We actually had a coworker who would come in in the morning, pick up his "reset" password at the IT desk, log in, go to lunch, pick up his "reset" password coming back... every day.
I still use that as an example of why such password policies are stupid. He pretty much understood and "hacked" the system. He found a way around remembering a password dictated by an inane password policy without writing it down.
Before you answer "by sending a login attempt every other second", it's trivial to notice something like that and simply lock you out on the firewall. That only works as long as admins let you send packets.
Not to mention that it's trivial to see login attempts from the same source over and over again (and no, IP spoofing only goes so far when challenge-response systems are in place), so you can even go ahead and limit it to one user/pass set per IP per, say, minute. In other words, one machine can lock out one account for as long as this machine keeps hammering. Let's say the potential damage of this is fairly limited.
CAPTCHAs are a waste of work time. They're cute in a leisure environment where you don't have to care about the time wasted solving them, but they are a no-go in any professional environment.
Seriously, if it takes you a minute to log in every single fucking time you get no work done.
And now ponder needing this password once a week. Still memorable?
Also let's not forget that we are dealing with people here who have anything but security on their mind. They want to get their work done. Security is for them, at best, a nuisance. At worst something that stands between them and doing their work.
Take a security door that swings closed after someone went through. Now imagine someone who has to carry heavy boxes through this door. This would mean that he carries the box to the door, opens the door, carries the box through and closes the door again. And that repeatedly. How long do you think it would take until he finds a wedge to keep the door open? And without any remorse because that way he can do his work more efficiently.
Security MUST NOT weigh down the worker. If it does, the worker will treat it as a defect and find a way to work around it.
Yes, yes, this will be the most... well, considering it's Microsoft that's announcing here, let's see IF, and if, WHEN the console arrives, and whether it still IS the most powerful console when it finally gets here.
It's trivial to announce something. Want me to announce a PS5 that will blow the snot off that XBox? Easily done. Delivery? Umm... Really Soon Now (tm).
The bullshit is not in the passwords, the bullshit is in the people. Or rather, demanding that people remember that character salad.
Yes, those passwords are great. Especially "&2lkjf(82ld0*@#jmG73". Awesome, strong and secure. And now have a person remember this. No chance. None. Zero. Zip. Maybe there's some dedicated aspies that can, but most of the people you have in your office will look at you like you asked them to do a multidimensional integral in their head. Or they'll question your sanity.
What will people do when you require such passwords from them? They will write them down. Turning a "what you know" access situation into a "what you have" one. That by itself is no problem yet. The problem is that you don't know where they'll keep that post-it. If you're lucky, they take it with them in their wallet. If you're not, they stick it under their keyboard or put it into their drawer.
And that is where demanding such a password actually reduces security.
That depends on the situation. In most circumstances, you're right. If you have no control over the servers (read: If you're dependent on a supplier) you might want to implement a changing policy, especially if you can't rely on them reporting a data breach reliably and in a timely manner.
That last problem can easily be thwarted. Take your average user and let him enter his username and password. How long does it take him? 2 seconds if he's fast. 5 seconds if his name is long and he's a slow typist. So simply implement it in such a way that between two tries you have, from the start, a 2 second delay. That means at best 30 attempts a minute, 180 attempts an hour, 43.200 attempts a day.
Even if you know that the password is four letters long and only lowercase, you'd need about a week to brute force that.
It is near impossible to create a sensible password strategy that satisfies the three core demands: Easy to remember, hard to guess, hard to brute force.
Go ahead and define one. And then sell it, good money will certainly be paid for something like this.
Even aside of the obligatory xkcd comic that will certainly still surface, password rules are at best useless. At worst they lead to behaviour that is detrimental to security.
So how long do they now have to be? 12 characters at least, no words from a dictionary, containing all sorts of numbers, special characters, upper/lower case, no semblance to any passwords used within the last 60 years... resulting in such great passwords as f$nUkw1dfvM(qkI and so on.
How to remember that? Not at all. What do people do? They write it down. If you're a lucky CISO, they put the post-it into their wallet. If you're not, you find it under their keyboard.
Sure, you can demand that they don't write it down. Then be prepared to drown your support in calls from users that have to get their passwords reset twice a day. Once when they come in, once when they return from their lunch break.
And all that because we are lazy. Yes, we. The company security. We brush off our business, i.e. securing access, onto the user. And why the fuck do we get away with that? Please tell me. It's OUR job to make machines secure, not the user's.
Security is best when you achieve total security without the user even noticing you're there. Perfect security means that little, better even no, user interaction is required. The less the user could possibly fuck up, the better for your security. And yes, that is possible. Replace a "what you know" security model with a "what you have" one, i.e. hand key cards to your personnel. If you really feel like it, augment it with a 4 digit pin they can set. That's already enough.
But brushing off security onto your user and putting insane demands on him is unacceptable.
That hasn't been true for at least 1, more likely 2, generations of consoles now. With MS trying to achieve compatibility between XB and PC, and with more and more games being produced that have to run on very different platforms, from XB to PS to PC and sometimes even... whatever Nintendo has in the race now, that advantage has vanished.
