It's easy to deal with the demand that you don't write it down when being read the password over the phone. Simply keep interrupting at random points in the password with the phrase "sorry, I can't remember what the first letter was, can you start again, please?"
You say I mustn’t write down my password? Let me make a note of that
My desk-side wastepaper basket is full. OK, sure, first world problems and all that, but it’s 8am and I have only just walked in to the office. Why would my bin be full? I haven’t put anything in it yet. Despite being full, this bin does not contain what an office bin is supposed to contain: there’s no half-full coffee cup, …
COMMENTS
Friday 11th March 2016 13:42 GMT Prst. V.Jeltz
Read out over the phone?? Good god, that could be anybody. At the last place I worked at, IT managers decided that to cause maximum disruption to work flow, idiots forgetting passwords would walk to the helpdesk in person to receive their new one in order to prevent vague data protection / security blah blahs.
And what are you doing still having individual bins? You are supposed to have 3 large different coloured recycling bins per floor! Was this in the 70s? Were the ashtrays emptied?
Friday 11th March 2016 17:31 GMT Anonymous Coward
You jest...
But have there not been some massive security breaches when kids get the IT/support phone number and say they need reminding of their password?
Oh and this just happened (though not password related) : http://www.theregister.co.uk/2016/03/11/bangladesh_bank_cyber_heist_1bn_dollars_nearly_stolen/
Friday 11th March 2016 16:06 GMT BigAndos
Re: XKCD
That cartoon made a very good point actually. Sentences are easy to remember but would take a long time to break in a dictionary attack. Many password policies enforce a maximum length limit, and insist on mixtures of upper/lower case, numbers, punctuation etc. Combined with the fact "single sign on" is still a distant dream in many workplaces it is no wonder people find it hard to keep track of all their passwords!
Friday 11th March 2016 19:20 GMT Havin_it
Re: XKCD
I can't either but it's logically true. I think the solution is two-fold:
1. User chooses long passphrase that they *will* remember (preferably from deep in the psyche so not too social-engineerable) à la correcthorsebatterystaple.
2. Trick-out a couple of characters in a non-obvious way (no 13375p34k) and keep *just* that info in your wallet with the other shit you really value, not stuck to your monitor (thanks Bruce Schneier). You'll probably find you remember where they go before long and won't need the note.
NB. This is not what I do for anything I'm real paranoid about protecting, but I have a good memory for such things. Many aren't, for whom it's all about breaking up the attack surfaces.
More salient NB. Any non-trivial password-protected system should have a limited number of "strikes", then brute-forcing is not an option and we can all have (fairly) crappy passwords anyway. Whether the appropriate response to genuine forgetfulness is resetting the passphrase or simply nuking the protected vault (at cost to the forgetter's pay-rise, career, liberty...) is application-specific.
Friday 11th March 2016 23:25 GMT israel_hands
Re: XKCD
"More salient NB. Any non-trivial password-protected system should have a limited number of "strikes", then brute-forcing is not an option and we can all have (fairly) crappy passwords anyway."
The problem with auto-lockouts like that is that it makes DoS trivially easy. If you can get the username of an individual/group/company (something like a staff directory and knowledge of how they construct their usernames) you can just spam any online login with shit passwords* and lock out the legitimate users.
Scripting something like that is fairly simple and it would give the IT dept a massive headache and generate enough ill-will to cause some serious bollockings. And if they use single sign-on you've just locked them out of all their systems...
* Obviously, if users actually have shit passwords then you'll accidentally crack some accounts open.
Monday 14th March 2016 19:21 GMT Michael Wojcik
Re: XKCD
The problem with auto-lockouts like that is that it makes DoS trivially easy.
And auto-lockout has little security value anyway. Brute-force attacks are rarely made against the login mechanism, and can be mitigated by throttling attempts with a small delay. Auto-lockout only prunes a few rather small branches of the attack tree: where the victim has chosen a guessable password and the attacker has sufficient knowledge to try probable ones, for example, or where the password space is far too small.
Successful brute-force attacks are almost always offline attacks - they happen when the collection of password verifiers is exposed. Auto-lockout has no relevance then.
Auto-lockout also fails if the attacker doesn't care who the victim is. Back in the late '90s, it was common for banks to use account number plus a numeric PIN for online access. So researchers demonstrated an attack where they picked a PIN at random, then varied the account number until they got a hit. Lockout doesn't do shit for that attack.
Lockout is one of those fairly idiotic policies that's still around due to a cargo-cult security mindset among people who either don't want to do real threat modeling, or don't want to ever drop pointless policies for political reasons.
What auto-lockout does do is discourage long, strong passphrases and encourage writing down passwords and password hints. It weakens password-based security systems - it doesn't strengthen them.
Of course, the person you're replying to, who recommended lockout, also wrote that the previous claim (breaking a passphrase composed of a series of words "is straightforward") was "logically true". If you take security advice from someone whose expertise is of that caliber, you get what you deserve.
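The lockout-versus-throttle trade-off argued over in the replies above, as an added Python simulation (not code from any commenter): a strike-counter lockout beside a per-account exponential backoff, both fed a constructed flood of wrong passwords followed by the real user's correct one. The account name, the 1-second base delay and the 60-second cap are assumptions.

```python
from collections import defaultdict


class StrikeLockout:
    """The 'N strikes and you're out' policy the thread criticises: after
    `strikes` failures the account stays locked until someone unlocks it."""

    def __init__(self, strikes=3):
        self.strikes = strikes
        self.failures = defaultdict(int)

    def attempt(self, username, password_ok):
        if self.failures[username] >= self.strikes:
            return "locked"
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


class BackoffThrottle:
    """Per-account throttling with a growing delay instead of a lockout.

    Each failure doubles the wait before the account accepts another attempt,
    capped at `max_delay`; any success resets it. The account recovers by
    itself as soon as the guessing stops (no helpdesk call), and an online
    guesser gets at most 86400 / max_delay checked guesses per account per
    day. A guesser who never stops can still keep the account sluggish, so
    pair this with limits per source address; the point is that the damage
    is bounded and self-healing rather than a lockout that needs an admin.
    """

    def __init__(self, clock, base_delay=1, max_delay=60):
        self.clock = clock            # callable returning whole seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(int)

    def attempt(self, username, password_ok):
        now = self.clock()
        if now < self.next_allowed[username]:
            return "throttled"        # rejected without checking the password
        if password_ok:
            self.failures[username] = 0
            self.next_allowed[username] = 0
            return "ok"
        self.failures[username] += 1
        delay = min(self.base_delay * 2 ** (self.failures[username] - 1),
                    self.max_delay)
        self.next_allowed[username] = now + delay
        return "denied"

    def guesses_per_day(self):
        """Upper bound on checked guesses per account once the cap is hit."""
        return 86400 // self.max_delay


class FakeClock:
    """Deterministic clock in whole seconds so the simulation is repeatable."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_flood(policy, clock, bad_attempts=1000):
    """Constructed scenario: `bad_attempts` wrong passwords hit the account
    'alice', one per second; a minute after they stop, the real user logs in
    with the right password. Returns (tally of outcomes, real user's outcome)."""
    tally = defaultdict(int)
    for _ in range(bad_attempts):
        tally[policy.attempt("alice", password_ok=False)] += 1
        clock.advance(1)
    clock.advance(60)
    return dict(tally), policy.attempt("alice", password_ok=True)


if __name__ == "__main__":
    clock = FakeClock()
    print("lockout :", simulate_flood(StrikeLockout(strikes=3), clock))
    clock = FakeClock()
    throttle = BackoffThrottle(clock)
    print("throttle:", simulate_flood(throttle, clock),
          "max checked guesses/day:", throttle.guesses_per_day())
```

Under the lockout the real user is still locked after the flood; under the backoff only 22 of the 1000 guesses were ever checked and the user logs in normally.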
Sunday 13th March 2016 11:11 GMT Adam 1
Re: XKCD
> Actually breaking a password made up of a sentence containing several words is straightforward - random letters, numbers and non-alpha characters are much harder. Can't remember where I read that though...
It's probably good you can't remember where you read that because it is bad advice. Your password strength is log base 2 of alphabet size to the power of the length of the password. Bigger is better.
For example, consider a 4 digit PIN for an ATM card. The alphabet size is 10 (0 through 9) and length is 4, so the strength is log2 of 10^4 = ~13 bits of entropy
If you jump to say a 10 character random password, we have to agree on the alphabet first. Say 26 lower case + 26 uppercase + 10 digits + 30 symbols (the ones I can easily type with my keyboard here) + 1 space = 93. log2 of 93^10 gives ~65 bits of entropy.
Now consider a password made up of 4 randomly selected words**. In this case, it is disingenuous to consider the alphabet to be the same size as the random password (although in practice it would require the attacker to know that you didn't use such symbols). Let's assume they know your technique for the minute, let's assume English only for simplicity, and let's assume you capitalise the first letter of each word. In this case your alphabet is about 350,000 and your length is the number of words you use. log2 of 350000^4 gives ~74 bits of entropy.
So RinseBubbleOvalBounce is ~500 times harder to crack than GV45#5kd3;
Both passwords offer excellent protection, but I know which one you would have to write down.
**Of course if the words are not chosen at random (eg a verse or quote or meme or something) then it will be no more secure.
Friday 11th March 2016 11:24 GMT Putters
Clear Desk
We had a clear desk policy after a little incident at the office block where I worked.
http://www.highrisefirefighting.co.uk/cstelstar.html
We were based on the 6th Floor (the fun started on the 7th). What was very noticeable was that the stuff that was in cupboards and desk drawers etc survived. Stuff that was on desks was water damaged and, in many cases, had sprouted quite a lot of green hair and possibly some new antibiotics - as it was a few days before anyone could get safe access to recover it, and there was a lot of moisture in what was for some reason quite a warm building ...
Friday 11th March 2016 11:49 GMT allthecoolshortnamesweretaken
Re: Clear Desk
Thanks for the link, I can actually use that at/for work!
IIRC the 'Clean Desk Policy' was started by the consulting firm Kienbaum*, at least over here in Krautistan. Old Mr. Kienbaum himself would prowl the offices at night, accompanied by a janitor armed with a very large bin bag. On a related note, Jil Sander doesn't like potted plants in her offices, so all the windowsills are slanted at a very steep angle.
* Think 'McKinsey' if Kienbaum doesn't ring a bell. A consultant by any other name, etc.
Friday 11th March 2016 13:27 GMT Anonymous Coward
Re: Clear Desk
"Old Mr. Kienbaum himself would prowl the offices at night,"
Back in the 1960s a new head of the computer division was appointed from the washing machine division. He had a reputation for being a "hard man".
He started to walk round the computer factory at night asking questions about what people were doing. Now a man in a suit at that time of the night is likely to be senior management. People had been used to the previous head man doing that - it gave a sense of "family" and he was genuinely mourned on his death in that post. So people answered the new man's questions. The next day he fired them for breaching security.
Friday 11th March 2016 14:28 GMT Anonymous Custard
Re: Clear Desk
Around here all a clear desk earns you is being the ground zero dropzone for all the incoming parcels of parts and stuff that reception bring in and just dump on the closest available area, even if they have nothing to do with you nor are you the intended recipient on the address label.
This does of course always occur just prior to a SMBWA ("safety management by walking around", or colloquially "some muppet bloody wandering aimlessly") audit, most commonly when you're out of the office on the customer site actually doing the work that keeps everyone else in employment and wages.
The trick is of course keeping your desk cluttered enough to dissuade the above (and to appear that you actually do some work), but not full enough to incur the wrath of those with nothing more profitable or useful to do than make such audits.
Friday 11th March 2016 14:59 GMT Anonymous Coward
Re: Clear Desk
And Dabbsy hopes "the clear-desk policy could be revived for the digital age"?
WTF is he on? There's more than 30,000 unsorted emails in my inbox archive, and I can find 99% of what I want in moments. I live in fear of some tidy minded, cost obsessed twat deciding that email archives are too expensive, and putting some shitty, arbitrary limit on the space I can occupy (saving a few pence a year per employee, when my total costs of employment are, well, quite a lot).
Saturday 12th March 2016 05:06 GMT David 132
Re: Clear Desk
The example I use is the Buncefield oil depot fire at Hemel back in 2005
True story - an old friend of mine worked for 3Com in their building on that campus, and had been made redundant mere days (IIRC) before the fire. The building he worked in was significantly trashed by the explosion.
Afterwards, we gave him no end of ribbing along the lines of "sheesh, most people would have taken their redundancy pay, chalked it up to experience, and moved on with their lives. You had to take it more personally, huh?"
Monday 14th March 2016 12:26 GMT Triggerfish
Re: Clear Desk
Our work has a clean desk policy. I stop work at ten to five now and tidy my desk; it's great, I am out exactly the time work finishes. Also I get a nice few minutes in the morning digging out all the important stuff that was nicely laid out on my desk and arranging it into the "mess" it was the day before.
Friday 11th March 2016 18:20 GMT TeeCee
Re: Clear Desk
I remember a great story in one of the Dilbert newsletters that Scott Adams used to mail out.
A clean desk policy was introduced and the Boss said that, owing to the lack of compliance, the cleaners had been instructed to remove all paper from desks at night and deposit it in his office. Anyone wanting their shit back would have to come and beg for it and also explain why it had been left out in the first place.
The result, of course, was that his office gradually filled up with waste paper that nobody wanted. Leaving it lying around for the cleaners was so much simpler than getting up and going to the recycling bin......
Saturday 12th March 2016 00:36 GMT Marshalltown
Re: Clear Desk
Heh - it took a break in, where the baddies attempted to disguise their work with a fire to convince my boss of the usefulness of off-site backups of both hard copies and electronic data. In some instances several years of work on a project were stolen or destroyed by the arson fire.
Sunday 13th March 2016 03:00 GMT badgames
Re: Clear Desk
I had a management type tell me that I should leave my desk clean back in the '80s, and that I shouldn't handle a piece of paper more than once. My response (since he wasn't MY manager) was that anything that required handling more than once wound up on my desk, and that if a cluttered desk signified a cluttered mind, then what did an empty desk signify?
Friday 11th March 2016 14:47 GMT Anonymous Custard
If they were doing it right they'd just swap all the notes around with those stuck on other random monitors around the place (which may or may not have had password post-its on them themselves originally), and then watch as people have to track down their own passwords and some of the ensuing bartering and bastardry that goes on.
Brings back all-too distant memories of schooldays, when the foolish comp-sci master gave me admin privs on the server. Two others in the class (who hated one another) found out and spent days pestering me to give them the password of the other. So I duly did - I swapped them over and just told each that they now had the other's password.
Cue a Mexican stand-off that the whole class enjoyed, including the master who was going to bollock me for doing it but couldn't keep a straight face long enough to do so, and then privately told me it was one he'd use himself in similar future situations.
Friday 11th March 2016 19:41 GMT Havin_it
>swap all the notes around with those stuck on other random monitors around the place (which may or may not have had password post-its on them themselves originally), and then watch as people have to track down their own passwords and some of the ensuing bartering and bastardry that goes on.
Only works if everyone's sticky-note also includes their username; and if usernames are difficult enough to forget, then you need either a new IT Div (if they imposed them using any system that wasn't "Your Full Name [Plus An Incremented Integer If Required, hello El Reg]") or new users (if they chose their own and can't remember them).
Or everyone knows each other's handwriting well enough to forge each other's company cheques, in which case you may have bigger problems down the line...
Friday 11th March 2016 11:36 GMT Anonymous Coward
stick notes ?
Sticky notes are for wimps. In my earlier days (when many users still had proper terminals, not these "computer" type thingies) I found out by accident that a user had actually physically carved his password in the terminal keyboard. Upon questioning, he found this sufficiently secure since people didn't know his user name (which was, at the time, his first name, same as with everyone else. Small company).
This password wasn't changed for years, so as a test we replaced the keyboard with another one, with a similarly carved but different password. Next day he was locked out. The mind boggles.
And no, he wasn't sacked. Senior management. Luckily very senior, he retired soon after that.
Friday 11th March 2016 12:39 GMT Fred Flintstone
Re: stick notes ?
I have a friend who can't remember his wife's or kids' names; it drives him nuts but he just can't do it.
There is an XKCD cartoon for that too (one of my personal favourites) :).
Friday 11th March 2016 13:05 GMT Tabor
Re: stick notes ?
The new password carved was similar in nature, as in number of characters. Other than that completely different. So not just substituting E for 3 or L for 1. I know of people who have difficulty remembering things, but in the case of your friend : even if he couldn't remember his wife was called Maggy, I assume he would still know you would be incorrect if you claimed it was Linda. At least that's what my experience is. You might not remember a word, but you know what it's not when questioned. And even then : in the case of a password typed in daily, something feels "wrong" when typing in a different one if it changed (does with me anyway, some kind of physical memory I guess).
Friday 11th March 2016 11:44 GMT Anonymous Coward
I loathed the clear desk policy.
I was my boss' PA & he kept HIS desk clean by moving it all to MINE instead. All the fat file folders with hundreds of pages of legal print outs, all the faxes & printed out emails that he "needed to keep handy", all the memos & notes either generated by him or left on his desk awaiting his attention, he would shovel it on to MY clear desk in order to free up his own, thus leaving me with a metric fekton of crap to organize just before leaving at the end of the day.
That fat bastard would then bark at me to retrieve the stuff he needed because HE hadn't organized his stuff, he'd left it to me to find a place to file it instead. Fine, that's my job after all, but damn it was it necessary to do it 5 minutes before closing after I've finished cleaning up my own mess? Now I'm stuck doing his stuff after hours while he buggers off to his car & whatever life he had outside work.
Passwords on sticky notes? That turd expected ME to remember all HIS passwords & would snap his fingers demanding to be told what the latest one was for whatever program he was in at the time. Did it ever occur to him that ME having all his passwords was EXACTLY what all those warning emails from IT were about & that he was in fact violating corporate policy? Not on your life. I'm just a lowly PA after all, I can be trusted to keep his boss' secrets, right?
Yeah, right up until I "accidentally" get all your passwords reset by calling up IT myself & asking sweetly could they PLEASE reset my boss' passwords for me "as he's going to need this report done before he gets here this morning & I can't get into his files for the data I need to complete it"...
Oh lookie, Boss gets a call from the head of IT chewing him a new arse because he shares his passwords with other employees in clear violation of the rules. PA's fault? Nope. PA's just doing what the Boss ordered them to do. It's the Boss' fault for sharing the passwords in the first place.
Hey, is that the now EX-Boss leaving in a huff? I suppose this new guy is my new Boss then?
Oh my, he's just asked me to keep track of his passwords for him...
*Sigh*
Damned clear desk policy.
Friday 11th March 2016 12:55 GMT Anonymous Coward
Re: I loathed the clear desk policy.
"Hey, is that the now EX-Boss leaving in a huff? I suppose this new guy is my new Boss then?"
Trouble is that only works half the time. The other half it's the IT guy out the door because it turns out the one violating all the rules is also on the board.
Friday 11th March 2016 16:59 GMT Anonymous Coward
Re: It's not a password, it's a TO DO list
"5) TheBossisaBarsteward2016"
We were once asked to set up an internal questionnaire about IT services for an organisation, in which we asked for user email addresses so they could get the results of the survey. But the head of IT didn't like it. So he instructed staff that they were not to supply their real email addresses in the box.
Some people in the IT department, however, wanted to get the results as they suspected their boss wouldn't tell them the truth. So they set up some special addresses for themselves.
XYZisamuppet@
XYZisauselessmuppet@
and so on.
We naturally redacted the results before passing them on. He was then less than pleased to realise that the results were now anonymous, and that some of them had diatribes about his competence in the comments box.
Friday 11th March 2016 11:51 GMT Anonymous Coward
One of our C level went round the office (well, customer care) at 1830 one day and implemented the clear desk policy by piling everything up on a trolley and locking it in a cupboard. He was warned off the R&D area, luckily. Unfortunately managed to unplug switches, wifi routers, PBX equipment... Left the company two days later. Still don't know if the two were related...
Saturday 12th March 2016 00:34 GMT allthecoolshortnamesweretaken
Re: Of course, real dinosaurs remember acoustic couplers and 300 baud
Radio Shack / Tandy had a solder-it-yourself kit for the acoustic coupler's electronics, and a pair of headphones made a good combination of microphone, loudspeaker and rest for the handset, with some tinkering. Good enough to connect a C64 to a bulletin board...
Friday 11th March 2016 18:29 GMT Stevie
Re: real dinosaurs remember acoustic couplers and 300 baud.
Yes, I had one of those too, when I had to lug around a "Silent 7000" teletype.
Not silent, only semi-portable. Slower than spelling stuff over a phone sometimes, and it required a "standard" handset that was not standard at the time, so one of those had to be carried around too.
Would it save time if I just agreed yours was bigger?
Friday 11th March 2016 12:21 GMT Sykobee
Generally speaking, if an attacker has access to your physical desks, you've lost already.
So maybe the problem is accidental disclosure of passwords via photos/videos on social media or otherwise... in which case passwords in a notebook should be fine.
However what appears to be needed is an office single-sign-on and integration into the services that all require separate passwords at the moment.
Let's not mention the placement of passwords and other sensitive information in standard waste paper bins rather than secure disposal units.
Friday 11th March 2016 13:27 GMT Anonymous Coward
We have had a global ruling in all our offices of no use of cameras of any type, including those built into phones, laptops etc.
About a couple of years ago, they decided to switch from BBs to smartphones, which are Android, and come with a built-in camera, which we have to use for expense claims (Concur).
So doing your expenses in the office is officially breaking the rules (rules that everyone just ignores now anyway!).
In the last 6 months, we've migrated from Lotus Notes to Office 365, including Skype for Business, and are now being encouraged to Skype people, including video, rather than phone them.
I checked: the security policy still states no cameras in the offices!
Nice to see the corporate world is in sync between departments!
Friday 11th March 2016 12:23 GMT BitDr
Three words...
Password Manager Application.
One password will have to rule them all, so make sure it's not something obvious like your name, your pet's name, your address or your favourite sports team, etc. Don't use a cloud service: if they get cracked and/or accidentally release millions of stored accounts to the world+dog then you have to change everything.
Friday 11th March 2016 12:43 GMT FuzzyWuzzys
I learned a valuable lesson at one site very early in my career. The techs would write down the passwords on bits of paper, then they started finding developers getting more access to things they shouldn't. Turned out the devs would turn up late, stay late to prowl Ops techs desks looking for the "mystical keys" on scraps of paper!
At the time I bought a memory study course, studied it and learned ways to remember around 50-60 separate passwords at a time. Sadly old age is catching up with my knackered old brain and I now rely on one of those mobile phone password safes.
Friday 11th March 2016 12:45 GMT R Soles
Clear desk policy
Way back in 2000 I worked for a computer company where one of the pointy haired bosses decided on the spur of the moment to implement a clear desk policy in a rather "provocative" way.
Returning one morning from an off-site meeting the previous day, I found my laptop had mysteriously disappeared.
This was the opportunity for said PHB to loudly deliver a security lecture to the whole office*, before grudgingly giving me my laptop back.
However, I guess the look I gave him was clear enough, as he didn't try that stunt with anyone else.
*Nobody, but nobody, in the entire company locked their laptops away overnight, or used Kensington-type locks, because there was card-controlled access to the building, and all bags were searched on entering or leaving.
Friday 11th March 2016 13:28 GMT Anonymous Coward
Re: Clear desk policy
Card controlled access I find is usually crap; they're mostly just magnets and most companies don't spend enough to cover all the doors.
So cue someone going into the office pushing a side door which should have been locked, turning a fuse off to several others and stealing a crusty old server (brand new one above it was left???).
Anon because no one likes to talk about that here.
Friday 11th March 2016 18:47 GMT Stoneshop
Re: Clear desk policy
Card Controlled Access I find are usually crap, they mostly just magnets and most companies don't spend enough to cover all the doors.
Card access and CCTV notwithstanding, a couple of years back a bunch of thieving scrotes just heaved a pavement tile through a ground-floor window, and made off with a bunch of laptops.
Most of them not being locked.
And one of those being the security manager's.
Friday 11th March 2016 21:31 GMT Mark 85
Re: Clear desk policy
Card access doesn't stop the insiders. We had a bunch of the old 19" CRTs that weighed in at about 75 pounds (35 kg) taken. Brand new and in the box, so you know this was some years ago. A manager came in late one night to pick up something for an early off-site meeting and found the security guards loading monitors into a van.... Who watches the watchers?
Friday 11th March 2016 23:31 GMT Doctor Syntax
Re: Clear desk policy
"This was the opportunity for said PHB to loudly deliver a security lecture to the whole office*, before grudgingly giving me my laptop back."
This was the point at which you should have said "So that explains it. It was running the remote server for the client demo...."
Friday 11th March 2016 12:53 GMT Doctor_Wibble
RTF Email
An unexpected double-meaning there, one an instruction and the other a curse!
Not just colleagues though, the problem also exists for people at whom we wish to throw copious amounts of cash as an actual paying customer, something I see from time to time to my complete empuzzlement and peed-offed-ness. And something an associate has been swearing about for weeks, apparently anything to do with building repairs only ever gets a response if you have a camera crew and/or short baldy in tow.
Friday 11th March 2016 13:01 GMT Mage
Passwords and disaster recovery.
If it's anything important a relative or workmate etc. needs to access, write down the passwords, user, email, machine, website etc. EVERYTHING.
Put it with your will or something else that will not be accessible to ne'er-do-wells, thieves, small children and will 100% turn up if you are knocked down / heart attack / stroke / randomly shot etc.
Friday 11th March 2016 17:03 GMT Anonymous Coward
Re: Passwords and disaster recovery.
"Put it with your will or something else that will not be accessible to ne'er-do-wells, thieves, small children and will 100% turn up if you are knocked down / heart attack / stroke / randomly shot etc."
I don't know if you can really do that. After all, what if the ne'er-do-well is your spouse or kin?
Friday 11th March 2016 13:07 GMT Anonymous Coward
When I worked for MOD our password system used to be the usual "at least 10 characters long, contain at least 1 uppercase, 1 number and 1 special character", and we were forced into changing them every month; it remembered the last 10 and also pattern matched looking for similarities from previous variants, so actually it was OK and reasonably user friendly.
But then...
A random password generator was thrust upon us to make us more secure: Const-vowel-const-const-vowel-const-number-Const-vowel-const-const-vowel-const-number
So (for example): baszol4fonqit6
A random security sweep a few months after it was introduced (of our clear-desk-policy area) revealed scores of post-it notes under keyboards, inside unlocked drawers, pinned to calendars (and even, in one case, written in the corner of a little used whiteboard) - when almost no infractions had been previously discovered.
I left shortly after, when they also, effectively, banned Christmas (the year I left, Christmas cards, which had previously been given a waiver, were included in the clear desk policy and weren't allowed to be displayed...)
Anon because I still have to work with some of my ex-employers at my new organisation.
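Adam 1's entropy figures in the XKCD sub-thread above and the MOD consonant/vowel pattern generator described in this comment both reduce to the same arithmetic, so this added Python example (not code from any commenter) computes bits for each scheme from the commenters' own alphabet sizes and, going a little beyond the thread, generates a word passphrase with a CSPRNG and reports its entropy from the list actually used. The slot sizes of 21 consonants, 5 vowels and 10 digits, and the tiny demo wordlist, are assumptions.

```python
import math
import secrets


def scheme_bits(alphabet_size, length):
    """Entropy of a password whose `length` symbols are each chosen uniformly
    from `alphabet_size` possibilities: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_bits(pattern, slot_sizes=None):
    """Entropy of a template-generated password such as the MOD scheme, written
    one letter per slot: c = consonant, v = vowel, d = digit. Assumes each slot
    is filled uniformly and independently (slot sizes are an assumption);
    other characters in the template (separators) carry no entropy."""
    sizes = slot_sizes or {"c": 21, "v": 5, "d": 10}
    return sum(math.log2(sizes[ch]) for ch in pattern if ch in sizes)


def guess_ratio(bits_a, bits_b):
    """How many times more guesses scheme A needs than scheme B on average."""
    return 2 ** (bits_a - bits_b)


def strength_report():
    """The schemes discussed in the thread, in bits. Alphabet sizes are the
    commenters' own figures; the MOD pattern is cvccvcd twice."""
    return {
        "4-digit PIN": scheme_bits(10, 4),
        "10 random printable chars (93 symbols)": scheme_bits(93, 10),
        "4 random words from 350,000": scheme_bits(350_000, 4),
        "MOD generator cvccvcd-cvccvcd": pattern_bits("cvccvcd-cvccvcd"),
    }


# Constructed, deliberately tiny wordlist for the demo. A real list would be
# the EFF long list (7,776 words) or a dictionary; with only 8 words each
# pick is worth 3 bits, which passphrase_bits() makes visible.
DEMO_WORDS = ["rinse", "bubble", "oval", "bounce",
              "cattle", "ferry", "marble", "lamp"]


def make_passphrase(words, n_words=4):
    """Pick `n_words` uniformly with the CSPRNG in `secrets` and join them
    CamelCase style. Capitalising the first letter is a deterministic rule,
    so it adds nothing to the entropy reported by passphrase_bits()."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def passphrase_bits(words, n_words=4):
    """Entropy of make_passphrase() output: based on the list actually used,
    not on the size of the English language."""
    return scheme_bits(len(words), n_words)


if __name__ == "__main__":
    report = strength_report()
    for name, bits in report.items():
        print(f"{bits:5.1f} bits  {name}")
    ratio = guess_ratio(report["4 random words from 350,000"],
                        report["10 random printable chars (93 symbols)"])
    print(f"words vs random chars: ~{ratio:.0f}x more guesses")
    print(make_passphrase(DEMO_WORDS), "->", passphrase_bits(DEMO_WORDS), "bits")
```

The pattern generator comes out at about 51 bits: it looks random but sits below both the 10-character random string and the four-word passphrase, and it was the one that ended up on post-it notes.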
Friday 11th March 2016 13:28 GMT Anonymous Coward
Re: Clear Desk Policy
Isn't that in ISO 27002? I keep mixing them up :)
To be honest, I never had a problem with it at MoD. In some jobs it's simply part of the routine. Far more amusing was the regular change of dial lock codes - we had a navy cryptologist who could open these things anyway (apparently nights at sea are really boring, so he worked this out to amuse himself) :).
I rather liked dial locks. Far more interesting than the boring modern pushbutton equivalent..
Friday 11th March 2016 16:35 GMT Chris King
Re: Clear Desk Policy
Isn't that in ISO 27002? I keep mixing them up :)
We're almost getting into Space Corps Directives territory here:
39436175880932/B: "All nations attending the conference are only allocated one car parking space" or
39436175880932/C: "POWs have a right to non-violent constraint"?
Friday 11th March 2016 20:28 GMT Anonymous Coward
Re: Clear Desk Policy
"we had a navy cryptologist who could open these things anyway (apparently nights at sea are really boring, so he worked this out to amuse himself)"
A former colleague once found himself stuck in a hotel for a long weekend with nothing to do except wait for a Monday morning flight..
He had a combination lock briefcase so set out to try every combination from 000 000 upwards.
He simply wanted to get an idea of how long a full brute force attack on the thing was likely to take.
Friday 11th March 2016 22:45 GMT Anonymous Coward
Re: Clear Desk Policy
So, like this?
Actually, I had a desk like that. All it took was some intelligent use of black 50x50mm cable ducts (conveniently sold in packs of 2m length - I use these a *LOT* to clean up cable messes) and it was usable for IT.
You do need to be careful in which mouse you use, though. I found that the Logitech "Anywhere MX" mouse works quite happily on a transparent glass surface.
Friday 11th March 2016 13:37 GMT Anonymous Coward
Civil service
Two civil servants explained how they handled their offices' clear desk policies.
The first used to put the contents of his desk top into a very large envelope. He then addressed it to himself and put it in the internal mail - to be delivered to him first thing next morning.
The other was fortunate in having been assigned an old fashioned roll-top desk. He merely closed and locked the roll-top before he left.
Friday 11th March 2016 14:00 GMT Joel 1
Re: Civil service
Absolutely! If someone wants me to have a secure desk, give me a rolltop desk. Covers all the requirements of securing laptops, PCs etc., and anything on my desk is secure.
If they don't want to get me a rolltop desk, then clearly the policy isn't that important...
There is always the option of the lockable workspace - I believe they used to be called offices...
-
Friday 11th March 2016 20:16 GMT Anonymous Coward
Re: Civil service
"There is always the option of the lockable workspace[...]"
The office did a big refurbishment of the building - including lots of small and large cupboards for security. Site Services weren't very happy when I pointed out that all the locks had visible numbers - and a very small set of different numbers covered the whole building.
-
-
-
Friday 11th March 2016 13:59 GMT Anonymous Coward
Someone higher up in my I.T. dept decided to implement a "clear desk" policy by deleting without warning an un-backed-up temp storage volume that was full of the rest of the I.T. dept's stuff. Years of stuff. No warning. Seriously no warning - not so much as a by-your-leave, or a casual heads up. Nothing.
Please imagine the 'pissed off with flames' icon is used here
We have a tough enough job without other members of your team sabotaging your efforts.
-
Friday 11th March 2016 20:22 GMT Anonymous Coward
"[...] I.T depts stuff. years of stuff. no warning. "
We did an internal office move into newly refurbished quarters on the same site. On the Friday we left all our stuff in crates to be moved over the weekend. On unpacking we realised that all our extension cables were missing. There was apparently a new 'elf & safety policy that extension cables were now verboten - so they had all been extracted and thrown away. That didn't help us when we arrived on a customer site with monitoring kit and needed power from a distant socket.
-
Friday 11th March 2016 14:29 GMT Anonymous Coward
Mississippi
I once had a young American chap working for me and from time to time he needed to man the phones and perform password resets. For reasons that escape me he decided to reset one password to Mississippi but with each occurrence of "i" replaced with "1" and each of the "s" characters replaced with a "5". Rather than spelling it out letter by letter he simply told the poor lass on the other end of the phone what he had done. After a fruitless half hour on the phone with multiple attempts getting her to login it became apparent that she did not know how to spell Mississippi... and neither did he.
-
Friday 11th March 2016 15:21 GMT 9Rune5
"keeping user names and passwords on bits of paper anywhere near our computers is deemed a security risk "
(...)
"One colleague even went full retard and wrote his logins directly on the surface of his desk using a permanent marker"
Well... if the new policy bans passwords on paper, then clearly the ol' permanent marker on desk trick is the way to go here. After all, if somebody gains access to the office, they'd have to lift the entire desk to get at the passwords (after all, nobody carries carbon paper around these days). Sounds perfect to me.
-
Friday 11th March 2016 16:08 GMT Cannie charles
I write down passwords as a series of letters, each letter is the first letter of a name. A line under the letter means I enter the last 3 letters of that name, line above, the first 3 letters. If any letter is circled, the whole name. Will also include birth years, first letter of name followed by Y. Line under the Y means last 2 digits of year, circled means whole year.
-
Friday 11th March 2016 16:17 GMT Anonymous Coward
Optional memory.
I only memorized 3 passwords in all my life. I cycle between them, and combine them with mnemonics to create new ones.
I just need a qwerty standard keyboard to remember all of them. The others are written under the battery of my cellphone, in a stamp that looks like a repair shop note.
I had some problem after I traded the phone for one that can't remove the battery...
-
Friday 11th March 2016 16:33 GMT Martyn 1
I remember watching a news item a few years ago where they were interviewing Inspector Knacker of The Yard over some incident, over his shoulder in the background you could see a terminal on a desk and written above it on the whiteboard in HUGE letters was :
Username: PCPlod
Password: hefelldownthestairsyourhonour
(names changed to protect the guilty)
Anyway in the interests of reporting accuracy I tried to track down the actual incident and googled "police password written on whiteboard" and there's fscking dozens of them !!!!!!
-
Saturday 12th March 2016 00:06 GMT Adam 52
Quite a lot of Police laptops are disconnected from any form of network to avoid tarnishing the evidential chain (e.g. burning DVDs of CCTV for passing to CPS). These don't have individual user accounts for obvious practical reasons so do have the username/password stuck to them.
They are, however, kept in locked cupboards inside secure offices inside secure buildings. And more importantly don't have any data on them to protect.
-
-
Friday 11th March 2016 19:30 GMT Fihart
No marks to the following:
1) All-uppercase passwords -- these are a pain to type on mobile phones lacking Caps Lock. Ditto passwords involving non-alphanumeric characters.
2) Websites and devices which obscure entered passwords with asterisks. No, no-one is looking over my shoulder, give me the option of displaying the password as I type it on my tiny, error-prone, phone keyboard.
-
Friday 11th March 2016 20:35 GMT Anonymous Coward
Re: No marks to the following:
In the days of Teletypes you could use backspace as a valid password character - possibly "Bell" (Ctrl-G) too.
At that time the Teletype couldn't be programmed to not echo selectively. So after you entered a password the software overwrote it many times until it was just a black splodge on the paper.
-
Friday 11th March 2016 23:50 GMT Doctor Syntax
Re: No marks to the following:
"At that time the Teletype couldn't be programmed to not echo selectively."
IME they were set up to type only what came down the line so what you saw on the paper was what was echoed back to you. So it was up to the login program to send clear text, asterisks or whatever.
-
-
-
Friday 11th March 2016 20:13 GMT imanidiot
My place of employment demands that a replacement password is requested by certain senior managers (of which there are only 6). Which is just great for your productivity if your password expires first thing Monday morning, you half awake fill in a new one and then can't for the life of you remember what your sleep-addled brain came up with after the first coffee break. And then of course 2 of those managers are in Singapore, a third in the States, the fourth is on vacation for 2 weeks, number five is on sick-leave and number six is somewhere on the 6 acre site doing god knows what away from his computer and email and no-one can ever pinpoint just where he is NOW instead of 5 minutes ago... Oh, and the replacement password is also emailed to the senior manager that requested it, who then has to forward it to your direct manager who THEN has to provide it to you.
And then they start getting testy when you decide to use the communal mechanics account because you want to at the very least get SOMETHING done instead of chasing your tail around all day trying to get a new password.
-
Friday 11th March 2016 20:28 GMT captain veg
Uncrackable
I remember as a student reading an article about password security that recommended, in addition to the usual mix of case, digits and symbols, the inclusion of control characters on systems that allowed that. "Wonder if ours does..." Turns out it did, for setting the password, but not when actually logging on. So my account was completely inaccessible.
-A.
-
Sunday 13th March 2016 13:43 GMT Anonymous Coward
Re: Uncrackable
I've seen that bug in customer facing sales software. Though not an IT background myself, just working customer services.
Them: "I cannot login to my account, number XXXXXX."
Me: "Oh, that's a valid number, yes I can see your name, Mrs S3mith?"
Seems our web portal took in numbers and letters, our back office and actual server running the customer policies did not. No idea how we were to fix that one. I'd have rebuilt their paperwork, but it was too much effort to get the balance transferred, so I flagged it as for the IT staff.
But it serves them right for not sanitising or sanity checking their inputs!
-
Friday 11th March 2016 20:44 GMT Terry 6
Teacher passwords
When I was in harness the first day of Autumn term was password reset day. Because we'd all forgotten our p/ws by then.
When I was the IT manager it meant spending a couple of hours on password resetting on the first day of each term. But at least I knew everyone. When it went corporate and they had to phone corporate IT to request the new p/w I gained a couple of hours, but since there was only one IT person answering the phone and he/she had to check credentials first, it must have taken half the day at least before everyone was back in.
OTOH a local school had a p/w reset policy for every month. No repeats of the last 6 etc.
So everyone had to get a reset in September, and around half at the start of the other terms.
-
Friday 11th March 2016 20:54 GMT Anonymous Coward
Good Passwords Are Hard to Remember.
Anything random is hard to remember.
So are some non-random things.
Not writing down passwords is a stupid rule. It's a superficial preventative slogan. What you really need is for passwords to be kept securely, which covers all the stupidity the article lists, such as the post-it note, but allows for the notebook in a locked drawer. How about those password-storage programs? OK if you always use the same computer, maybe OK if they work over the "cloud", but what's the corporate thinking on relying on third party services?
Yes, I have passwords written down and kept securely. I have so many, Amazon and eBay and a dozen or more accounts with other services, and then there are the banks I deal with. And because I am saying this, I am posting anonymously.
One of my banks, as part of the log-in, asks me for my father's middle name. It is on one of the standard documents about me, one for which he had to give his full name. I wasn't given a choice about the security question I have to answer.
There are some crazily thoughtless people "designing" security.
-
Saturday 12th March 2016 16:10 GMT Down not across
Re: Good Passwords Are Hard to Remember.
One of my banks, as part of the log-in, asks me for my father's middle name. It is on one of the standard documents about me, one for which he had to give his full name. I wasn't given a choice about the security question I have to answer.
But do they check it? Unlikely. When sites ask for things like "mother's maiden name", I use a random alphanumeric string.
-
-
-
Friday 11th March 2016 22:59 GMT gerdesj
Re: It's simple really
I'll wipe the wine I snorted off the screen later - nicely surreal
I'm toying with using SHA1SUM(<username><MMYY>) for my user password, where MMYY is the month and year of last password change. I simply login as root on a terminal, run "sha1sum gerdesj0316" and out it pops. Copy to clipboard, switch back to the Display Manager and paste it in. Finally, switch back to the console and log out root: you can't be too careful.
For real security, randomly change the hashing function.
-
-
Wednesday 16th March 2016 00:55 GMT gerdesj
Re: It's simple really
>"I simply login as root on a terminal..."
>@gerdesj: does that not simply move up one step to the security of your root password? Root can (presumably) access your home drive.
>The Tramp: I'm just a clueless end user
You are absolutely correct, which was the point of my silly comment. It's hard to pitch a pretty nerdy "joke" at all levels. No need for the tramp or the self flagellation (you must be a Brit - me too!)
Mind you, my password scheme is a pretty good one, if there was a safe way of generating the hash and easily and securely getting it to the password prompt. In effect a hash of a hash of a string of characters. If you can make the transmission channel secure then the initial password could be pretty simple because a cracker would have to face the first hash as the password they have to crack and not the actual generating password. For example:
$ echo a | sha1sum
3f786850e387550fdab836ed7e6dc881de23001b
$ echo 3f786850e387550fdab836ed7e6dc881de23001b | md5sum
27f5765ef14682472b0bc02251a47381
Now it doesn't exactly trip off the tongue but a password of "a" has generated a stupidly hard to guess "password". You could use any hashing function and you could cut the result at n characters in the first step and get a completely different result in the second. Those features are in effect your password and possibly easier to remember than batteryhorsemanagedtoavoidbecomingglueatbechersbrookbolted.
-
-
-
Friday 11th March 2016 23:56 GMT ecofeco
Who can blame them?
As an IT pro, I have well over ~20 passwords I have to remember everyday at work and home. The average user doesn't stand a chance.
They can't even use the same one across all logons and sometimes not even variations!
Single sign on systems? Great idea but still far too complicated for the average user.
Until we get serious about user competence, they will always be the biggest vulnerability. And the only way to fix that is to educate them.
-
Saturday 12th March 2016 22:28 GMT J.G.Harston
You had a formica desk? Luxury! At one site I worked on the "IT suite" was the food storeroom behind the kitchen with a laptop on the second-to-bottom storage shelf. The space between the shelving and the wall was two inches shorter than my thighs so the only way to get at the laptop was to wedge myself in a manspreading position between the storage unit and the wall and hope my blood circulation didn't get cut off.
-
-
Monday 14th March 2016 00:31 GMT allthecoolshortnamesweretaken
Re: Serious luddite question
I don't mind so much that the system at my place of gainful employment forces me to change the password every month. The annoying bit is when the system tells me that my password will expire in 14 days, and would I like to change it now? (And when I click 'no' the next day the system will ask again.)
Why the change? If the password was really, really, really good and also really, really, really secure I wouldn't see the point either. But as it is, the passwords won't be that good really and in most cases not really that secure. So a forced change reduces the chance of the password being known to too many people and provides the opportunity to set a better password.
Apart from that, it's sort of traditional by now, in a but-we've-always-done-it-that-way way.
I have just written a post that contains the word 'really' ten times. I guess it's really time to go to bed now.
-
Thursday 7th April 2016 18:00 GMT Anonymous Coward
Re: Serious luddite question
"If your system forces users to have "good" passwords, what is the point in also forcing them to change them every x months?"
Password-changing policies are meant to control unknown leaks. If a password is leaked but nobody knows it, a periodic changeover can make the leaked password useless unless they can find a way to establish another connection. It may not be effective against a brute-force attack where they try to get everything in one go, but for subtle operations where they're trying to sneak under the radar, a forced password change will either shut the door (if you change it first) or draw IT's attention to it (if they change it first).
-
-
Monday 14th March 2016 03:13 GMT Anonymous Coward
Written passwords
Years ago I was running the local IT department for a group of Geologists (think older), and they had multiple password policies and dissimilar system requirements, thus they could not come close to a standard policy. In fact some systems would not even permit a password that another system required.
I found every single one of them writing down their passwords, and I knew this would not be able to be changed.
Thus, I produced random 12 character passwords for them, and requested that they create a 4-6 character memorized simple password. They then would prepend or append the simple password to the complex password.
That way they had a nice complex 16 character password that would be difficult for a network/digital breach, but still if someone found their "password sheet", it would still be useless for a local attack.
-
Monday 14th March 2016 05:51 GMT trapper
Flash
I have 35 username/password combos or passwords. I have a flash drive with a physical read/write switch. If I can't remember a password, the drive comes out. So far, nobody's noticed. There's also an SD card with a cabled reader - everybody knows what a flash drive looks like, not so many a reader. They only come out when I'm stumped and nobody's looking. Look, every security yob in the world is so focused on his own local security he rejects any notion that a dozen or so of his fellows elsewhere have joined him in making my life difficult. Consequently I'll subvert the jerk every time I can get away with it. I'm here to work, not make him happy, and keeping my things secure is my responsibility.
-
Monday 14th March 2016 14:46 GMT blurred1978
We do actually have a clear desk policy. People's stuff regularly gets removed and locked into our central services cupboard to await collection when someone realises something is missing. It falls down a little on fixed desks. For the most part we operate agile working, i.e. no fixed desks. But generally within departmental areas. If people have extra staff in they overflow into *spaces*. There is one or 2 departments that have fixed desks simply because their boss has enough clout to get what he wants. So whereas most departments have fewer desks than people as some are out all the time, these *fixed desks* operate at 1 to 1, and consequently completely ignore the clear desk policy.
-
Wednesday 30th March 2016 18:02 GMT RealRaven
password manager
I have 1000+ unique passwords. Many of them are very hard to type, let alone remember. I only remember my master and SSO password, that will do. Use my own Addon QuickPasswords to get at them, and encrypt that shit. And never use a computer from somebody else. If you can remember all your passwords, you're doing it wrong.