Search
Forum Home | Login
greywar
greywar
Join Date 05/2003
+4

Long Passwords = Less Security

How crappy is your IT?

December 28, 2006 12:00:32 PM from JoeUser ForumsJoeUser Forums

     For the folks who don't know : I have moved job sectors and am back in government services again. Specifically I am maintaining the TLA stacks for the Army's NIPR (just read that as internet) connected istallations. As such I have many accounts (somewhere around 100) on many different computer systems. The Army has recently moved to a new password system that requires a 15 character password with 2 uppercase letters, 2 lower case letters, 2 numbers, and 2 special characters included. Further more most of these accounts require the passwords to be auto-generated and do not allow the user to change or set their own passwords. End result? 100 15 character passwords that are written down in the top drawer of my (and every other employee here) desk.

     Many of my co-workers actually maintain digital copies of these passwords in Excel as well and even email this back to their non-work email accounts for occasional telecommutes via VPN tunnel. In short the Army has garnered far more security vulnerabilities with this policy than it closed. Previously most accounts followed an 8 character rule and allowed users to set their own passwords. This usually meant that most accounts for one user used the same or similar passwords. If you got that one password you could do a lot of damage but the likelihood of compromise was greatly decreased since most users can remember one 8 character password.

     Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware. Brilliant.

Locked Post
Search this post
Advanced Search
Subscription Options
Reason for Karma (Optional)
Successfully updated karma reason!
2 Pages1 2 
greywar
Bichur
Join Date 10/2003
+253
Reply #1 December 28, 2006 12:10:42 PM
from WinCustomize ForumsWinCustomize Forums
Military Intelligence

n. - oxymoron -- (conjoining contradictory terms (as in `deafening silence'))

(I did a half-life)
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
greywar
Join Date 05/2003
+4
Reply #2 December 28, 2006 12:24:05 PM
from JoeUser ForumsJoeUser Forums
Good lord that the joke never gets old... wait thats a lie, it was old for me a long long time ago....
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
crimson
Join Date 12/2003
+3
Reply #3 December 28, 2006 12:31:50 PM
from JoeUser ForumsJoeUser Forums
We had 4 separate systems that changed passwords quarterly, each one month after the other. Uppercase, lowercase, 1 numeral, and 1 special character had to be used. If you used the wrong password more than 3 times in the same day, it would have to be reset by an outside IT group. It was awful, but we were allowed to make a choice. But that choice had to fall under certain patterns. You could never reuse the same word, the same number, the same special character in the same pattern again. You couldn't use the same pattern on the 4 separate systems.

It made me dizzy just writing this out, but the reality was, after months of it, you would never have to write down your passwords. It would just come automatically. Because you used your passwords on an almost daily basis, you never had to actually think about the password, your fingers would just 'remember'. The only time it became a problem is if you went on holidays. Then you were screwed.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
greywar
Join Date 05/2003
+4
Reply #4 December 28, 2006 12:36:50 PM
from JoeUser ForumsJoeUser Forums

It made me dizzy just writing this out, but the reality was, after months of it, you would never have to write down your passwords. It would just come automatically. Because you used your passwords on an almost daily basis, you never had to actually think about the password, your fingers would just 'remember'. The only time it became a problem is if you went on holidays.
That is true of the one password that I uses hundreds of times a day but totally untrue of the ones that don't see daily use. Once you go beyond 2 or 3 passwords even daily use won't help your fingers anymore especially when you dont get to choose the passwords at all.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Fuzzy Logic
Join Date 05/2002
+493
Reply #5 December 28, 2006 1:02:17 PM
from WinCustomize ForumsWinCustomize Forums

Long passwords can be good - if it is a phrase or saying you can remember. The size can be limitless and it never needs to be written down.

Some password policies are just plain stupid and asking for security breaches. Passwords which are impossible to remember are the complete opposite of what is required.

We don't have a policy as such, but the folks here are too predictable. I can guess most employees' passwords in just a few attempts...

Reason for Karma (Optional)
Successfully updated karma reason!
greywar
lifehappens
Join Date 07/2004
+5
Reply #6 December 28, 2006 1:07:14 PM
from JoeUser ForumsJoeUser Forums
I agree with you. I have multiple emails, and various accounts that seem to have all decided to upgrade the security. The upper/lower/number/special characters are a pain in the ass. It's not too bad, but only becuase I have a formula that I use to remember the passwords...

anything that is randomly generated.....ends up getting written down. sigh.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Jafo
Join Date 03/2001
+1830 sdemployee
Reply #7 December 28, 2006 6:31:43 PM
from WinCustomize ForumsWinCustomize Forums

Sounds like it's time for finger-print readers....

