<RANT MODE ON> IT password policies
Is it just me or does anyone think that some of the ridiculous password policies that IT departments impose on their networks has really gotten out of hand?
I can COMPLETELY understand the need for security, but in my mind, the need for a 12+ length alpha-numeric-special character password with no duplicate characters and at least 2 capital letters and 2 special characters opens the door for a whole new security risk!
If someone has to remember 10 different passwords for different applications, none of which can be the same, expire every 30 days, can't be the same as any other password used in the past 16 months, and fall into the description I listed above now introduces the need to potentially have to write the passwords all down - leaving the passwords somewhere that someone might find them, whether it be intentional or accidental.
Fingerprint readers are the way to go I think!
Anyone else have any thoughts on the matter?
- 07-31-2010, 07:40 PM #2
the shorter the password, the easier it is to hack. I agree it can be a little crazy, but that's the price you pay for access to information outside of an area you can only access at certain times of the day.
my email password is 13 char long. but that's only because I was hacked once and don't want to make it easy for them a second time :P
- 07-31-2010, 10:59 PM #3
- 08-01-2010, 10:00 PM #4
hey my buddy has a storm2 and the BES security slows it down to a crawl.
I am the one that emailed the podcast a few times because of my brother's company IT dept refuses to support android....until the CFO stepped in.
- 08-02-2010, 02:38 PM #5
- 08-02-2010, 06:40 PM #6
- 08-02-2010, 07:08 PM #9
1. If you leave your password on your desk where I work you'll find that pretty quickly it doesn't work anymore because if IT sees it they'll reset your password. Do it often enough and you won't work there anymore.
2. I'm not concerned about people with building access getting into my system, I'm concerned about you people on the interwebs breaking in.
3. If I have physical access to your system, I don't need your password
Try using a secure password manager. Really, it's not that hard to memorize a few strong passwords and then just vary them a bit as you need to cycle them out.
- 08-02-2010, 07:15 PM #11
And it only takes one guy with a password that can be cracked by a dictionary attack to do a hell of a lot of damage. It's all about whether you'd rather protect yourself from people inside your building and on your security cameras or from people on the Internet and logged in your firewall.
- 08-02-2010, 07:53 PM #12
- 263 Posts
I work for the Government so I not only have five or six different passwords to remember. But to enter the building I need a card to flash past an electronic device, then the same card to go past the secured lobby into the remainder of the building. (I could have them buzz me into the lobby, but faster to scan the card.) When I pull mine or the company vehicle into the back past the electronic gate, I need to scan the card again.
If I go to a larger government facility with a metal detector and a rent a cop, I need to scan my card so I can pass through the metal detector since I am sure to set it off, but I also have to flash ID on the way through.
I won't even discuss what happens if I have to fly to somewhere, and if I have to visit Washington DC.
I believe it might be easier just to have my forehead programmed.
- 08-03-2010, 12:22 PM #13
And yes, I know that having a signed policy stating "I will not write my passwords in a notebook" isn't going to stop people from doing it. But it does two major things: #1, it passes the blame onto them if something goes wrong instead of me. #2, it puts those employees in violation of company policy which causes them to have to deal with the repercussions (as mean as that sounds).