Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Complexity in the Enterprise?

Posted by ryuzaki0 on from the have-you-tried-remembering-line-noise-before dept.

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

5 of 216 comments (clear)

  1. That's not too strange by Anonymous Coward · · Score: 4, Insightful

    Those requirements don't sound too tough, though 16 charaters is a little long.

    As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

    Example:
    Slashdot is full of bad grammer,misspellings and inaccuracy

    =

    s1F0bgMaI

    The phrase is easy to remember; the number and uppercase substitutions come with repetition.

  2. So what's to keep you... by Flimzy · · Score: 4, Insightful
    ...from simply rotating the password?

    Jan: 0123456789abcDE_
    Feb: 123456789abcDE_0
    Mar: 23456789abcDE_01

    You get the idea

    No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.

  3. Re:Never assume your company won't be targeted. by vldragon · · Score: 3, Insightful

    In all reality the long password idea is great. However once you have a 16 digit password it no longer really matters if you mix it with numbers and special charaters. This is from an article on password myths: "Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker's dictionary, which includes 2,254 words. There are 40 characters in this password. The character set those characters are chosen from consist of uppercase and lowercase English characters, or 52 characters in total. That means there are a total of 4.45×1068 1 to 40-character passwords possible from that character set. If you use a brute force attack and you can guess 600 passwords per second, it will take you 1.63×1058 years to guess this password. But you may have captured a connection to a server and have the challenge-response sequence to crack it. In this case it will take you only 1.30×1054 years, assuming you are a nation-state and have access to nearly unlimited computing power." Also having to change the password every month is a terrible idea as others have described and is completley uneeded. With proper audit tools administrators should be able to tell if a user is logging in at odd times or in odd ways. If this is seen then someone most likely has this persons account information; however if this is not the case then making this person change their password every month only makes him change a secure password.

    --
    Eating the brains of your enemies does not make you smarter. But it's still fun.
  4. Write it down by Wanker · · Score: 3, Insightful
    Write it down somewhere. How secure is that?

    This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:
    • write down a password
    • store the password online
    • use the same password lots of different places
    • choose a really simple password

    Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.

    Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!
  5. Re:Well, this is a classic dilemma by JaredOfEuropa · · Score: 3, Insightful
    Some advice Bruce Schneider once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
    Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. That's why people tend to keep such bits of paper in their desk drawer rather than their wallet. Or (especially if they have to remember multiple passwords) in a Word document protected by a silly password. Of course, passwords for "functional" accounts that are shared between users are recorded in a different favorite place: the office whiteboard.

    To improve security and make the users happy at the same time, this is what we are currently doing:

    1) Enforce "good" passwords but do not let them expire (do lock it out upon 3 incorrect passwords). Instead, notifying the user of his last login time and last workstation used.

    2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.

    3) If you cannot get around the fact that users will have to deal with multiple password, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.

    4) Use sudo or kerberos or similar for functional accounts.
    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...