 

Reason for Karma (Optional)
Successfully updated karma reason!
greywar
seldomseen
Join Date 09/2002
+28
Reply #8 December 28, 2006 7:23:41 PM
from WinCustomize ForumsWinCustomize Forums
retina-scanners? Saw 'em at COMDEX in Las Vegas a few yrs. ago and thought they were pretty cool...
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
MasonM
Join Date 01/2004
+45
Reply #9 December 28, 2006 7:46:01 PM
from JoeUser ForumsJoeUser Forums
Biometrics would solve the problem and avoid a bunch of written passwords.

They have the right idea as far as password construction goes, I use a similar formula for my critical passwords, but I still create a password pattern that is easy for me to remember without having to write them down.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Sturgee
Join Date 01/2005
0
Reply #10 December 28, 2006 9:30:17 PM
from JoeUser ForumsJoeUser Forums
I'm lucky in that I'm only using 4 systems, and 3 of the 4 have the same user ID. Not sure why they decided to change it for the 4th, but alas, so sayeth the government lords. I'm able to have the same password, that I choose, for 3 of the 4, so that isn't too bad either.

But, I ALSO have to log into about 10 different online databases, analysis tools, and community pages. And each of these, because they are created/maintained by some different entity, have different password requirements. Like you, the 2 or 3 that I use daily are no big problem, but the others that I only use occassionally, are a pain in the ass.

So, like you, I have a little cheat sheet with all of my passwords on it. I hate having to do it, but after I got locked out of a couple of the tools, and had to call "somebody" to get it unf*^ked, I have resorted to weak security.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Daiwa
Join Date 07/2001
+351
Reply #11 December 29, 2006 2:10:31 AM
from WinCustomize ForumsWinCustomize Forums
I wonder if having a "multiple-password" system would be any more secure. It would certainly be more operator-friendly. I use and can remember 3-4 8-character passwords fairly easily - I usually base them on something memorable I've read or some bit of remote personal history nobody else would be likely to know or guess, often using differing sequences of a set of 4-character blocks. It would be a little bit of a pain, but having to input 2 or 3 different passwords in succession would make the likelihood of compromise pretty low, I would think, since they wouldn't need to be written down anywhere. I'd think you could use the same set of passwords for multiple systems fairly securely if that were the case.

Then again, fingerprint or iris-scan technology is getting to be pretty inexpensive. But, I've always wondered how a system is authorized to recognize the "first" one - the "keys to the keys" problem.

My brain is starting to hurt so I'll quit now.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Gideon MacLeish
Join Date 06/2004
+1
Reply #12 December 29, 2006 6:05:36 AM
from JoeUser ForumsJoeUser Forums
I've never understood the mentality that auto generated passwords are more secure. While certain people have suggested keeping PW's in a folder with an inconspicuous name, if they're written down anywhere, they can be easily compromised.

Bottom line: if someone really, REALLY wants into your somputer, they're getting in. The only way to make the Internet more secure would be to make it less convenient.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Dr Guy
Join Date 09/2004
+129
Reply #13 December 29, 2006 12:49:33 PM
from JoeUser ForumsJoeUser Forums

We have the same thing at my work (not hundreds thankfully, but about a dozen).  We are forced to change them at 30, 45, 60 and 90 days!  And none talk to the others, so yes, I have to keep them written down! (just not taped to the bottom of my KB).  They think they are being so secure!  No, just jacking off and smiling that they are APA compliant!  In point of fact, they are far less secure than if they did not have an expiration policy!

Reason for Karma (Optional)
Successfully updated karma reason!
greywar
SirSmiley
Join Date 06/2005
+38
Reply #14 December 29, 2006 1:40:17 PM
from WinCustomize ForumsWinCustomize Forums
This so reminds me of the "bosco" thing from Seinfeld.

I really wonder why in a DOD facility you're only using passwords alone and not key files or something else? I'd like to believe that it's because the data at your disposal isn't deemed as highly sensitive but, I'm not that naive.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
greywar
Join Date 05/2003
+4
Reply #15 December 29, 2006 2:07:03 PM
from JoeUser ForumsJoeUser Forums
really wonder why in a DOD facility you're only using passwords alone and not key files or something else? I'd like to believe that it's because the data at your disposal isn't deemed as highly sensitive but, I'm not that naive.
Actually to access the source machine you need to have a CAC, password, and a physically separate RSA key generator. Not so for many of the remote machines though.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
unclerob
Join Date 08/2006
+40
Reply #16 December 29, 2006 6:40:03 PM
from WinCustomize ForumsWinCustomize Forums
I for one am surprised that biometrics aren't in place & used in a military facility that holds the type of confidential data that you're talking about. Technically long passwords are great for security, the breakdown is when you have people writing them down on paper, saving them in excel files and emailing themselves this account information.

