
OT: Desktop Password Rules are Dumb



https://www.zdnet.com/article/hate-silly-password-rules-so-does-the-guy-who-created-them/

 

Nobody likes them, especially your IT department. Why?

 

Because 50-70% of a company's IT budget is for staff support to fix password issues (IOW, "ahh sh&^&, I can't get into my email, blah blah").

 

Imagine, spending 4 years in college preparing for an exciting IT career only to spend several years in the trenches fixing users' password confusion.

 

OK, this is how it "should" work:

 

- turn on desktop computer

- boots up to the lock screen. Only 4 characters needed; type them

- all your desktop apps, Internet chat forum accounts, your bank account, your 401k, email, your Amazon Prime, YouTube, SoundCloud, your Guitar Center shopping account, etc., etc. all go direct to your Account Data or whatever profile page.

 

Now get to work or mess around on the Internet more efficiently.

 

Note I said nothing about mobile devices, like the precious smart phone or iPad.

Since they are obvious theft targets or get left at the local Starbucks, these devices might be worthy of more protection.

 

Anyway, that's the simple home/business computer life as I see it.

 

Why not ?

 

 

Why fit in, when you were born to stand out ?

My Soundcloud with many originals:

[70's Songwriter]


Anytime you centralize a repository, you are inviting theft targets. Every Fortune 500 and major retail establishment I've worked for (roughly 75) has had serious incursions that resulted in password theft. These are companies that use world-class security.

 

Single sign-on CAN work, but usually, to be really effective, you need a hardware component. My work computer uses a YubiKey (USB dongle). I have a 6-digit PIN that replaces all of the passwords I use on my company's systems (there are 8 different passwords).

 

And in terms of crazy rules, as musicians, we have a fun way to create passwords with restrictive requirements. The trick is to stay consistent. For example, I used to use nonsense sentences, with consistent structure and "replacement characters". One password group:

 

B4ck!nBl4ck

H3llaB3lls

D1rtyD33dsD0n3

So, AC/DC songs, up to the first three words, with vowels (except y) changed to numbers or special characters.

 

Or:

!isEXCLAMATION

,isCOMMA

As long as you are consistent and it meets the password criteria, it should be fairly easy to create memorable passwords that are unique and robust.

 

As a keyboardist, I also like arpeggiating across the computer keyboard, so you have shapes instead of words.

 

I'm sure you get the idea.

 

I use Dashlane to consolidate my personal passwords, and they are fairly confident that they cannot be hacked, but do you really believe that?

 

But back to the point, I have nothing but sympathy for IT departments, but I know very few industries that are still deploying desktop PCs en masse, and I presently work for an ultra-secure and ultra-conservative company.

"For instance" is not proof.

 

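To make the song-title scheme in the post above concrete, here is an added example (my code, not the poster's) that builds a password the way the post describes, checks it against a typical complexity rule, and then shows the same transformation from the attacker's side: the vowel swaps written as wordlist-mangling rules, so that every password the scheme can produce is one entry of a title list times one of a handful of rules. The SUBS table beyond the four swaps the post shows, and the TITLES list standing in for a cracking wordlist, are constructed assumptions.

```python
import itertools

# Per-vowel substitution alternatives for the scheme the post describes.
# The post shows a->4, e->3, i->1 or !, o->0; the u->_ entry is my assumption.
SUBS = {"a": ["4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "u": ["_"]}

# Constructed stand-in for the attacker's wordlist: a few song titles.
TITLES = [
    "Back in Black",
    "Hells Bells",
    "Dirty Deeds Done Dirt Cheap",
    "Highway to Hell",
    "Thunderstruck",
]


def title_base(title, words=3):
    """Keep the first `words` words of a title and join them without spaces."""
    return "".join(title.split()[:words])


def title_password(title, mapping, words=3):
    """Build a password the way the post does: truncate the title, then swap
    each vowel for the chosen digit or symbol. `mapping` is one fixed choice
    per vowel, e.g. {"a": "4", "e": "3", "i": "!", "o": "0", "u": "_"}."""
    return "".join(mapping.get(ch, ch) for ch in title_base(title, words))


def meets_policy(pw, min_len=8):
    """A typical 'complexity' rule: minimum length plus all four character classes."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def substitution_rules(subs):
    """One rule line per combination of vowel choices, in the `sXY`
    (replace every X with Y) syntax that hashcat and John the Ripper use."""
    vowels = sorted(subs)
    return [" ".join(f"s{v}{r}" for v, r in zip(vowels, combo))
            for combo in itertools.product(*(subs[v] for v in vowels))]


def apply_rule(word, rule):
    """Apply a whitespace-separated sequence of `sXY` tokens to `word`."""
    for tok in rule.split():
        if len(tok) == 3 and tok[0] == "s":
            word = word.replace(tok[1], tok[2])
    return word


def candidates(titles, rules, words=3):
    """Everything a wordlist-plus-rules attack would try for this scheme."""
    return {apply_rule(title_base(t, words), r) for t in titles for r in rules}


def is_guessable(pw, titles=TITLES, subs=SUBS):
    """True when the password falls inside the attacker's generated set."""
    return pw in candidates(titles, substitution_rules(subs))


if __name__ == "__main__":
    mapping = {"a": "4", "e": "3", "i": "!", "o": "0", "u": "_"}
    pw = title_password("Back in Black", mapping)
    print(pw, "policy ok:", meets_policy(pw), "guessable:", is_guessable(pw))
    for rule in substitution_rules(SUBS):
        print("rule:", rule)
```

The size of the candidate set is the number of titles in the attacker's wordlist times the number of substitution combinations (two here), and a rule engine walks that set in a fraction of a second no matter how many character classes each password contains. The consistent structure that makes these passwords easy to remember is exactly what makes them easy to enumerate.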

There's a lot of things that could and should work better about the interwebs, but ads/thieves make it so it's a PITA.

 

Our company is just getting around to realizing that longer "pass phrases" that people have a chance at remembering are better than goofy unreadable ones with special characters in them.



I was listening to a debate that asserted 'passwords don't work'. I won't repeat the reasons; folks in IT, who see a bigger picture, made the statements. It was convincing to my ears.

 

I was also thinking about a slide-in hardware solution. I like the YubiKey.

Why fit in, when you were born to stand out ?

My Soundcloud with many originals:

[70's Songwriter]


Our work computers, including apps and network access, have all gone to Windows authentication. In other words, once you log into Windows, opening any Office 365 app gets its authentication automatically from Windows, as do things like Webex, intranet sites, etc. If I'm accessing any of that stuff from my mobile device, login credentials are the same as they are for Windows on my laptop. However, this is all work-related stuff - doesn't help for my Keyboard Forum password, or Google Calendar, or Amazon, or anything else.

 

They do require us to change our passwords every 3 months or we get locked out of everything.

Dan

 

Acoustic/Electric stringed instruments ranging from 4 to 230 strings, hammered, picked, fingered, slapped, and plucked. Analog and Digital Electronic instruments, reeds, and throat/mouth.


One thing that complicates things is that each different application, web site, or other system each has its own way of making a user log in, of keeping track of who the valid users are, and of keeping track of which subsets of those users might be allowed to perform certain "higher privilege" actions which are disallowed for others.

 

In the general case, these applications or web sites cannot rely on some other app or web site to do this job for them. In addition, the method by which permissions to access more sensitive functions within an application are granted is not standardized. While a security techie might say "hey, you can use OAuth to standardize this", I will promise you that the bulletin board software used by Keyboard Corner is not going to be rewritten to use OAuth.

 

Every once in a while, a new piece of security technology actually makes people's everyday lives easier and more secure at the same time. The fingerprint authentication available on iPhones and Android devices is one such case - in my opinion, this is a more usable and secure method than making an end user type in a pin or password every time their phone auto-locks. Of course, this approach would not be viable except for the fact that a large percent of our population has been convinced to carry an expensive and short-lived technical device everywhere we go. So it's not a free solution.


Total PIA for sure. The problem is multifaceted. Take any one of the many huge companies most of us use. We and they can have the best security ever invented, but if an insider gets upset, bribed or whatever into downloading onto a thumb drive millions upon millions of users' info, whattagonnado? Or, as what happened with a recent presidential candidate, a high-level insider decided to use "password" as his password, or another high-level person decides to download all kinds of confidential data on a thumb drive and just walk out with it, then all your best security is out the window. Think WikiLeaks, think Home Depot, Experian, Sony and who knows how many others. And that's just private sector; look at high-level government security like the GSA hack a few years ago. It's a joke. A lot of these hacks are not reported for many months or years after the fact. If ever.

 

It doesn't matter what we do as individuals; if a company we do business with or are associated with or were an employee of or whatever gets hacked, there goes all of our personal info into the Dark Web.

 

The only prudent thing to do is to assume for a fact that your personal info and by that I mean ALL OF IT is out there. Banks will guarantee your credit cards and bank balances against theft as long as you report it to them within 30 days which means you can't be brain dead and not check your accounts like weekly at least.

 

The next thing is taxes. I'm a tax pro and I've been telling clients for years, come to me ASAP, early in tax season, as soon as you get your tax docs, because it's becoming first come first served with the IRS. By that I mean tax fraud based on identity theft. A thief has gotten your SSN, employer info, birthday, address, all that good stuff, and the minute e-filing starts, files a false return in your name. He creates a typical refund like 3-5K and has it sent to a new address or debit card. You file your real return a month later and it gets rejected by e-file. The reject code says the return has already been filed. Now, this ultimately doesn't cost you anything, but it takes several months to sort out. Whatever refund the IRS sent out is their problem, not yours, but if you really need that refund, it can cause you problems having to wait. Now, why you would be counting on a government tax refund is another issue, but millions do.

 

There's so much going on under the surface that the average person knows squat about. I've been to seminars about this stuff and it's very sobering I'll tell you.

 

Just one last point out of many I could write about. If you're online using Windows you need to be on Win10 with all current updates. Not Win7, or 8, and certainly not XP. It's not just the OS, it's also the hardware. New CPUs and mobos all have integrated security features designed to get the most security in concert with the OS. Running Win 10 on 8-year-old hardware won't cut it from a security POV. I'm not going to go into all the reasons, and I definitely do not want to hear there's no problem with Win 7 or whatever. BS there isn't.

 

Bob

 

 

Hammond SK1, Mojo 61, Kurzweil PC3, Korg Pa3x, Roland FA06, Band in a Box, Real Band, Studio One, too much stuff...

I have to have 6 or 8 passwords for different enterprise apps. I try to set them all the same, but eventually they require updates at different times and diverge. To save my IT dept from "ahhh 1@#$$ I forgot my butt", I save files that tell me what I last set it to. A hacker simply has to find that file and the world unlocks.

 

He can change my profile picture in Workday; theoretically he could file a termination for one of my employees; he can read customer complaint reports, nonconformance reports; he can look up an SN device production record, and so much more.

 

He can even order me some new IT gear so I can start it all anew. Lol

 

For all social apps, such as this, I use a simple PW. I don't care if someone reads my stuff; I assume it's all being read by the dark underlords anyway. I don't post what I would be ashamed to publish. (As you have seen, I'm not easily shamed :)). I apply extra digits, symbols and tricks to the very few PWs I really care about - such as banking. I never use that same PW anywhere else.

The baiting I do is purely for entertainment value. Please feel free to ignore it.

Why are we discussing stuff that can help people hack us if they find out who we are when we can't discuss gig money due to being afraid of people knowing who we are? :laugh:

 

 

All kidding aside, I prefer to have different stuff for a bunch of different sites and accounts. Hand-written and/or in an encrypted document. Not foolproof but I don't trust the big tech giants with my stuff since they've had major hacks in the past. No way.

 

 

Ya know, we could always just write everything in reverse, and store it in a big safe accessible through a trap door...

Yamaha: Motif XF8, MODX7, YS200, CVP-305, CLP-130, YPG-235, PSR-295, PSS-470 | Roland: Fantom 7, JV-1000

Kurzweil: PC3-76, PC4 (88) | Hammond: SK Pro 73 | Korg: Triton LE 76, N1R, X5DR | Emu: Proteus/1 | Casio: CT-370 | Novation: Launchkey 37 MK3 | Technics: WSA1R

Former: Emu Proformance Plus & Mo'Phatt, Korg Krome 61, Roland Fantom XR & JV-1010, Yamaha MX61, Behringer CAT

Assorted electric & acoustic guitars and electric basses | Roland TD-17 KVX | Alesis SamplePad Pro | Assorted organs, accordions, other instruments


According to CNN Business:

 

The top 10 most common passwords were:

 

1. 123456

2. 123456789

3. qwerty

4. password

5. 111111

6. 12345678

7. abc123

8. 1234567

9. password1

10. 12345

 

 

I don't see how most of these are even possible anymore. Your password isn't very strong when you have to write it on a post-it note and stick it to your computer to remember it. I have text files saved of my various passwords, so if somebody got into my laptop they'd have all my passwords.

 

Side Note....I was setting up an old band web site years ago with the hosting service "JustHost". After much runaround and ridiculous password restrictions, I took great pleasure talking to their tech support and telling them my password, which was F*ckJustHost1234!

 

Note: the * is for forum purposes as the ! fulfilled the extra character. Had to have more than 8 characters, upper AND lowercase letters, numbers, and special characters. I've never forgotten that password.

Dan

 

Acoustic/Electric stringed instruments ranging from 4 to 230 strings, hammered, picked, fingered, slapped, and plucked. Analog and Digital Electronic instruments, reeds, and throat/mouth.


In my workplace we recently rebuilt our infrastructure, adding many layers of authentication, including the requirement for unique certificates on connecting machines, following a brute-force attack. Our research on passwords came to the same conclusion as your workplace.

 

Relevant to this forum, my password is now a sentence similar to "Hammond anything else is a clone" (with due acknowledgement to Ed). Pop that into one of the reputable online password checkers and see how long that would take to crack.

A misguided plumber attempting to entertain | MainStage 3 | Axiom 61 2nd Gen | Pianoteq | B5 | XK3c | EV ZLX 12P

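The passphrase-versus-complexity point made in the last two posts comes down to arithmetic, so here is an added example (my code, not either poster's) that does the sums offline: nominal entropy in bits for several password shapes, including the "capital, five lowercase, digit, symbol" layout that satisfies most rules, a dictionary-word-times-mangling-rule scheme like the song-title one earlier in the thread, and multi-word passphrases, together with the expected time to guess each at an assumed offline rate of 1e10 guesses per second. That rate, the vocabulary sizes and the assumption that words and characters are chosen uniformly are all stated assumptions; a sentence a person composes is less random than a uniform pick, so the passphrase figures are upper bounds.

```python
import math

# Assumed attacker: an offline GPU rig against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def bits_random(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_pattern(*slot_sizes):
    """Entropy of a password built one slot at a time, e.g. the common
    'Capital + 5 lowercase + digit + symbol' layout that satisfies most rules."""
    return sum(math.log2(n) for n in slot_sizes)


def bits_passphrase(n_words, vocabulary):
    """Entropy of `n_words` picked uniformly and independently from a vocabulary."""
    return n_words * math.log2(vocabulary)


def bits_wordlist_rules(n_words, n_rules):
    """A dictionary word plus one mangling rule (leet swaps, appended digits)."""
    return math.log2(n_words * n_rules)


def crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the keyspace at `rate` guesses/s."""
    return (2.0 ** bits) / rate / 2


def humanize(seconds):
    """Render a duration in the largest unit that fits, for side-by-side reading."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def compare():
    """Nominal strength and expected crack time for several shapes a user might pick."""
    schemes = {
        "8 chars, all 95 printables, truly random": bits_random(8, 95),
        "8 chars, Ulllll-d-s pattern": bits_pattern(26, 26, 26, 26, 26, 26, 10, 32),
        "leet-substituted title, 10k titles x 2 rules": bits_wordlist_rules(10_000, 2),
        "4 random words from a 7,776-word list": bits_passphrase(4, 7776),
        "6 random words from a 10,000-word list": bits_passphrase(6, 10_000),
        "16 chars, all 95 printables, truly random": bits_random(16, 95),
    }
    return {name: (round(b, 1), humanize(crack_seconds(b))) for name, b in schemes.items()}


if __name__ == "__main__":
    for name, (bits, ttc) in compare().items():
        print(f"{bits:6.1f} bits  {ttc:>24}  {name}")
```

The interesting row is the patterned 8-character password: it passes every rule in the list further down the thread yet sits around 36 bits, a few seconds of work for the assumed attacker, while a 6-word phrase from a modest vocabulary is out of reach even as an upper bound. Running the numbers locally also avoids pasting a real password into a web form to find out how strong it is.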


I like the funny comparison. I will take it to the absurd.

 

I made $100,000 in gig money. See? Easy to BS with fiction.

 

My IRS return gets hacked. The hacker gets total fact. Not total fiction.

 

There is a difference ;)

Why fit in, when you were born to stand out ?

My Soundcloud with many originals:

[70's Songwriter]



If we have some time to nerd out, it would be fun to imagine passwords of the rich and famous:

 

Kim Kardashian

Bill Gates

Jeff Bezos

Mick Jagger

Lady Gaga

Paris Hilton

 

and so on...

Why fit in, when you were born to stand out ?

My Soundcloud with many originals:

[70's Songwriter]


I use a stand-alone device called a digital password vault. Doesn't do anything special, just replaces scraps of paper. But if anyone finds it, and figures out its password, they would have access to all my passwords. So I keep it hidden behind the fifth brick from the left in my fireplace in the den.

 

While we're on the subject, what are your opinions on having an iPad store passwords, and having them entered using thumbprints or facial recognition? I've shied away from it so far.

I would like to apologize to anyone I have not yet offended. Please be patient and I will get to you shortly.

Yes, I have a 5-page Word doc with all my passwords.

 

I keep the printout on the front dash of my car.

This is because I never know when Amazon will institute its fabulously annoying 4 layer

password security gauntlet. And it's always different per device.

 

Of course, if I open my car window , there is a chance my 5 page doc will blow out the window on the freeway. I am fairly certain nobody cares about my secret place. :D

Why fit in, when you were born to stand out ?

My Soundcloud with many originals:

[70's Songwriter]


1Password

 

I have to remember numerous, necessarily complicated passwords. This app has helped immeasurably.

I don't know most of my passwords at this point. I have a few basics I know, but the rest, every time a new site needs a new one, gets some suggested password from 1Password or iCloud Keychain. I've even begun slowly replacing the stupid and simple passwords I've used for places where I "didn't care" if they got hacked with better ones. Why? Just to be sure.

 

But if 1Password goes away, I might be f*cked. I do have most passwords in both 1Password and iCloud Keychain, so I might muddle through.

"I'm so crazy, I don't know this is impossible! Hoo hoo!" - Daffy Duck

 

"The good news is that once you start piano you never have to worry about getting laid again. More time to practice!" - MOI


I didn't see it mentioned, but www.lastpass.com is excellent. I just need to remember one master password and it will generate and remember extremely complex passwords, and even change them periodically for you.

The fact there's a Highway To Hell and only a Stairway To Heaven says a lot about anticipated traffic numbers

 

People only say "It's a free country" when they're doing something shitty-Demetri Martin

 


I'm frustrated by remembering all the different password protocols. There's never a prompt near a password field.

 

6 characters

6 characters, one must be a number

8 characters

8 characters, upper & lower case

8 characters, upper & lower case, one must be a number

8 characters, upper & lower case, one must be a number, one must be a special character

8 characters, upper & lower case, one must be a number, one must be a special character, can't be the same as any of your last 20 passwords

Etc

 

 


The IRS requires a phone text code for me to log in to E Services and that type of system is an option with many entities. First you log in with your standard username/password then they send the text with a code, you put in the code then you're in.

 

You guys should see the user agreement I had to sign since I deal with clients confidential financial stuff. I've read that this level of security has driven many older tax preparers who are not that savvy out of the business.

 

It's funny and sad how many people don't have a clue; they're mostly older, but not all. I have a client in his 50's who can't figure out how to create an account and log in to the encrypted portal I use called Secure File Pro. All he has to do is scan everything and upload it to me, but no, he can't even figure out how to use a scanner. I have to use regular mail to send and receive tax docs with him. Others know more about this stuff than I do and like the fact I use that portal.

 

I don't know where all this is going, it will probably get worse before it gets better. Maybe biometrics will be the best, who knows.

 

Bob

 

 

Hammond SK1, Mojo 61, Kurzweil PC3, Korg Pa3x, Roland FA06, Band in a Box, Real Band, Studio One, too much stuff...

Word.

 

It's been like that for a while, and it drives me out of my fucking mind.

 

Yeah, I know KeePass and all that, but I just write down every damned login credential on a piece of paper, which has magically grown to who-knows-how-many pieces of paper stapled together, and thumbtack it to my wall at home.

 

If my wall disappears, then I've got bigger problems to deal with.

 

But that's one single user. If I were made to keep track of hundreds of users and their fidelity, it would come down to relying on browser and web designers communicating with one's chosen password service.

 

"Going forward" I think two-factor schemes are a good compromise, and I'm pretty happy that most designers are on board.

 

If you forget the password or login to such-and-such a forum, it's nice, as a consumer, to be able to have the option to have a reminder sent to a secondary device.

 

And not vice versa.

 

I don't know how much the "always-on" will strain such a system, but it seems pretty much good enough for now.


Biometrics are good as an additional factor for authentication, but not as the only method of authentication. Even the iPhone forces you to enter your PIN (which is really a numeric password) the first time after you power on your iPhone (which is a good thing). Any single factor of authentication will get attacked and then compromised. The thing that makes multi-factor authentication good is that (in most cases) it makes it economically impractical for an attacker to break into your account.
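Bob's description of the IRS login (password first, then a code sent to the phone) and the post above on why a second factor raises the attacker's cost both describe the same server-side step: after the password succeeds, the server checks a short code that only the holder of a second thing can produce. Here is an added example (my code, not the IRS's, not any poster's) of that check using the time-based one-time password scheme from RFC 6238 that authenticator apps implement, standard library only. A texted code is usually a random number the server generated and stored instead, but the verify step, the constant-time compare and the replay defence are the same. The RFC's published test secret is used so the output can be checked against the RFC; the account and issuer names in the provisioning URI are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time divided by `step`."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI an authenticator app scans; the secret is base32, unpadded.
    `account` and `issuer` are placeholders supplied by the caller."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


class SecondFactor:
    """Server-side verifier for one user: accepts the submitted code for the
    current step plus or minus `window` steps (clock drift), and refuses any
    step at or below the last one that succeeded so a captured code cannot be
    replayed within the window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1   # persist this per user in a real deployment

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        now = int(at // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                      # already used, or older than one used
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison: no timing leak on how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 reference secret, for checking only
    print(provisioning_uri(secret, "user@example.com", "ExampleCo"))
    verifier = SecondFactor(secret)
    code = totp(secret)
    print("code:", code, "first use:", verifier.verify(code), "replay:", verifier.verify(code))
```

Two details matter in practice and are easy to get wrong: the comparison must be constant-time (`hmac.compare_digest`, not `==`), and the server has to remember the last accepted step, otherwise a code phished or shoulder-surfed a few seconds ago still works for the rest of the window. Rate-limiting attempts per user belongs in front of this as well, since a 6-digit code has only a million values.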

I use an application named Ascendo DataVault for storing credentials for sites (and a lot of other things, like bank account/routing, credit card info, serial numbers of things, etc)

 

The program is moderately priced, the password file is mil-grade encrypted, and it deletes everything in it if there are ten attempted logins with its own password.

It is available for Windows, MacOS, IOS devices, (and I think for Android). Backups can be made of the database. I have also printed (once) the entire database and have that paperwork stored in the safe.

 

Howard Grand|Hamm SK1-73|Kurz PC2|PC2X|PC3|PC3X|PC361; QSC K10's

HP DAW|Epi Les Paul & LP 5-str bass|iPad mini2

"Now faith is the substance of things hoped for, the evidence of things not seen."

Jim


If you want to know how bad it can get with an insider, read about the utter nightmare that Chester Bennington of Linkin Park (R.I.P.) went through. For a guy who suffered from depression, I imagine this took a big chunk out of his life. This woman should be tortured.

 

WIRED ARTICLE

"For instance" is not proof.

 


I find this surprising but the big brains who figure this stuff out consider your fingerprint to be not very secure.

 

There was actually a MythBusters episode on this, and while it took them a while to do, they were able to crack a fingerprint reader. https://www.youtube.com/watch?v=3Hji3kp_i9k

 

Evidently your face is a more secure biometric measurement than your fingerprint. Wow.

 

And weirdly they consider a four digit pin even more secure than that.

You want me to start this song too slow or too fast?

 

Forte7, Nord Stage 3, XK3c, OB-6, Arturia Collection, Mainstage, MotionSound KBR3D. A bunch of MusicMan Guitars, Line6 stuff

