(Guildenstern) REx2: Ethics of Passwords

by Guildenstern (Deacon)
on Aug 14, 2000 at 20:22 UTC (#27773=note)


in reply to RE: Ethics of Passwords
in thread Ethics of Passwords

SOME people have their passwords on post-its? I remember a certain job I was on for the Air Farce. They had very complicated password requirements. 8 chars, upper and lower case, plus digits and special chars, etc. They would run crack every weekend and reset your password if it was easy to break. The kicker to the whole thing was the little statement at the bottom of the page. To paraphrase, it said - "We realize these requirements will make your password hard to memorize. Therefore, we recommend writing it down and keeping it in your wallet or desk drawer."
Scary, no?
This was, however, a restricted access network. As far as a general access network, I tend to agree with KM. I know that having an option to have your password emailed is great, but it still leaves some holes that may or may not worry you depending on what you're protecting.
For example:
  • Being able to email a password means that it's still stored in cleartext somewhere unless you're using an encryption scheme that is reversible (not a one-way hash)
  • Emailing passwords in cleartext means that somebody could intercept them.

Of course, security always comes at the price of usability, so if a password compromise won't cause major damage (loss of data, credibility, life) clear text may be the best solution.

Replies are listed 'Best First'.
RE: RE: RE: Ethics of Passwords
by TStanley (Canon) on Aug 15, 2000 at 00:18 UTC
    Being a member of the Air Force Reserves as well as someone who actually sits in the Base Network Control Center and changes passwords for people, I can honestly say that I have NEVER told anyone to write down their password. However, you are quite correct as to the requirements for our passwords, which are minimum 8 characters, using uppercase, lowercase, special characters, and numbers, and you need to use at least three of the four categories in your password.

    For me to actually change your password, you would have to come to the NCC in person, and present your identification card. At that point, I would instruct the person as to what the password policy is, and let them type in their own new password. Or if the person in question called and is someone who I know, and recognize their voice, I will change the password to a generic one, then force them to change it upon logging into the system.


    TStanley
      Which is exactly the way it should be. That's why I was surprised that they suggest we keep track of our passwords on paper somewhere. I mean, a lot of the people working were contractors, but if they can hold a security clearance, surely remembering a password isn't asking too much, is it?
Buzzcutbuddha (Crazy Passwords) - RE: Ethics of Passwords
by buzzcutbuddha (Chaplain) on Aug 15, 2000 at 16:18 UTC
    I worked for the State of Pennsylvania for a while in their student loan department, and the passwords we had to access the student files had this pattern:
    the first letter must be a letter, the second a single digit, and the rest must be a mix of upper and lower case with one punctuation mark somewhere in the mix. Passwords expired every 30 days, and they kept track of the last 30.
    Needless to say, the majority of people were not happy with these restrictions, and it was not uncommon to see someone with a sheet of paper listing all of their passwords....

      I'll spout some heresy. I think it is a good idea to write many of your passwords down. But you need to strongly protect the place where you have them written down. For example, keep them in your wallet, written in code that looks like a list of phone numbers, possibly just encoding the hint that lets you remember the password.

      I think this is a good idea because I think you should do all of the following:

      • Never use the same password/PIN twice (for two different systems).
      • Never use a password that someone could guess after they get to know you or "research" you.
      • Change your passwords regularly.
      and if I do all of those, how am I ever going to remember the 47 passwords/PINs that each has nothing to do with my personal life, the account being accessed, or each other while forgetting the completely different set of passwords I so painstakingly memorized last month?

      Now, the password to my top-secret security clearance account at the Air Force, that one I'd just memorize!

              - tye (but my friends call me "Tye")
        One thing that I used to do, though I have since changed it, was to take a two-digit number, then the name of someone that I did not know, and then a 3-digit number. I followed the pattern for 6 months and then changed it.

        One of my friends had these huge super-detailed maps of the Czech Republic and Poland and Hungary and he would pick the name of these small 100 person villages and change two letters in the name. That was always obscure. Fun stuff though.
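As an added illustration (not code from this thread or from PerlMonks), here is a Python sketch of the two policies described above: TStanley's Air Force rule (at least 8 characters, three of four character categories) and the Pennsylvania rule buzzcutbuddha describes (letter, then digit, then mixed case with a punctuation mark, with the last 30 passwords remembered). The history check keeps only salted PBKDF2 hashes, so reuse can be rejected without keeping any password in recoverable form; the function names, the "one punctuation mark" reading as "at least one", and the iteration count are my assumptions.

```python
import hashlib
import hmac
import os
import string

def categories(pw):
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])

def check_af_policy(pw):
    """Air Force rule as described in the thread: 8+ chars, 3 of 4 categories."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if categories(pw) < 3:
        problems.append("fewer than 3 of 4 character categories")
    return problems

def check_pa_policy(pw):
    """Pennsylvania rule as described: letter, digit, then mixed case plus punctuation."""
    problems = []
    if not (len(pw) > 0 and pw[0].isalpha()):
        problems.append("first character must be a letter")
    if not (len(pw) > 1 and pw[1].isdigit()):
        problems.append("second character must be a digit")
    rest = pw[2:]
    if not (any(c.isupper() for c in rest) and any(c.islower() for c in rest)):
        problems.append("remainder must mix upper and lower case")
    if not any(c in string.punctuation for c in rest):
        problems.append("remainder must contain a punctuation mark")
    return problems

class PasswordHistory:
    """Remembers the last `keep` passwords as salted hashes only (assumed design)."""
    def __init__(self, keep=30):
        self.keep = keep
        self.entries = []  # list of (salt, digest); no cleartext is retained

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)

    def was_used(self, pw):
        return any(hmac.compare_digest(self._digest(pw, s), d) for s, d in self.entries)

    def add(self, pw):
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(pw, salt)))
        del self.entries[:-self.keep]  # drop everything older than the last `keep`

def change_password(history, policy, new_pw):
    """Return a list of problems; an empty list means the change was accepted."""
    problems = policy(new_pw)
    if history.was_used(new_pw):
        problems.append("password was used recently")
    if not problems:
        history.add(new_pw)
    return problems
```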
