Password Complexity in the Enterprise?
andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness' sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements; what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"
One of the best I'd seen was to take the first letters (or last, or second, etc.) from the words of a song whose lyrics you know well. They have a decent amount of randomness, and each album you buy will supply a couple of years' worth of passwords.
Writing them down in a safe location is a helpful aide-mémoire. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.
Make the passwords too hard to remember and people write them down because they have to.
Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
Myself, I use muscle memory to store mine. I make up an entirely random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great, and there's no risk of me accidentally telling someone my password because I don't know what it is.
Actually I think the "first letter of the phrase" idea is too complex; why not just use a phrase? Most sane password systems allow up to 128 characters. You can easily type a whole sentence, which is much easier to remember. Use something like:
Jane's birthday is on October 12th. (with punctuation)
or
Do or do not, there is no try.
"Luke, I am your node.parent();"
In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.
Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.
These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.
Unless there's some flaw that I don't know about, I've always liked the password method where it's two random English words (DoorAsphalt or MessHeave). It's easy to remember, and assuming, say, a 40,000 word dictionary, that gives 1.6 billion combinations.
Sometimes it's best to just let stupid people be stupid.
I've always found it a total pain to remember passwords for different resources, so I came up (probably stole the idea from someone, too long ago) with a method of using the keyboard as a sort of encoder/decoder. What I do is I have a memorable word or phrase, but I always type in the letters above or below the actual characters. This means I can turn a memorable phrase, say, "slashdot.org", into gibberish, like "woqwye95l94t". (No, that isn't my Slashdot login, so don't even think about it :).)
I've found that, while you need to think about it at the start, it doesn't take too long before you're used to using it. Of course you can (as I have) obfuscate it even more. For example, you could change the case (upper/lower) on alternate letters, type your memorable word/phrase in backwards, alternate above and below keys, etc.
Just an idea, really good for corporate logins: you can easily remember a word or name and quickly turn it into something the IT Dept. would approve of.
I've started using what I think is a great way to create what appear to be rather secure passwords that are easy to remember and recoverable (that's a highly qualified statement, as I am in no way a security expert). Go to:
http://www.hashapass.com/
and enter your "parameter" (e.g. "march2006") and "master password" (e.g. "mysecretpassword") and you get a password (e.g. "K0u4CUXG") generated from the two. Of course you still have to remember the password, but at least if you forget it you can recover it from wherever you are, without having to write it down. It's all local JavaScript on the browser, so there's no network exposure...
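The derivation the post describes, as an added example that is not hashapass's own code. The hashapass construction is assumed here to be HMAC-SHA1 keyed with the master password over the parameter, Base64 encoded and cut to 8 characters; that is an assumption, and I have not checked that it reproduces "K0u4CUXG" for the post's inputs. The hardened variant, the recover_master() demonstration and the constructed candidate list are my own additions. The point worth seeing is the threat model: the parameter is public and the only secret is the master password, so one leaked derived password lets an attacker test master guesses offline at full speed, and 8 Base64 characters cap the output at 48 bits regardless of how strong the master is.

```python
# Added example (not from the thread and not hashapass's own code):
# a deterministic per-site password derived from a master secret and a
# public "parameter". The hashapass construction is ASSUMED to be
# HMAC-SHA1(key=master, msg=parameter), Base64, first 8 characters.
import base64
import hashlib
import hmac
import math


def hashapass_style(master, parameter):
    """Assumed hashapass construction: 8 Base64 chars of HMAC-SHA1."""
    mac = hmac.new(master.encode(), parameter.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:8]


def derive_hardened(master, parameter, length=20, iterations=200_000):
    """Same idea with a slow KDF and a longer output (my variant, not the
    site's). The parameter is the salt; because it is public, the master
    password is the only secret, so the iteration count is what makes
    offline guessing expensive."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), parameter.encode(),
                              iterations, dklen=32)
    # urlsafe alphabet avoids '/' and '+', which some password fields reject
    return base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]


def output_bits(password, alphabet_size=64):
    """Entropy ceiling of a derived password: each Base64 character can
    carry at most 6 bits, whatever the master password's strength."""
    return len(password) * math.log2(alphabet_size)


def recover_master(leaked, parameter, candidates, derive=hashapass_style):
    """Offline attack: with the parameter known, one leaked derived
    password lets an attacker test master-password guesses at full speed.
    Returns the first candidate that reproduces the leaked value."""
    for guess in candidates:
        if derive(guess, parameter) == leaked:
            return guess
    return None


if __name__ == "__main__":
    site_pw = hashapass_style("mysecretpassword", "march2006")
    print("derived:", site_pw, f"({output_bits(site_pw):.0f}-bit ceiling)")
    print("hardened:", derive_hardened("mysecretpassword", "march2006"))
    # Constructed guess list standing in for a cracker's wordlist.
    wordlist = ["password", "hunter2", "letmein", "mysecretpassword"]
    print("master recovered:", recover_master(site_pw, "march2006", wordlist))
```

The fast HMAC makes the derivation instant for the user and equally instant for the attacker; the hardened version costs the user a fraction of a second once per login and the attacker that same cost per guess, which is the only lever a scheme with a public salt has.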
I know people who do something similar to this, by typing geometric patterns on the keyboard. (They weren't using it actually to control access to anything, just as passwords to test accounts and the like.)
You start off with "1qaz2wsx3edc" and then when it expires, you change it to "qaz2wsx3edc4", etc. Depending on how intelligent the password system is -- in this particular case, not very -- you could get away with it. I think more secure systems probably pick up on the lack of difference between the two and would prohibit it.
It's easy to create very complex, seemingly-random passwords that include numerics and punctuation this way, but it's very prone to shoulder-surfing. If anyone sees you enter it even once, they'll know what you're doing.
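Both keyboard tricks in the thread, the "type the key above the real key" encoder from the slashdot.org post and the "1qaz2wsx3edc" walks above, as one added example that is not from either poster. It assumes a US QWERTY layout with the rows reduced to lower case. shift_rows() reproduces the post's "woqwye95l94t" from "slashdot.org" and unshift_rows() reverses it, which is the security-relevant point: the mapping is fixed and one-to-one, so it adds no entropy beyond the memorable phrase, and a cracker who knows the trick applies the same mapping to a wordlist. keyboard_walk_score() and too_similar() are the checks a password filter can run to catch walks and the rotated re-use the post mentions.

```python
# Added example (not from the thread): the two keyboard tricks as code.
# Assumes a US QWERTY layout; the grid is lower-case only.
from difflib import SequenceMatcher

QWERTY = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POS = {ch: (r, c) for r, row in enumerate(QWERTY) for c, ch in enumerate(row)}


def shift_rows(text, direction="up"):
    """Replace each character with the key one row above (or below) it.
    Characters with no neighbour in that direction, or not on the grid,
    are left unchanged. Case is discarded because the grid is lower-case."""
    step = -1 if direction == "up" else 1
    out = []
    for ch in text.lower():
        if ch not in POS:
            out.append(ch)
            continue
        r, c = POS[ch]
        nr = r + step
        out.append(QWERTY[nr][c] if 0 <= nr < len(QWERTY) else ch)
    return "".join(out)


def unshift_rows(text, direction="up"):
    """Inverse of shift_rows (exact whenever no character sat on the edge
    row, where shift_rows leaves it unchanged). The transform is a fixed
    one-to-one mapping, so anyone who knows it recovers the phrase."""
    return shift_rows(text, "down" if direction == "up" else "up")


def adjacent(a, b):
    """True if two keys touch on the grid, including diagonally."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_score(password):
    """Fraction of consecutive character pairs that are physically
    adjacent. Random strings score near zero; walks score near one."""
    p = password.lower()
    if len(p) < 2:
        return 0.0
    hits = sum(adjacent(p[i], p[i + 1]) for i in range(len(p) - 1))
    return hits / (len(p) - 1)


def too_similar(old, new, threshold=0.5):
    """Flag a new password that shares a long run with the old one, which
    catches rotations such as '1qaz2wsx3edc' -> 'qaz2wsx3edc4'."""
    m = SequenceMatcher(None, old, new).find_longest_match(0, len(old), 0, len(new))
    return m.size / max(len(old), len(new)) >= threshold


if __name__ == "__main__":
    encoded = shift_rows("slashdot.org")
    print(encoded, "->", unshift_rows(encoded))
    for pw in ("1qaz2wsx3edc", "qaz2wsx3edc4", "woqwye95l94t", "K0u4CUXG"):
        print(f"{pw:14} walk score {keyboard_walk_score(pw):.2f}")
    print("rotation flagged:", too_similar("1qaz2wsx3edc", "qaz2wsx3edc4"))
```

Note that the row-shifted phrase scores low on the walk check even though its real strength is only that of "slashdot.org"; a walk detector catches the pattern typed by hand, not a phrase pushed through a known transform, which is why the transform itself has to be treated as public.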
Most ATMs I've used actually take your card (for shredding) if you have 5 invalid attempts. I had it happen to me when I typed in the wrong PIN (confused with another card) and the machine didn't give it back to me.