711

    Pa$$word811

    ...

    That system doesn't work when the expiration period is longer than a month

    Or there is a constraint that doesn't allow passwords that are alike.

    Just use the above scheme, but type the password consecutively a number of times depending on which system you're on.  e.g:

    PC: Pa$$word611

    Linux: Pa$$word611Pa$$word611

    Source Control: Pa$$word611Pa$$word611Pa$$word611

    Time sheet tracking: Pa$$word611Pa$$word611Pa$$word611Pa$$word611

    Company Interweb: Pa$$word611Pa$$word611Pa$$word611Pa$$word611Pa$$word611

    ...



  • @frits said:

    @serguey123 said:

    @ShatteredArm said:

     Easy. Just do your normal password with a month/year suffix.

    Pa$$word611

    Pa$$word711

    Pa$$word811

    ...

    That system doesn't work when the expiration period is longer than a month

    Or there is a constraint that doesn't allow passwords that are alike.

    Just use the above scheme, but type the password consecutively a number of times depending on which system you're on.  e.g:

    PC: Pa$$word611

    Linux: Pa$$word611Pa$$word611

    Source Control: Pa$$word611Pa$$word611Pa$$word611

    Time sheet tracking: Pa$$word611Pa$$word611Pa$$word611Pa$$word611

    Company Interweb: Pa$$word611Pa$$word611Pa$$word611Pa$$word611Pa$$word611

    ...

    [Humour=off] Sadly this won't work either [Sarcasm=on, Humour=on] because this is an excellent idea

    //Disclaimer: The humour tag does not guarantee that the comment is funny, only that it was made with a humorous intent



  • @PJH said:

    @snoofle said:
    changed monthly

    Will this particular part actually bother you unduly? Or are you planning to stay long enough

    a) for them to implement this

    b) plus a month?
     

    It doesn't bother me because I too, use a motion-pattern that can be repeated.

    For example, Jan=Zaq12wsx,Feb=Xsw23edc, Mar=Cde34rfv, ... Jun=Nhy67ujm,

    then Jul=Mko09ijn, Aug=Nji98uhb, ... Dec = Xdr54esz (and then I reverse it starting from the numbers going down and back up.)

    with a certain suffix that means something to me, so I'm good for 24 unique passwords that I can't remember but can easily figure out by just looking at the keyboard and knowing what month it is.

    The only caveat is I'm fucked if I don't have a qwerty keyboard.



  • @snoofle said:

    For example, Jan=Zaq12wsx,Feb=Xsw23edc, Mar=Cde34rfv, ... Jun=Nhy67ujm,

    Aw thanks a lot! Now I have to change my passwords!

    @snoofle said:

    The only caveat is I'm fucked if I don't have a qwerty keyboard.

    Or if there's a production emergency at work, and you're nowhere near a computer or keyboard, and you call up your boss over the phone, and he asks for the password so he can log in and save the day, and you're just on the other side of the phone in the middle of nowhere saying "uuuuhhhh" as you try to visualize what the keyboard looks like while twitching your fingers in an attempt to reverse the muscle memory. *

    * true story



  • Hey I just found out my workplace implemented a "three strikes, you're (locked) out" policy on our passwords! The hard way!

    Good thing I brought my own laptop to work today.



  • @Xyro said:

    @snoofle said:

    For example, Jan=Zaq12wsx,Feb=Xsw23edc, Mar=Cde34rfv, ... Jun=Nhy67ujm,

    Aw thanks a lot! Now I have to change my passwords!

    @snoofle said:

    The only caveat is I'm fucked if I don't have a qwerty keyboard.

    Or if there's a production emergency at work, and you're nowhere near a computer or keyboard, and you call up your boss over the phone, and he asks for the password so he can log in and save the day, and you're just on the other side of the phone in the middle of nowhere saying "uuuuhhhh" as you try to visualize what the keyboard looks like while twitching your fingers in an attempt to reverse the muscle memory. *

    * true story

    You noob, always have on you a life size print of your keyboard



  • @serguey123 said:

    @Xyro said:

    @snoofle said:

    For example, Jan=Zaq12wsx,Feb=Xsw23edc, Mar=Cde34rfv, ... Jun=Nhy67ujm,

    Aw thanks a lot! Now I have to change my passwords!

    @snoofle said:

    The only caveat is I'm fucked if I don't have a qwerty keyboard.

    Or if there's a production emergency at work, and you're nowhere near a computer or keyboard, and you call up your boss over the phone, and he asks for the password so he can log in and save the day, and you're just on the other side of the phone in the middle of nowhere saying "uuuuhhhh" as you try to visualize what the keyboard looks like while twitching your fingers in an attempt to reverse the muscle memory. *

    * true story

    You noob, always have on you a life size print of your keyboard

    Am I the only one that has it tattooed on my chest?


  • @blakeyrat said:

    Hey I just found out my workplace implemented a "three strikes, you're (locked) out" policy on our passwords! The hard way!

    Good thing I brought my own laptop to work today.

    They don't use a timer or something? Can't you talk to the Helpdesk people? Gods! And I thought my workplace was hard on security

    Well at least you can enter electronic equipment to the building.  My first week here I did nothing because my account was not done yet and there was nothing I could do about it



  • @serguey123 said:

    They don't use a timer or something? Can't you talk to the Helpdesk people? Gods! And I thought my workplace was hard on security

    This is undoubtedly the work of the Lotus Notes-using Frenchies who own our company now. I've never had this problem before... lock me out after 3 attempts as I come back to lunch on the day I changed my password? That's:

    1) Typing the old password from muscle-memory
    2) Typing an incorrect version of the new password (did I use a C or K when spelling that word?)
    3) Typing the same incorrect version, in case 2) was just a typo
    4) Looking-up the correct version and typing it-- oh wait already locked-out!

    Stupid French.

    And yes I called them. Nobody answered. Left a voicemail. Still waiting for a call back.



  • @Sutherlands said:

    @serguey123 said:

    @Xyro said:

    @snoofle said:

    For example, Jan=Zaq12wsx,Feb=Xsw23edc, Mar=Cde34rfv, ... Jun=Nhy67ujm,

    Aw thanks a lot! Now I have to change my passwords!

    @snoofle said:

    The only caveat is I'm fucked if I don't have a qwerty keyboard.

    Or if there's a production emergency at work, and you're nowhere near a computer or keyboard, and you call up your boss over the phone, and he asks for the password so he can log in and save the day, and you're just on the other side of the phone in the middle of nowhere saying "uuuuhhhh" as you try to visualize what the keyboard looks like while twitching your fingers in an attempt to reverse the muscle memory. *

    * true story

    You noob, always have on you a life size print of your keyboard

    Am I the only one that has it tattooed on my chest?

    It is impractical for me, my man boobs will hide from sight, also I have a lot of hair and an irrational fear of needles



  • @serguey123 said:

    my man boobs

    @serguey123 said:

    I have a lot of hair

    Thanks for the visual... Does anybody know where you can buy some brain bleach?



  • @C-Octothorpe said:

    @serguey123 said:

    my man boobs

    @serguey123 said:

    I have a lot of hair

    Thanks for the visual... Does anybody know where you can buy some brain bleach?

    Ohh you are welcome, for your viewing pleasure please peruse this http://www.marvelousmanboobs.com/

    When I saw the picture of the linux user my first reaction was "wtf is a picture of me doing there" but then I realized my pc was not like the one in the photo



  • Ok...  Now why would you be perusing a site called Marvelous Man Boobs?  I mean, curiosity sometimes gets the best of us, but holy hell dude...

    PS - I do appreciate your honesty with the URL title and I realize you could have put "reallyhotchicks.com" in some really sick, sweaty man boob version of rick rolling...



  • @C-Octothorpe said:

    Ok...  Now why would you be perusing a site called Marvelous Man Boobs?  I mean, curiosity sometimes gets the best of us, but holy hell dude...

    PS - I do appreciate your honesty with the URL title and I realize you could have put "reallyhotchicks.com" in some really sick, sweaty man boob version of rick rolling...

    Ok, first, thanks, I could say that I search it for the whole purpose of showing it to you but using my honesty I read The Oatmeal, I got it from there



  • @blakeyrat said:

    4) Looking-up the correct version

    By reapplying your secret algorithm to your secret entropy source, right?



  • @Zecc said:

    @blakeyrat said:

    4) Looking-up the correct version

    By reapplying your secret algorithm to your secret entropy source, right?

    Nah, it's on a post-it note in my wallet.



  • @Zecc said:

    @blakeyrat said:
    4) Looking-up the correct version

    By reapplying your secret algorithm to your secret entropy source, right?
     

    If the algorithm was reading and the entropy source a post-it.

     

    EDIT: damn, just a little too late for this to be a prediction.



  • Ours is currently 3-monthly, but no repeats for, uh... 64 years.



  • @Sutherlands said:

    Am I the only one that has it tattooed on my chest?

    Which way up?



  • @blakeyrat said:

    @serguey123 said:
    They don't use a timer or something? Can't you talk to the Helpdesk people? Gods! And I thought my workplace was hard on security

    This is undoubtedly the work of the Lotus Notes-using Frenchies who own our company now. I've never had this problem before... lock me out after 3 attempts as I come back to lunch on the day I changed my password? That's:

    1) Typing the old password from muscle-memory
    2) Typing an incorrect version of the new password (did I use a C or K when spelling that word?)
    3) Typing the same incorrect version, in case 2) was just a typo
    4) Looking-up the correct version and typing it-- oh wait already locked-out!

    Stupid French.

    And yes I called them. Nobody answered. Left a voicemail. Still waiting for a call back.

    That would be why, unless I know for sure the system allows more than 3 attempts, I skip step 3 and go directly to looking up* the correct password on the third try, and type it carefully. Of course there's still the possibility that I typo there and am screwed, but the chance is pretty small.

    *in a password manager on my home PC or cell phone.


  • For similar reasons, I've adopted the policy of only ever changing my password first thing on a Monday morning. That gives me enough time to learn it properly before the weekend.

    I've only had to resort to writing it down once, when my previous password expired the week before I went on annual leave for a month and a bit and I didn't trust myself to remember it over the break. As it turned out I had to log in from home a few times over the course of my leave (yes, I know that's TRWTF - but it was better than the previous year's holiday in which I had to log on and at minimum do some monitoring every day) and that was enough to keep it in memory.



  • @C-Octothorpe said:

    @serguey123 said:

    my man boobs

    @serguey123 said:

    I have a lot of hair

    Thanks for the visual... Does anybody know where you can buy some brain bleach?

    aye. you get it and the same place which sells alcoholics.



  • As per company policy, passwords and biometric features must be changed monthly.



  • @Shortjob said:

    aye. you get it and the same place which sells alcoholics.

     Selling alcoholics has two major problems:

         1) Who would want to buy one?
         2) Slavery is illegal in most places...



  • @blakeyrat said:

    Hey I just found out my workplace implemented a "three strikes, you're (locked) out" policy on our passwords! The hard way!

    Good thing I brought my own laptop to work today.

    *sigh* So did mine. For all the 70.000 users. Healthcare workers with a high level of stress, a lot of whom work part time.

    We still have something like 9 semi-independent infrastructures from before the mergers because we don't get the fucking money to consolidate. One hospital alone had 4 different active directories. The three old ones linked to the new one. When the users change their pw in one of the three old domains it's changed in the new domain but not in the other two old domains.

    Password expiry is of course independent across the domains and some key services have been migrated but by no means all.

    So the users work at one location, and change the PW there, then go to another location, find the network pw there has not changed, but that the exchange pw has changed.

    This is efficiency in action. The suits can't understand why we're not seeing economic results from the merges yet...



  • @Xyro said:

    @snoofle said:
    For example, Jan=Zaq12wsx,Feb=Xsw23edc, Mar=Cde34rfv, ... Jun=Nhy67ujm,

    Aw thanks a lot! Now I have to change my passwords   That's amazing!  I've got the same combination on my luggage!

    FTFY!

     



  • @blakeyrat said:

    @Zecc said:

    @blakeyrat said:

    4) Looking-up the correct version
    By reapplying your secret algorithm to your secret entropy source, right?

    Nah, it's on a post-it note in my wallet.

    As recommended by Bruce Schneier, with a particularly great quote:

    [quote user="http://www.schneier.com/blog/archives/2005/06/write_down_your.html"] 

    We're all good at securing small pieces of paper. I recommend that
    people write their passwords down on a small piece of paper, and keep
    it with their other valuable small pieces of paper: in their wallet.

    [/quote] 



  • @DaveK said:

    As recommended by Bruce Schneier, with a particularly great quote:

    [quote user="http://www.schneier.com/blog/archives/2005/06/write_down_your.html"]

    We're all good at securing small pieces of paper. I recommend that
    people write their passwords down on a small piece of paper, and keep
    it with their other valuable small pieces of paper: in their wallet.

    [/quote]

    Great minds think alike!

    I figure as long as I don't write down what computer/network the password is *for*, then the password on its own isn't very useful information.

    I don't put in my webmail password, which is the gateway to all my non-work-related passwords, because it would probably be not-too-hard to find the address of my webmail from the contents of my wallet.



  • When I need to write down passwords or PINs, I also write down a bunch of bogus passwords/PINs next to them. I'll be able to recognize the right one in a crowd.



  • @blakeyrat said:

    @DaveK said:

    As recommended by Bruce Schneier, with a particularly great quote:

    [quote user="http://www.schneier.com/blog/archives/2005/06/write_down_your.html"]

    We're all good at securing small pieces of paper. I recommend that
    people write their passwords down on a small piece of paper, and keep
    it with their other valuable small pieces of paper: in their wallet.

    [/quote]

    Great minds think alike!

    I figure as long as I don't write down what computer/network the password is *for*, then the password on its own isn't very useful information.

    I don't put in my webmail password, which is the gateway to all my non-work-related passwords, because it would probably be not-too-hard to find the address of my webmail from the contents of my wallet.

    If I was worried about someone finding my wallet and figuring out how to use my password, I'd not write down quite the actual password itself, but some easily-remembered variant, like with adding one to all the letters or maybe digits, or maybe omitting a secret prefix or suffix that I'd keep only in my head.

    When I was a kid and cashpoint cards first came out, my dad taught me a trick for securely keeping a note of your PIN alongside or even on your card.  You choose a memorable ten-letter word with no repeated letters in it, assign the digits 0 to 9 to the characters in the word, and translate your PIN to a four-letter word.  Without knowing the keyword, which you don't ever write down, nobody's going to guess your numbers.  My first introduction to the world of crypto and the division of security between algorithm and key!



  • @Xyro said:

    When I need to write down passwords or PINs, I also write down a bunch of bogus passwords/PINs next to them. I'll be able to recognize the right one in a crowd.

    Interesting idea, as long as the accounts lock after enough tries. Why didn't I think of that?

    @DaveK said:

    When I was a kid and cashpoint cards first came out, my dad taught me a
    trick for securely keeping a note of your PIN alongside or even on your
    card.  You choose a memorable ten-letter word with no repeated letters
    in it, assign the digits 0 to 9 to the characters in the word, and
    translate your PIN to a four-letter word.  Without knowing the keyword,
    which you don't ever write down, nobody's going to guess your numbers. 
    My first introduction to the world of crypto and the division of
    security between algorithm and key!

    Cute story. Your father sounds like a man with a good head on his shoulders.



  • @Xyro said:

    When I need to write down passwords or PINs, I also write down a bunch of bogus passwords/PINs next to them. I'll be able to recognize the right one in a crowd because of a handy high lighter I used.

    FTFY



  • @Zecc said:

    @Xyro said:

    When I need to write down passwords or PINs, I also write down a bunch of bogus passwords/PINs next to them. I'll be able to recognize the right one in a crowd.

    Interesting idea, as long as the accounts lock after enough tries. Why didn't I think of that?

    @DaveK said:

    When I was a kid and cashpoint cards first came out, my dad taught me a
    trick for securely keeping a note of your PIN alongside or even on your
    card.  You choose a memorable ten-letter word with no repeated letters
    in it, assign the digits 0 to 9 to the characters in the word, and
    translate your PIN to a four-letter word.  Without knowing the keyword,
    which you don't ever write down, nobody's going to guess your numbers. 
    My first introduction to the world of crypto and the division of
    security between algorithm and key!

    Cute story. Your father sounds like a man with a good head on his shoulders.

     

    Back at least fifty years ago, that's how mom-and-pop merchants marked their cost for things on the price tags.  I remember a children's (!) book about a kid who figured out the code for some store in his neighborhood.   My grandfather had the conveniently ten-unrepeated-letter name of "JIM SHEPARD", so he did the same in his gunsmith shop.

    The "bunch of bogus passwords surrounding the real one" approach can be applied in other areas too.  I once came up with the idea of building a set of windchimes out of an assortment of keys, with the spare key that actually opened the door of the house findable because it would be "the one opposite the brass key with the round head" or some other association-by-proximity rule.

     



  • @da Doctah said:

    The "bunch of bogus passwords surrounding the real one" approach can be applied in other areas too.  I once came up with the idea of building a set of windchimes out of an assortment of keys, with the spare key that actually opened the door of the house findable because it would be "the one opposite the brass key with the round head" or some other association-by-proximity rule.
     

    I'm not sure if these things count as "something you know" or "security by obscurity"



  • @dhromed said:

    @da Doctah said:

    The "bunch of bogus passwords surrounding the real one" approach can be applied in other areas too.  I once came up with the idea of building a set of windchimes out of an assortment of keys, with the spare key that actually opened the door of the house findable because it would be "the one opposite the brass key with the round head" or some other association-by-proximity rule.
     

    I'm not sure if these things count as "something you know" or "security by obscurity"

    I was going to rant a bit about how obscurity has an overly bad rep as a means of security, but I got distracted by wondering why we still don't get combination locks on front doors. Any thoughts?



  • @intertravel said:

    I got distracted by wondering why we still don't get combination locks on front doors. Any thoughts?
     

    Because you'd get post-its on doors.



  • @intertravel said:

    I got distracted by wondering why we still don't get combination locks on front doors. Any thoughts?

    ... you could just buy one and install it. What are you, an infant? Adult human beings have the ability to modify their environment to their liking.

    You can even get nifty remote-entry deadlocks that work like the remote-entry system on your car, you just click the keychain remote from 20 feet away, and walk in the door.



  •  @snoofle said:

    This place is undergoing the changeover from wild-and-free-startup-3-years-in to established-corporation-with-procedures-for-everything.

    I just this minute received email regarding a conversation amongst C-level executives, the head of the DBAs and the head of security, regarding password complexity and expiration periods.

    The complexity rules are standard fare, so I won't bore you with them.

    The expiration debate ranged from 3-months-is-too-long; to so-is-two-months; so ok-let's-make-them-expire-monthly.

    So now our PC, linux (they don't use YP so each box has to be set independently), source control, etc all need to be a) different, b) changed monthly, with no repeats for 2 years.

    headdesk

     

     Easy. Here's your algorithm:

    password for pc month one

    password for vc month three

    etc.

    Why people don't use spaces and words in passwords is beyond me. It's like they think a space character ruins 'teh integritee' of the password or something when in reality it just makes for a virtually impossible dictionary attack. It's really weird. Well, that and some services don't allow them, I guess...

     



  • @Power Troll said:

    Well, that and some services don't allow them, I guess...

    My bank's OLB site doesn't allow special characters, or spaces, and limits passwords to 15 characters...  Now how's that for reducing the password space for potential hackers.

    Oh, and the site gives different responses when you got a valid username but the wrong password, as opposed to both being wrong.  This would make it hella easy for the average monkey who knows how to use grease monkey to perform a dictionary attack on usernames and reverse brute force the bitch... 

    Hmm, I think I have an account to close... I'll be right back.
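
Added example (not from the thread, and not the bank's code): the response difference described in the post above, next to a login handler that answers both failure cases identically and does the same hashing work for unknown usernames. The class, its method names, the messages and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch
GENERIC_FAILURE = (401, "Invalid username or password.")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    """Hypothetical in-memory login service."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        # Dummy record: unknown usernames still cost one full hash.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def leaky_login(self, username: str, password: str) -> tuple[int, str]:
        """The behaviour the post describes: two distinguishable failures."""
        if username not in self._users:
            return 401, "Unknown username."
        salt, expected = self._users[username]
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return 401, "Wrong password."
        return 200, "Welcome."

    def login(self, username: str, password: str) -> tuple[int, str]:
        """Same status, same body, same hashing work for every failure."""
        known = username in self._users
        salt, expected = self._users.get(
            username, (self._dummy_salt, self._dummy_hash)
        )
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if known and matches:
            return 200, "Welcome."
        return GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery")  # constructed account
    print(svc.leaky_login("alice", "nope"), svc.leaky_login("mallory", "nope"))
    print(svc.login("alice", "nope"), svc.login("mallory", "nope"))
```

Registration and password-reset responses need the same treatment, or they reveal the same thing.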