The only thing that's left for now is that PC players usually try for higher resolutions and hence need more hardware power, and with 4k TVs that's going to be a thing of the past as well. So what will be left is that game makers have to optimize for consoles to make it halfway playable on the ancient hardware, while being able to cut corners with the PC version where they can simply tell their customers that they need a better rig to play their latest and greatest.
I know how my government would react after losing that lawsuit.
"Obviously we didn't do enough to protect your interests, so we have to step up our efforts. To fund this, there will be a new tax on content. And of course the money you now get for CD sales will go into that funds, too. In return we will protect you. Promised. And don't be surprised if that new tax is somehow on par with whatever we paid you.
Only that you'll pay that tax annually."
Don't fuck with governments, they have a way to get back at you.
I was prepared for WW3 to be fought over oil, over water, over arable land... but never over people wanting to watch their show without having to put up with ads.
Doesn't work. All that does is make them say "See? They're not buying our crap, so they OBVIOUSLY must be copying it!"
I've been boycotting the fuckers for ages now. I bet by now I'm a dirty pirate in their eyes even though most of the shit they produce ain't even worth the bandwidth it would take to download it.
And as soon as they actually sold the "pirated" material in the country, I could actually see that argument.
But the main reason for the widespread "piracy", aside of the obvious "The Netherlands is an old seafaring nation so of course they have a pirate heritage to defend" joke, is that you, dear media industry, fail to offer what people want. Believe me, we want to buy your stuff. You're not selling. Why are we supposed to wait half a year or even longer before we're allowed to see what you have broadcast in the US or UK? And a friend of mine who is into Anime could easily triple the length of this post with the hoops he's supposed to jump through to get half of his favorite shows at all, or at least within less than a decade after they have been out in Japan.
Sell me what I want or step aside to let those that do step in!
We actually had a coworker who would come in in the morning, pick up his "reset" password at the IT desk, log in, go to lunch, pick up his "reset" password coming back... every day.
I still use that as an example of why such password policies are stupid. He pretty much understood and "hacked" the system. He found a way around remembering a password dictated by an inane password policy without writing it down.
Before you answer "by sending a login attempt every other second", it's trivial to notice something like that and simply lock you out on the firewall. That only works as long as admins let you send packets.
Not to mention that it's trivial to see login attempts from the same source over and over again (and no, IP spoofing only goes so far when challenge-response systems are in place), so you can even go ahead and limit it to one user/pass set per IP per, say, minute. In other words, one machine can lock out one account for as long as this machine keeps hammering. Let's say the potential damage of this is fairly limited.
You can make one attempt every 2 seconds. Infinitely. Please show me how to lock out that account.
CAPTCHAs are a waste of work time. They're cute in a leisure environment where you don't have to care about the time wasted solving them, but they are a no-go in any professional environment.
Seriously, if it takes you a minute to log in every single fucking time you get no work done.
And now ponder needing this password once a week. Still memorable?
Also let's not forget that we are dealing with people here who have anything but security on their mind. They want to get their work done. Security is for them, at best, a nuisance. At worst something that stands between them and doing their work.
Take a security door that swings closed after someone went through. Now imagine someone who has to carry heavy boxes through this door. This would mean that he carries the box to the door, opens the door, carries the box through and closes the door again. And that repeatedly. How long do you think it would take until he finds a wedge to keep the door open? And without any remorse because that way he can do his work more efficiently.
Security MUST NOT weigh down the worker. If it does, the worker will treat it as a defect and find a way to work around it.
Yes, yes, this will be the most ... well, considering it's Microsoft that's announcing here, let's see IF, and if, WHEN the console arrives, and whether it still IS the most powerful console when it finally gets here.
It's trivial to announce something. Want me to announce a PS5 that will blow the snot off that XBox? Easily done. Delivery? Umm... Really Soon Now (tm).
ITSM checkbox auditors. "Having a password policy" is a checkbox they can tick off, "having a password rotation policy" is another one.
Nobody asks if that makes sense. What matters is that you implement it. And these are quick wins, because it's trivial to implement.
The bullshit is not in the passwords, the bullshit is in the people. Or rather, demanding that people remember that character salad.
Yes, those passwords are great. Especially "&2lkjf(82ld0*@#jmG73". Awesome, strong and secure. And now have a person remember this. No chance. None. Zero. Zip. Maybe there's some dedicated aspies that can, but most of the people you have in your office will look at you like you asked them to do a multidimensional integral in their head. Or they'll question your sanity.
What will people do when you require such passwords from them? They will write them down. Turning a "what you know" access situation into a "what you have" one. That by itself is no problem yet. The problem is that you don't know where they'll keep that post-it. If you're lucky, they take it with them in their wallet. If you're not, they stick it under their keyboard or put it into their drawer.
And that is where demanding such a password actually reduces security.
And this is why they're bullshit.
