Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

RE: Ethics of Passwords

by KM (Priest)
on Aug 14, 2000 at 19:18 UTC ( #27755=note: print w/replies, xml ) Need Help??

in reply to Ethics of Passwords

Plaintext passwords is bad! Bad Bad Bad! I think you are on the right track with sending them to a web page (email, or user agreement) which explains why passwords given to them are 'crazy' looking, and how they can then change them themselves to the more easily cracked 'favorite color' password they are likely used to. When regsitering on your site, do you have a 'Write a question to help remember your password', and 'Answer' boxes? This helps people remember their passwords, as well as 'Enter your username and your password will be mailed to you' thing. Although many users are dolts, security shouldn't be loosened to accommodate them, rather tightened to protect themselves from themselves (remember, some people still have post-it notes of their passwords sticking to their monitors). Just MO :)


Replies are listed 'Best First'.
(Guildenstern) REx2: Ethics of Passwords
by Guildenstern (Deacon) on Aug 14, 2000 at 20:22 UTC
    SOME people have their passwords on post-its? I remember a certain job I was on for the Air Farce. They had very complicated password requirements. 8 chars, upper and lower case, plus digits and special chars, etc. They would run crack every weekend and reset your password if it was easy to break. The kicker to the whole thing was the little statement at the bottom of the page. To paraphrase, it said - "We realize these requirements will make your password hard to memorize. Therefore, we reccommend writing it down and keeping it in your wallet or desk drawer."
    Scary, no?
    This was, however, a resctricted access network. As far as a general access network, I tend to agree with KM. I know that having an option to have your password emailed is great, but it still leaves some holes that may or may not worry you depending on what you're protecting.
    For example:
    • Being able to email a password means that it's still stored in cleartext somewhere unless you're using an encryption scheme that is reversible (not a one-way hash)
    • Emailing passwords in cleartext means that somebody could intercept them.

    Of course, security always comes at the price of usability, so if a password compromise won't cause major damage (loss of data, credibility, life) clear text may be the best solution.
      Being a member of the Air Force Reserves as well as someone
      who actually sits in the Base Network Control Center and
      changes passwords for people, I can honestly say that I have
      NEVER told anyone to write down their password. However, you
      are quite correct as to the requirements for our passwords,
      which are minimum 8 characters, using uppercase, lowercase,
      special characters, and numbers, and you need to use at least
      three of the four categories in your password.

      For me to actually change your password, you would have to come
      to the NCC in person, and present your identification card. At that
      point, I would instruct the person as to what the password policy is,
      and let them type in their own new password. Or if the person in question called
      and is someone who I know, and recognize their voice, I will change the password,
      to a generic one, then force them to change it upon logging into the system.

        Which is exactly the way it should be. That's why I was surprised that they suggest we keep track of our passwords on paper somewhere. I mean, a lot of the people working were contractors, but if they can hold a security clearance, surely remembering a password isn't asking too much, is it?
      I worked for the State of Pennsylvania for a while in their student loan department, and the passwords we had to access the student files had this pattern:
      the first letter must be a letter, the second a single digit, and the rest must be a mix of upper and lower case with one punctuation mark somewhere in the mix. Passwords expired every 30 days, and they kept track of the last 30.
      Needless to say, the majority of people were not happy with these restrictions, and it was not uncommon to see someone with a sheet of paper listing all of their passwords....

        I'll spout some heresy. I think it is a good idea to write many of your passwords down. But you need to strongly protect the place where you have them written down. For example, keep them in your wallet, written in code that looks like a list of phone numbers, possibly just encoding the hint that lets you remember the password.

        I think this is a good idea because I think you should do all of the following:

        • Never use the same password/PIN twice (for two different systems).
        • Never use a password that someone could guess after they get to know you or "research" you.
        • Change your passwords regularly.
        and if I do all of those, how am I ever going to remember the 47 passwords/PINs that each has nothing to do with my personal life, the account being accessed, or each other while forgetting the completely different set of passwords I so painstakingly memorized last month?

        Now, the password to my top-secret security clearance account at the Air Force, that one I'd just memorize!

                - tye (but my friends call me "Tye")

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://27755]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (4)
As of 2022-12-06 20:38 GMT
Find Nodes?
    Voting Booth?

    No recent polls found