<RANT MODE ON> IT password policies

jwhipple

Member
Jul 10, 2010
10
0
0
Visit site
Is it just me or does anyone think that some of the ridiculous password policies that IT departments impose on their networks has really gotten out of hand?

I can COMPLETELY understand the need for security, but in my mind, the need for a 12+ length alpha-numeric-special character password with no duplicate characters and at least 2 capital letters and 2 special characters opens the door for a whole new security risk!

If someone has to remember 10 different passwords for different applications, none of which can be the same, expire every 30 days, can't be the same as any other password used in the past 16 months, and fall into the description I listed above now introduces the need to potentially have to write the passwords all down - leaving the passwords somewhere that someone might find them, whether it be intentional or accidental.

Fingerprint readers are the way to go I think!

Anyone else have any thoughts on the matter?
 
Last edited:

Menno

Coffee Addict
Nov 9, 2009
659
76
0
Visit site
the shorter the password, the easier it is to hack. I agree it can be a little crazy, but that's the price you pay for access to information outside of an area you can only access at certain times of the day.

my email password is 13 char long. but that's only because I was hacked once and don't want to make it easy for them a second time :p
 

aquaboy1976

Active member
Jul 4, 2010
41
0
0
Visit site
I understand the need for security as well, but couldn't they lighten up on the restriction a little bit? I'm no security expert, but is it really necessary to change the password every 30 days with such complex passwords?
 
Apr 26, 2010
4,335
258
83
Visit site
hey my buddy has a storm2 and the BES security slows it down to a crawl.
I am the one that emailed the podcast a few times because of my brother's company IT dept refuses to support android....until the CFO stepped in.
 

88 FLUX

Well-known member
Apr 29, 2010
665
35
0
Visit site
I fully support the use of complex passwords and password expiration for various reasons. But I may also be biased due to the fact that I'm an IT administrator.
 

jwhipple

Member
Jul 10, 2010
10
0
0
Visit site
I fully support the use of complex passwords and password expiration for various reasons. But I may also be biased due to the fact that I'm an IT administrator.

So you would rather have these ultra-strong password requirements and make it that much easier to figure out a password because someone WROTE THEM DOWN? You might as well do away with the password requirement then.
 

jwhipple

Member
Jul 10, 2010
10
0
0
Visit site
the shorter the password, the easier it is to hack. I agree it can be a little crazy, but that's the price you pay for access to information outside of an area you can only access at certain times of the day.

my email password is 13 char long. but that's only because I was hacked once and don't want to make it easy for them a second time :p

And yet, the stronger the password is, the easier it is to hack - simply because you don't need to hack it - you just look at the paper that the password is written on and type it in.
 

jdbower

Well-known member
Jul 2, 2010
615
59
0
Visit site
And yet, the stronger the password is, the easier it is to hack - simply because you don't need to hack it - you just look at the paper that the password is written on and type it in.

A couple of issues with that:

1. If you leave your password on your desk where I work you'll find that pretty quickly it doesn't work anymore because if IT sees it they'll reset your password. Do it often enough and you won't work there anymore.

2. I'm not concerned about people with building access getting into my system, I'm concerned about you people on the interwebs breaking in.

3. If I have physical access to your system, I don't need your password :)

Try using a secure password manager. Really, it's not that hard to memorize a few strong passwords and then just vary them a bit as you need to cycle them out.
 

jwhipple

Member
Jul 10, 2010
10
0
0
Visit site
It only takes 1 occasion of 1 person leaving their password somewhere it can be found for a whole hell of a lot of damage to be done.
 

jdbower

Well-known member
Jul 2, 2010
615
59
0
Visit site
And it only takes one guy with a password that can be cracked by a dictionary attack to do a hell of a lot of damage. It's all about whether you'd rather protect yourself from people inside your building and on your security cameras or from people on the Internet and logged in your firewall.
 

anon(40376)

Well-known member
Jul 15, 2010
1,636
13
0
Visit site
I work for the Government so I not only have five or six different passwords to remember. But to enter the building I need a card to flash past an electronic device, then the same card to go past the secured lobby into the remainder of the building. (I could have them buzz me into the lobby, but faster to scan the card.) When I pull mine or the company vehicle into the back past the electronic gate, I need to scan the card again.

If I go to a larger government facility with a metal detector and a rent a cop, I need to scan my card so I can pass through the metal detector since I am sure to set it off, but I also have to flash ID on the way through.

I won't even discuss what happens if I have to fly to somewhere, and if I have to visit Washington DC.

I believe it might be easier just to have my forehead programmed.
 

88 FLUX

Well-known member
Apr 29, 2010
665
35
0
Visit site
So you would rather have these ultra-strong password requirements and make it that much easier to figure out a password because someone WROTE THEM DOWN? You might as well do away with the password requirement then.

And yet, the stronger the password is, the easier it is to hack - simply because you don't need to hack it - you just look at the paper that the password is written on and type it in.

There are also company policies in place to prohibit the writing down of passwords in a notebook or other such item. Every password of mine that I store is in an encrypted database and/or my BlackBerry's password keeper which is protected by a single complex password.

And yes, I know that having a signed policy stating "I will not write my passwords in a notebook" isn't going to stop people from doing it. But it does two major things: #1, it passes the blame onto them if something goes wrong instead of me. #2, it puts those employees in violation of company policy which causes them to have to deal with the repercussions (as mean as that sounds).