We've been using biometric scanners at our work for almost a couple years already and I personally love it. My latest machine is an IBM Stinkpad T43 and it has a biometric fingerprint scanner in the lower right corner of the keyboard area. Once you've enrolled your fingerprints on your machine (you can do just 1 or all of your fingers on both hands), logging into your machine or on to a network domain is a snap (or swipe as it were). You can even export the fingerprint profiles to another machine so that you don't have to go through the fingerprint enrollment process on every machine you use.

I think it works great, it's quick and very practical.

I heard someone mention retina scanners, don't know where they would fit that on my laptop or desktop machines - I wouldn't be crazy about a usb device with a cable that I'd have to lug around with my machine either.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
nobs
Join Date 01/0001
+13
Reply #17 December 29, 2006 8:08:27 PM
from JoeUser ForumsJoeUser Forums
True bureaucracy in action.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
greywar
Join Date 01/0001
+13
Reply #18 December 30, 2006 4:02:22 AM
from JoeUser ForumsJoeUser Forums
I am in arizona...
WTFRU?

Fuller
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Don
Join Date 01/0001
+13
Reply #19 December 31, 2006 1:02:50 PM
from JoeUser ForumsJoeUser Forums
Randomly generated passwords, of any size and pattern is just plain bad news. Keeping the same size and pattern requirements would be smart, but allowing the user to generate the phrase or word is the only way to go. The next step is to train a person on how to generate a password using those requirements so that they remember the password. If the passwords are stored in your desk, your security team is not doing thier job. And if the "cleaning" crew is peaking at them, both the security team and the cleaning crew is not doing their job right!

Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Skinhit
Join Date 11/2004
+516
Reply #20 January 2, 2007 12:21:57 AM
from WinCustomize ForumsWinCustomize Forums
"15 character passwords that are written down in the top drawer of my (and every other employee here) desk. Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware."

come on...with all due respect you mean to tell me that you cant memorize 15 characters? Military Intelligence! OK!
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Skinhit
Join Date 11/2004
+516
Reply #21 January 2, 2007 12:22:49 AM
from WinCustomize ForumsWinCustomize Forums
The next step is to train a person on how to generate a password using those requirements so that they remember the password.


or maybe the next step would be hiring people who can remember 15 character passwords...lol
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
infideldawg
Join Date 10/2002
0
Reply #22 January 2, 2007 1:37:26 AM
from WinCustomize ForumsWinCustomize Forums
I feel your pain, greywar. From your avatar, we may very well be in the same place (igotcha).

Don't forget that you also can't use any of your last 25 15-letter passwords, so you alxo have to keep a complete record of them. Not just army though...it's DoD-wide.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Stephen
Join Date 01/0001
+13
Reply #23 January 2, 2007 1:44:08 AM
from JoeUser ForumsJoeUser Forums
Great!
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
momijiki
Join Date 01/2004
+52
Reply #24 January 2, 2007 6:03:48 AM
from JoeUser ForumsJoeUser Forums
"15 character passwords that are written down in the top drawer of my (and every other employee here) desk. Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware."

come on...with all due respect you mean to tell me that you cant memorize 15 characters? Military Intelligence! OK!


Skinhit, I can't tell if you are trying to be sarcastic, but just in case your simply being an ass, you did read the part where he said he has to deal with 100 different 15 character passwords?

And because I seem to have left my funnybone back in 2006, I'm going to add to the comment that your attempt at sarcasm (if that bit of lameness was an attempt) fell short of the mark, or looking at the criteria you seem to deem needed to work for DoD, you are more than qualified to apply.
Reason for Karma (Optional)
Successfully updated karma reason!
greywar
Jafo
Join Date 03/2001
+1830 sdemployee
Reply #25 January 2, 2007 8:28:38 AM
from WinCustomize ForumsWinCustomize Forums

We've been using biometric scanners at our work for almost a couple years already and I personally love it.

My uncle had a business providing a database/info of credit-worthiness of people....this is years ago, before the upsurge/advent of bankcards/credit cards, etc.

He eventually went from paper-file to computer...back around 1973.....needless to say it wasn't some 'PC'...but a monsterous bugger from Honeywell ...magnetic tape...own room....positive ventilation...no sprinklers....but it DID have a fingerprint [or maybe palm-print] reader to access the room.

Ain't nothin' new in the world....

Reason for Karma (Optional)
Successfully updated karma reason!
2 Pages1 2 
View all recent posts
Mark all posts as read Delete cookies created by the forum Return to Top
Stardock Forums v        Server Load Time:   Page Render Time:
About us | Contacts | Privacy Statement | Register
©1995-2025 Stardock Entertainment. Galactic Civilizations is a registered trademark of Stardock Entertainment. Steam and the Steam logo are trademarks and/or registered trademarks of Valve Corporation in the U.S. and/or other countries. Bank Gothic is a trademark of MyFonts and may be registered in certain jurisdictions. All rights reserved.