<RANT MODE ON> IT password policies

[jwhipple]

Is it just me or does anyone think that some of the ridiculous password policies that IT departments impose on their networks has really gotten out of hand?

I can COMPLETELY understand the need for security, but in my mind, the need for a 12+ length alpha-numeric-special character password with no duplicate characters and at least 2 capital letters and 2 special characters opens the door for a whole new security risk!

If someone has to remember 10 different passwords for different applications, none of which can be the same, expire every 30 days, can't be the same as any other password used in the past 16 months, and fall into the description I listed above now introduces the need to potentially have to write the passwords all down - leaving the passwords somewhere that someone might find them, whether it be intentional or accidental.

Fingerprint readers are the way to go I think!

Anyone else have any thoughts on the matter?

 

[Menno]

the shorter the password, the easier it is to hack. I agree it can be a little crazy, but that's the price you pay for access to information outside of an area you can only access at certain times of the day.

my email password is 13 char long. but that's only because I was hacked once and don't want to make it easy for them a second time

 

[aquaboy1976]

I understand the need for security as well, but couldn't they lighten up on the restriction a little bit? I'm no security expert, but is it really necessary to change the password every 30 days with such complex passwords?

 

[tony bag o donuts]

hey my buddy has a storm2 and the BES security slows it down to a crawl.
I am the one that emailed the podcast a few times because of my brother's company IT dept refuses to support android....until the CFO stepped in.

 

[88 FLUX]

I fully support the use of complex passwords and password expiration for various reasons. But I may also be biased due to the fact that I'm an IT administrator.

 

[franked]

I fully support the use of complex passwords and password expiration for various reasons. But I may also be biased due to the fact that I'm an IT administrator.

x2.

 

[jwhipple]

I fully support the use of complex passwords and password expiration for various reasons. But I may also be biased due to the fact that I'm an IT administrator.

So you would rather have these ultra-strong password requirements and make it that much easier to figure out a password because someone WROTE THEM DOWN? You might as well do away with the password requirement then.

 

[jwhipple]

the shorter the password, the easier it is to hack. I agree it can be a little crazy, but that's the price you pay for access to information outside of an area you can only access at certain times of the day.

my email password is 13 char long. but that's only because I was hacked once and don't want to make it easy for them a second time

And yet, the stronger the password is, the easier it is to hack - simply because you don't need to hack it - you just look at the paper that the password is written on and type it in.

 

[jdbower]

And yet, the stronger the password is, the easier it is to hack - simply because you don't need to hack it - you just look at the paper that the password is written on and type it in.

A couple of issues with that:

1. If you leave your password on your desk where I work you'll find that pretty quickly it doesn't work anymore because if IT sees it they'll reset your password. Do it often enough and you won't work there anymore.

2. I'm not concerned about people with building access getting into my system, I'm concerned about you people on the interwebs breaking in.

3. If I have physical access to your system, I don't need your password

Try using a secure password manager. Really, it's not that hard to memorize a few strong passwords and then just vary them a bit as you need to cycle them out.

 

[jwhipple]

It only takes 1 occasion of 1 person leaving their password somewhere it can be found for a whole hell of a lot of damage to be done.

 

[jdbower]

And it only takes one guy with a password that can be cracked by a dictionary attack to do a hell of a lot of damage. It's all about whether you'd rather protect yourself from people inside your building and on your security cameras or from people on the Internet and logged in your firewall.

 

[anon(40376)]

I work for the Government so I not only have five or six different passwords to remember. But to enter the building I need a card to flash past an electronic device, then the same card to go past the secured lobby into the remainder of the building. (I could have them buzz me into the lobby, but faster to scan the card.) When I pull mine or the company vehicle into the back past the electronic gate, I need to scan the card again.

If I go to a larger government facility with a metal detector and a rent a cop, I need to scan my card so I can pass through the metal detector since I am sure to set it off, but I also have to flash ID on the way through.

I won't even discuss what happens if I have to fly to somewhere, and if I have to visit Washington DC.

I believe it might be easier just to have my forehead programmed.

 

[88 FLUX]

So you would rather have these ultra-strong password requirements and make it that much easier to figure out a password because someone WROTE THEM DOWN? You might as well do away with the password requirement then.

And yet, the stronger the password is, the easier it is to hack - simply because you don't need to hack it - you just look at the paper that the password is written on and type it in.

There are also company policies in place to prohibit the writing down of passwords in a notebook or other such item. Every password of mine that I store is in an encrypted database and/or my BlackBerry's password keeper which is protected by a single complex password.

And yes, I know that having a signed policy stating "I will not write my passwords in a notebook" isn't going to stop people from doing it. But it does two major things: #1, it passes the blame onto them if something goes wrong instead of me. #2, it puts those employees in violation of company policy which causes them to have to deal with the repercussions (as mean as that sounds).