http://qs1969.pair.com?node_id=27755


in reply to Ethics of Passwords

Plaintext passwords are bad! Bad Bad Bad! I think you are on the right track with sending them to a web page (email, or user agreement) which explains why the passwords given to them look 'crazy', and how they can then change them themselves to the more easily cracked 'favorite color' password they are likely used to. When registering on your site, do you have 'Write a question to help remember your password' and 'Answer' boxes? This helps people remember their passwords, as does an 'Enter your username and your password will be mailed to you' feature. Although many users are dolts, security shouldn't be loosened to accommodate them, but rather tightened to protect them from themselves (remember, some people still have post-it notes of their passwords sticking to their monitors). Just MO :)

Cheers,
KM

(Guildenstern) REx2: Ethics of Passwords
by Guildenstern (Deacon) on Aug 14, 2000 at 20:22 UTC
    SOME people have their passwords on post-its? I remember a certain job I was on for the Air Farce. They had very complicated password requirements: 8 chars, upper and lower case, plus digits and special chars, etc. They would run crack every weekend and reset your password if it was easy to break. The kicker to the whole thing was the little statement at the bottom of the page. To paraphrase, it said - "We realize these requirements will make your password hard to memorize. Therefore, we recommend writing it down and keeping it in your wallet or desk drawer."
    Scary, no?
    This was, however, a restricted access network. As far as a general access network goes, I tend to agree with KM. I know that having an option to have your password emailed is great, but it still leaves some holes that may or may not worry you depending on what you're protecting.
    For example:
    • Being able to email a password means that it's still stored in cleartext somewhere unless you're using an encryption scheme that is reversible (not a one-way hash)
    • Emailing passwords in cleartext means that somebody could intercept them.

    Of course, security always comes at the price of usability, so if a password compromise won't cause major damage (loss of data, credibility, life) clear text may be the best solution.
      Being a member of the Air Force Reserves as well as someone who actually sits in the Base Network Control Center and changes passwords for people, I can honestly say that I have NEVER told anyone to write down their password. However, you are quite correct as to the requirements for our passwords, which are minimum 8 characters, using uppercase, lowercase, special characters, and numbers, and you need to use at least three of the four categories in your password.

      For me to actually change your password, you would have to come to the NCC in person and present your identification card. At that point, I would instruct the person as to what the password policy is, and let them type in their own new password. Or if the person in question calls and is someone I know and whose voice I recognize, I will change the password to a generic one, then force them to change it upon logging into the system.


      TStanley
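Two technical points run through the posts above: Guildenstern's observation that a site which can mail you your password must be keeping it in cleartext (or under reversible encryption), and TStanley's "minimum 8 characters, at least three of four categories" rule. The following is an added example, not code from the thread or from anyone posting in it, showing how a registration/login/recovery flow looks when only a salted one-way hash is stored: the policy check, PBKDF2-HMAC-SHA256 storage, and a short-lived single-use reset token standing in for "enter your username and your password will be mailed to you". All names (`UserStore`, `meets_policy`, the iteration count and token lifetime) are this example's own choices.

```python
"""Added example: password policy + one-way storage + reset-token recovery.

Nothing here can return a user's password, because the password is never
stored; the only thing a 'forgot my password' request can hand out is a
reset token. Names and constants are this example's assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

MIN_LENGTH = 8            # policy described in the thread
MIN_CLASSES = 3           # "at least three of the four categories"
PBKDF2_ITERATIONS = 200_000   # assumed; raise for production hardware
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a mailed reset token


def meets_policy(password):
    """Length >= MIN_LENGTH and at least MIN_CLASSES of: lower, upper, digit, special."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    return sum(classes) >= MIN_CLASSES


def hash_password(password, salt=None):
    """Return 'salt$hash' in hex. A fresh per-user salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory account store that keeps password hashes only."""

    def __init__(self):
        self.users = {}         # username -> 'salt$hash'
        self.reset_tokens = {}  # sha256(token) -> (username, expiry)

    def register(self, username, password):
        if not meets_policy(password):
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password(password)

    def login(self, username, password):
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, username, now=None):
        """What 'mail me my password' becomes: the hash cannot be reversed,
        so issue a random, short-lived, single-use token to mail instead."""
        if username not in self.users:
            return None  # callers should answer identically to avoid username enumeration
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # store a hash of the token, so a leaked table cannot be replayed
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.get(key)
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            del self.reset_tokens[key]  # stale token: discard it
            return False
        if not meets_policy(new_password):
            return False                # token stays valid; the user may retry
        del self.reset_tokens[key]      # single use
        self.users[username] = hash_password(new_password)
        return True
```

The mailed token is still exposed to the interception Guildenstern mentions, which is why it expires quickly and is consumed on first use; what the interceptor cannot get is the password itself, because the store never had it.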
        Which is exactly the way it should be. That's why I was surprised that they suggest we keep track of our passwords on paper somewhere. I mean, a lot of the people working were contractors, but if they can hold a security clearance, surely remembering a password isn't asking too much, is it?
      I worked for the State of Pennsylvania for a while in their student loan department, and the passwords we had to access the student files had this pattern:
      the first letter must be a letter, the second a single digit, and the rest must be a mix of upper and lower case with one punctuation mark somewhere in the mix. Passwords expired every 30 days, and they kept track of the last 30.
      Needless to say, the majority of people were not happy with these restrictions, and it was not uncommon to see someone with a sheet of paper listing all of their passwords....

        I'll spout some heresy. I think it is a good idea to write many of your passwords down. But you need to strongly protect the place where you have them written down. For example, keep them in your wallet, written in code that looks like a list of phone numbers, possibly just encoding the hint that lets you remember the password.

        I think this is a good idea because I think you should do all of the following:

        • Never use the same password/PIN twice (for two different systems).
        • Never use a password that someone could guess after they get to know you or "research" you.
        • Change your passwords regularly.
        and if I do all of those, how am I ever going to remember the 47 passwords/PINs that each has nothing to do with my personal life, the account being accessed, or each other while forgetting the completely different set of passwords I so painstakingly memorized last month?

        Now, the password to my top-secret security clearance account at the Air Force, that one I'd just memorize!

                - tye (but my friends call me "Tye")