Slashdot Mirror


Are Often-Changed Long Passwords Really Secure?

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?" "I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"

16 of 233 comments

  1. Um my password is.. by strikehosting · · Score: 2, Funny

    My password is password. (keep it quiet!)

  2. My voice is my passport.... by MikeyToo · · Score: 5, Funny

    verify me.

    --
    "Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
  3. Re:This is the reason by Anonymous Coward · · Score: 3, Funny

    Try googling for "bum scanner". Bum scanners are much more accurate than thumb scanners, because of the larger size of the inspected area.

    NEW! Now it comes with extra sneak-peak functions to record female employees, erm, significantly identify-able parts!


    It's a joke, laugh.

  4. Changing passwords by tod_miller · · Score: 3, Funny

    Is silly, if you stop brute force... with intrusion detection systems, if a password does get lost, why give yourself a 45 day (average) allowance? so it is ok for someone to have a password for 45 days, but not longer.

    Also, the root password for my laptop is 'swordfish' (oh halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon based lifeforms.) but no one has hacked it yet for 3 reasons:

    1: It is linux, therefore unhackable, even with r00t password
    2: It has no networking capability
    3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...

    So have some auditing and heuristic behaviour analysis. Use one time passwords, rigorously check all intrusions based on internal/external. Follow up a failed password attempt with a human call (SOMETIMES computers can be the weak link in security) ;-)

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  5. Translation by skinfitz · · Score: 4, Funny

    Is there any research to support whether such requirements actually increase security?

    Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.

  6. Make the user responsible by Dammital · · Score: 2, Funny

    Expirations and complex rules for passwords are lame and work at cross-purposes. So here's what you do: allow your employees to assign any password they like, with the understanding that you are going to try to crack 'em. If you are successful, then they're fired.

    Just. Like. That.

  7. "Help me!" by dtfinch · · Score: 3, Funny

    "I forgot my password! It changes too often."

    You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.

  8. Alternating alphanumerics by RoboRay · · Score: 3, Funny

    I'm actually not allowed to use two consecutive letters in my password to one government system. Every letter must be followed by a number. It also must be 8 characters, no more, no less, and can't contain any punctuation or special symbols. It changes every 90 days. And you can't reuse old passwords, either. Ever.

    So, my first password was A1A1A1A1. Guess what my next one was?

  9. Re:This is the reason by ArsonSmith · · Score: 1, Funny

    because of the larger size of the inspected area.

    Only useful in the US

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  10. Company handed me passwords..accidentally by dmorin · · Score: 4, Funny

    The bank I worked for implemented a "change your password every 60 days" rule the same year they handed us one of those motivational desktop calendars that had a word of the month like "teamwork", "integrity", and so on. The password checker would not let you repeat your previous passwords, but it did NOT check for dictionary words! So whenever it nagged me to change words I would just reach up to the desk calendar, flip over to the next month, and type in the word of the month. Certainly solved the "where can I write it down" problem. Anybody walking into my office would just think that I did not keep the calendar up to date.
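The two failure modes raised so far, the question's incremental "fuzzy1cat, fuzzy2cat" passwords and dmorin's calendar words slipping past a history-only check, come down to what the server-side policy actually tests. The following is an added Python illustration written for this page, not code from the thread or from any product mentioned in it: `basic_policy` implements only the rules the question lists (8 alphanumeric characters, no exact reuse), and `strict_policy` adds the dictionary, near-duplicate and repeated-pattern checks that catch the examples in the thread. The word list, the 0.75 similarity threshold and the function names are all assumptions chosen for the demonstration; a deployment would use a full cracking dictionary and compare against stored password history.

```python
"""Compare an exact-match password policy against one that also rejects
trivially derived passwords. Added illustration; constructed sample data."""
import difflib
import re

# Constructed, deliberately tiny word list; a real check loads a full
# cracking dictionary (and the company's calendar words, if it hands them out).
DICTIONARY = {"password", "teamwork", "integrity", "swordfish", "fuzzy", "cat"}

# Illustrative threshold: SequenceMatcher ratio above which a candidate counts
# as a cosmetic edit of a previous password (1.0 = identical).
MAX_SIMILARITY = 0.75


def basic_policy(candidate, history):
    """Only the rules the question lists: >= 8 alphanumeric chars, not reused.

    Returns a list of problem codes; an empty list means the password passes.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("too_short")
    if not candidate.isalnum():
        problems.append("not_alphanumeric")
    if candidate in history:           # exact match only, as dmorin's bank did
        problems.append("reused")
    return problems


def strict_policy(candidate, history):
    """basic_policy plus the checks that catch the thread's workarounds."""
    problems = basic_policy(candidate, history)
    lowered = candidate.lower()
    letters_only = re.sub(r"\d", "", lowered)

    # Calendar-word case: the password, with any digits stripped, is a word.
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        problems.append("dictionary_word")

    # fuzzy1cat -> fuzzy2cat case: a small edit of an earlier password.
    for old in history:
        ratio = difflib.SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append("near_duplicate")
            break

    # A1A1A1A1 case: a unit of 1-3 characters repeated to fill the length.
    if re.fullmatch(r"(.{1,3})\1{2,}", candidate):
        problems.append("repeated_pattern")

    return problems


if __name__ == "__main__":
    # Constructed cases taken from the scenarios described in the thread.
    cases = [
        ("fuzzy2cat", ["fuzzy1cat"]),   # the question's pet-name rotation
        ("teamwork", ["integrity"]),    # dmorin's word-of-the-month
        ("A1A1A1A1", []),               # alternating letter/digit rule
        ("swordfish", []),              # tod_miller's root password
    ]
    for candidate, history in cases:
        print(f"{candidate:10} basic={basic_policy(candidate, history)} "
              f"strict={strict_policy(candidate, history)}")
```

Every one of the sample candidates passes `basic_policy`, which is the point of the thread: a length and history check alone accepts exactly the passwords users fall back on when forced to rotate. The similarity check is the one that directly addresses the 90-day complaint, since it refuses the "bump the digit" strategy rather than merely the literal repeat.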

  11. Re:You don't have to remember them all by varuul · · Score: 2, Funny

    I use a ROT-26 encrypted text file for that transparent security.

  12. Re:Long passwords by zcat_NZ · · Score: 3, Funny

    Q276304 - Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

    A Microsoft Windows error message as reported by comp.risks 21.37

    --
    455fe10422ca29c4933f95052b792ab2
  13. Re:This is the reason by Phleg · · Score: 4, Funny

    Excuse me, sir, but I believe you spelled ridiculous correctly. This is Slashdot; the correct use is "rediculous".

    --
    No comment.
  14. Re:Desk by Aurix · · Score: 2, Funny

    "Do you have any suggestions for a passworld vault?" ... hehe, sorry, I have to bite, MS Passport? :P

  15. Re:passwords.... by Winkhorst · · Score: 3, Funny

    I create my passwords using an Epsilon II Password Generator I swiped off of a UFO when they thought I was hypnotized. The only problem is I have to transliterate and transnumerate from the Glog Language Standard to the Latin alphabet and Arabic numerals. As soon as I get this mini-super-computer I also swiped working I can do all that automatically.

    --
    "Is this Winkhorst a nova criminal?" "No just a technical sergeant wanted for interrogation."
  16. Well, that's nice and all... by raehl · · Score: 2, Funny

    are retrieved on presentation of a thumb

    Do you get the thumb back, at least?