Ask Slashdot: Convincing My Company To Stop Using Passwords?

gurps_npc writes: Any password policy sufficiently complex to be secure is too complex to remember so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6 number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?

6 of 247 comments

  1. Do you want to take the fall for the inevitable? by Anonymous Coward · Score: 5, Insightful

    Your system will be breached. Do you get enough out of this to take the fall when that happens?

  2. It could be worse by rgbscan · Score: 5, Interesting

    Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system, it's so complex.

    1. Re:It could be worse by Anonymous Coward · Score: 5, Insightful

      Just don't answer your voice mail.

  3. Re:Consider Your User Base by CaptainDork · Score: 5, Interesting

    The way I did it was similar.

    In casual conversations with managers about "cool geek" stuff, I shared stories about breaches and the consequences. Those were particularly scary because we're a law firm.

    I sent breach stories to them via email saying, "These are things you should do for your HOME."

    I spoon fed that stuff to the decision makers and then when I was ready to roll out best practice and mid-lower management and my coworkers bitched, upper management was all like, "Are you kidding? Do you guys ever actually read about password security or network breaches? This stuff he's recommending is a no-brainer!"

    Done.

    I have had some who balked and I just told them to comply or send upper management an email arguing their business case for using "12345678" as a password.

    --
    It little behooves the best of us to comment on the rest of us.
  4. Re:Every 30 days. by __aaclcg7560 · Score: 5, Informative

    When setting up a new computer for you they'll ask for your username/password so they can log in and set up your profile, so they are well aware that people do that.

    Asking a user for their password is against corporate policy at all the Fortune 500 companies that I worked for in Silicon Valley. The correct procedure is to inform the user that their password will get reset to a temporary password (i.e., Password123), and, after setting up their new system, check the box on the AD account for the user to change their password when logging in. Under no circumstances should an I.T. technician know a user's passwords. That's grounds for immediate termination.

  5. Re:Every 30 days. by hey! · Score: 5, Insightful

    You laugh, but I once advised a friend to write (most of) her passwords down on a slip of paper and carry it in her wallet.

    Any policy has to take the circumstances and concerns of the user into account. In this case she was an author who was being cyberstalked by someone who'd figured out her easy-to-guess password. She changed the password to her site and he promptly guessed that one too.

    So my advice was this: generate a moderately tough password, say a ten digit random number, and write it down twice: once for her files, once to carry around in her wallet. Then add to that an easy-to-remember part, say the name of her best friend's cat, but don't write that part down, keep that in her head. This results in a password that looks like this: "491-265-4743Fluffy". I chose ten digits and formatted it that way because if it looks like a phone number pretty soon she won't have to carry the paper around. I reckon that this adds something like 32 bits of entropy to her weak but easy to remember password. Even if you know how the password is generated, it's not trivial to guess or break by brute force, and it's certainly not practical to guess for someone who doesn't have physical access to her wallet.

    Is it secure enough for the Morgan Stanley family jewels or the nuclear launch codes of the United States? No. But it's good enough for most practical purposes where you're not that concerned about an adversary who has physical access to you.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
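The split-secret scheme hey! describes above, as an added example that is not part of the original comment or of any product mentioned on the page. It draws the written-down part from a CSPRNG (`secrets`, not `random`), formats it as a phone-number-looking string, appends the remembered part, and works out the entropy and expected guessing cost for an attacker who knows the scheme and the remembered word, so only the 10 digits are unknown. The `rng` parameter, the `guesses_per_second` figures and the sample word "Fluffy" are assumptions for illustration; the 10-digit/phone-number format and the "491-265-4743Fluffy" shape are taken from the comment.

```python
import math
import secrets

# Added example (not from the original page): hey!'s written-part + remembered-part password.
# Assumption: the written part is a uniformly random 10-digit number formatted NNN-NNN-NNNN.
PHONE_DIGITS = 10


def written_part(rng=secrets.randbelow) -> str:
    """Return a random 10-digit number formatted like a US phone number.

    `rng(n)` must return a uniform integer in [0, n); the default is the CSPRNG
    in `secrets`. It is a parameter only so the function can be tested deterministically.
    """
    n = rng(10 ** PHONE_DIGITS)          # uniform over all 10^10 values, leading zeros included
    digits = f"{n:0{PHONE_DIGITS}d}"     # zero-pad so "5" becomes "0000000005"
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"


def compose(written: str, remembered: str) -> str:
    """The password the user actually types: written part followed by the remembered part."""
    return written + remembered


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform symbols drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_attack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret by exhaustive search: half the space on average."""
    return (2 ** bits) / 2 / guesses_per_second


def scheme_summary(remembered: str, guesses_per_second: float) -> dict:
    """Entropy and expected attack time for an adversary who knows the scheme and `remembered`.

    Only the 10 written digits are unknown to such an attacker, so the remembered part
    contributes no entropy in this worst case; it only helps against someone who stole the paper.
    """
    bits = entropy_bits(10, PHONE_DIGITS)
    return {
        "unknown_bits": round(bits, 1),
        "expected_seconds": expected_attack_seconds(bits, guesses_per_second),
        "password": compose(written_part(), remembered),
    }


if __name__ == "__main__":
    # Assumed attacker rates: ~10 guesses/s against a rate-limited web login,
    # ~1e9 guesses/s offline against a fast unsalted hash.
    for rate in (10, 1e9):
        s = scheme_summary("Fluffy", rate)
        years = s["expected_seconds"] / (365 * 24 * 3600)
        print(f"{s['unknown_bits']} bits unknown; at {rate:g} guesses/s expect "
              f"{s['expected_seconds']:.3g} s (~{years:.3g} years); sample: {s['password']}")
```

Running it shows the two regimes hey!'s remark about "practical purposes" implicitly depends on: the ten digits are about 33.2 bits, which is roughly fifteen years of expected work at 10 guesses per second through a rate-limited login form, but only a few seconds at a billion guesses per second against a leaked fast hash. The scheme is a good fit for the online-guessing stalker in the story; it is not a substitute for a slow password hash or a second factor where an offline attack is plausible.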