That depends on the situation. In most circumstances, you're right. If you have no control over the servers (read: If you're dependent on a supplier) you might want to implement a changing policy, especially if you can't rely on them reporting a data breach reliably and in a timely manner.
That last problem can easily be thwarted. Take your average user and let him enter his username and password. How long does it take him? 2 seconds if he's fast. 5 seconds if his name is long and he's a slow typist. So simply implement it in such a way that between two tries you have, from the start, a 2 second delay. That means at best 30 attempts a minute, 180 attempts an hour, 43.200 attempts a day.
Even if you know that the password is four letters long and only lowercase, you'd need about a week to brute force that.
It is near impossible to create a sensible password strategy that satisfies the three core demands: Easy to remember, hard to guess, hard to brute force.
Go ahead and define one. And then sell it, good money will certainly be paid for something like this.
Even aside of the obligatory xkcd comic that will certainly still surface, password rules are at best useless. At worst they lead to behaviour that is detrimental to security.
So how long do they now have to be? 12 characters at least, no words from a dictionary, containing all sorts of numbers, special characters, upper/lower case, no semblance to any passwords used within the last 60 years... resulting in such great passwords as f$nUkw1dfvM(qkI and so on.
How to remember that? Not at all. What do people do? They write it down. If you're a lucky CISO, they put the post-it into their wallet. If you're not, you find it under their keyboard.
Sure, you can demand that they don't write it down. Then be prepared to drown your support in calls from users that have to get their passwords reset twice a day. Once when they come in, once when they return from their lunch break.
And all that because we are lazy. Yes, we. The company security. We brush off our business, i.e. securing access, onto the user. And why the fuck do we get away with that? Please tell me. It's OUR job to make machines secure, not the user's.
Security is best when you achieve total security without the user even noticing you're there. Perfect security means that little, better even no, user interaction is required. The less the user could possibly fuck up, the better for your security. And yes, that is possible. Replace a "what you know" security model with a "what you have" one, i.e. hand key cards to your personnel. If you really feel like it, augment it with a 4 digit pin they can set. That's already enough.
But brushing off security onto your user and putting insane demands on him is unacceptable.
Seriously, why does anyone still give a fuck when MS announces something?
That hasn't been true for at least 1, more likely 2, generations of consoles now. With MS trying to achieve compatibility between XB and PC, and with more and more games being produced that have to run on very different platforms, from XB to PS to PC and sometimes even ... whatever Nintendo has in the race now, that advantage has vanished.
The only thing that's left for now is that PC players usually try for higher resolutions and hence need more hardware power, and with 4k TVs that's going to be a thing of the past as well. So what will be left is that game makers have to optimize for consoles to make it halfway playable on the ancient hardware, while being able to cut corners with the PC version where they can simply tell their customers that they need a better rig to play their latest and greatest.
I know how my government would react after losing that lawsuit.
"Obviously we didn't do enough to protect your interests, so we have to step up our efforts. To fund this, there will be a new tax on content. And of course the money you now get for CD sales will go into that funds, too. In return we will protect you. Promised. And don't be surprised if that new tax is somehow on par with whatever we paid you.
Only that you'll pay that tax annually."
Don't fuck with governments, they have a way to get back at you.
I was prepared for WW3 to be fought over oil, over water, over arable land... but never over people wanting to watch their show without having to put up with ads.
Well, the Netherlands don't have capital punishment and they are generally known to play by the rules.
There is a reason that lawsuit is brought up there instead of, say, Russia. Or Turkey.
Hey, don't be unfair. Reefer Madness is a hoot and a half, I've rarely seen such a good spoof of a government scare bear public announcement.
Yeah, yeah, the media cartels jumped the gun again, what else is new?
They'll just withdraw for now and wait for that law for parasites to become reality.
Doesn't work. All that does is make them say "See? They're not buying our crap, so they OBVIOUSLY must be copying it!"
I've been boycotting the fuckers for ages now. I bet by now I'm a dirty pirate in their eyes even though most of the shit they produce ain't even worth the bandwidth it would take to download it.
That's what TTIP is for.
You got that wrong. You're supposed to pay the CD tax, but that doesn't mean you get to copy.
What, you actually wanted something in return for your money? C'mon. How long have you been dealing with the content industry?
And as soon as they actually sold the "pirated" material in the country, I could actually see that argument.
But the main reason for the widespread "piracy", aside of the obvious "The Netherlands is an old seafaring nation so of course they have a pirate heritage to defend" joke, is that you, dear media industry, fail to offer what people want. Believe me, we want to buy your stuff. You're not selling. Why are we supposed to wait half a year or even longer before we're allowed to see what you have broadcast in the US or UK? And a friend of mine who is into Anime could easily triple the length of this post with the hoops he's supposed to jump through to get half of his favorite shows at all, or at least within less than a decade after they have been out in Japan.
Sell me what I want or step aside to let those that do step in!
If your business model fails, sue governments for not creating a protected space for your business.
(in short IDIOT)
Describes the user better than the product.