Previous Entry Share Next Entry
A lovely indictment of modern password practices
Just came across this ruefully funny story on Ars Technica. Summary: a French TV station got hacked, and it looks like it may have been because they interviewed one of their employees -- who had his passwords on a sticky-note on the wall behind him.

The worst part is, this is totally unsurprising. Much of corporate IT has promulgated idiotic practices (eg, requiring you to change your password every eight weeks) that leave the typical user with little choice but to do dumb things like this. It's long past time for companies to wake up to the fact that this is a problem...

  • 1
I read a suggestion once that people ignore the complicated password rules and just come up with one password they can remember and use it for everything. The claim is that it would prevent occurrences like the example you give above(posting it on a wall).

Well, keep in mind that that isn't *possible* in these corporate environments. It isn't a bureaucratic rule that you have to change your password every eight weeks, it's programmatic -- the computer won't let you log in until you change your password. IMO, it's a singularly dumb policy, but it's very common, and a lot of operating systems make it easy for IT to implement.

And keep in mind that the one-password-for-everything idea becomes more dangerous the more sites you use, because a fair number of sites have poor password security. Indeed, hackers count on that: once they break a weak site, and steal a lot of passwords from it, they will often then go on a spree, trying the same email/password combinations at lots of other, often more-important sites. (That's *why* they attack the weak sites, to give them password combos to use on the strong ones. Their holy grail is finding a password combo that works for a small business' ACH account, which they can then make serious money off of.)

This is why I tend to advocate high-security password vaults like LastPass or KeyPass: you have *one* complicated and hard-to-break password that opens the vault, and is never used for anything else, and inside the vault you keep randomized passwords for everything else. It has a single-point-of-failure danger, but security is these folks' entire business, so they have a lot of interest in being as robust and secure as possible...

At my last company, the half-dozen corporate systems I had to interact with had conflicting password rules; it was not possible for a password to satisfy all of them. Some, for example, had maximum lengths that were fairly short (dumb!), and some did not allow most punctuation.

I keep a text file of password hints. Not the actual passwords, but the clues that will remind me of which style of password I used and any site-specific rules that affected how I constructed it. Essentially, I keep my own private "password reminders" list.

Doing LAN support for my current employer, I have had occasion to learn the password for most of the employees in the office at one time or another. With only one exception, they pick a password, often a bad one like a combination of their kids names, and add a number to it. Then when they're prompted to change their passwords, they increment that number. It's a system that passes the automated policy checks, but would be screamingly insecure if any former employee was trying to get into someone's account. Given how many layoffs we've had in the past year, and how disgruntled some of them were, it's a minor miracle we haven't had a problem.

Yeah, common problem -- enough so that I've noticed a fair number of places auto-detect this increment-the-number game, and declare that the new password isn't sufficiently different from the old one. (Which is a simple string-distance comparison -- actually much easier than, eg, some of the stuff I did on the Order of Precedence port.) At which point, the sticky notes become inevitable.

Of course, if IT *needs* the passwords for users, the system has been mis-architected from the beginning -- that should not only never be necessary, it should be absolutely forbidden. Sadly, though, it's not unusual...

It's entirely possible I could do configuring peoples email, setting up printers, and so forth without being logged into their account. I'll freely admit I'm a very half-*ssed excuse for a Windows administrator. I'm faking it based on years of Unix admin experience, a Windows NT admin course in the late 90's, and Google. It's not what I was hired to do. If my employer was smart they'd get me some formal training. OTOH, if they were smart, they wouldn't have decided 70% of corporate IT was overhead and unnecessary last year...

  • 1

Log in

No account? Create an account