ok... thats not fair... next time the world comes to an end... let me know first...
Lessee ... where was I ...
Memory ...
Yeah, that's the ticket!
Uh, where am I?
An interesting thing... as a user of a system (like the one at your work) do you care if it is compromised? It isn't your responsibility, your responsibility ends at the lowest point of either "reasonable" or the corporate policy.
If the policy requires an 8 char password and states you cannot write the password down, this would be deemed unreasonable. Time and time again research has shown that humans can only be expected to remember 7 char sequences.
How is this for some food for thought... your wallet is stolen and your password is inside. Your company is breached and the attacker explains how. The 8 char password and no writing down is in effect. Who is responsible? Sr. Management. Why? Their policy was foolish, it puts undue stress on employees and effectively negates the whole password policy requirements as they are mutually exclusive under the rules of "reasonable." Now you have a system with no password protections, consequently since Sr. Management has failed to provide other safeguards, they have not upheld due diligence in securing the system.
Not only can they be sued/arrested depending on the nature of the losses, the employee whose password was stolen can also sue for being made the scapegoat of Sr. Management's laziness.
So, write down your passwords, either they are too short (7 chars) to be considered adequate by the industry, or they are too long to be considered reasonable to memorize. Either way, no reason to stress yourself out because someone else isn't doing their job.
cheers,
catch
you know what would be really interesting? A graph of how fast a password could be cracked against the length and formatting of the password, for example, a time/length curve for each standard permutation of passwords, like word, words, number, Word+number, number+word, etc etc etc....this would be useful to show people roughly how easily the standard 6 character password can be broken (and I know a lot of sorry souls who use only 6 characters.)
it depends what the password is for.
For instance my AO password is not critical to my life. (Don't get me wrong, I don't want anyone to have it, but there's no grave danger that can come about from it being hacked).
What I don't understand is people who insist on using the same password (weak or strong) for every account they create. That's just asking for it!!
There are too many variables. What speed/processing capacity is the CPU? How much RAM is available to the cracking processes? What other system processes are running, which are privileged (and could interrupt your cracking process), and what else is being done on the system that could slow down the cracking attempt?
Quote:
Originally posted here by Noia
you know what would be really interesting? A graph of how fast a password could be cracked against the length and formatting of the password, for example, a time/length curve for each standard permutation of passwords, like word, words, number, Word+number, number+word, etc etc etc....this would be useful to show people roughly how easily the standard 6 character password can be broken (and I know a lot of sorry souls who use only 6 characters.)
It's like saying "wow, I wonder how long it takes to go from my house to Bum-****-iztan?" without qualifying if you're going to fly, drive, walk, travel in winter, travel in summer, with luggage, etc.
That is a great point... and all the more reason that as professionals, we should advocate stronger authentication methods than passwords. If multifactor authentication is compulsory, many of these problems go away.
Quote:
Originally posted here by catch
An interesting thing... as a user of a system (like the one at your work) do you care if it is compromised? It isn't your responsibility, your responsibility ends at the lowest point of either "reasonable" or the corporate policy.
As many people have already stated, we need to move beyond passwords - when I am auditing, it is one of the first hooks we look for. Who needs to exploit (I mean leverage the weakness of) a vulnerability, when I can check for blank or default passwords? Those are other issues I know, but I also believe our users are very busy just trying to do their job without having to remember 5-10 different passwords.
In looking to move beyond passwords some of the problems we have run into include: is there a technology we should use to move beyond passwords?; will that technology work globally?; is there a backup in case the system(s) governing that technology fail?; what is the TCO for doing it or not doing it (sticking with passwords)?; is there an industry standard to follow or a benchmark? And many more that I cannot recall just right now as I am trying to remember a password for something.
But... for now just use these to write down your passwords and stick them underneath your keyboard or under your mouse pad: http://www.3m.com/us/office/postit/index.jhtml
I have included a picture to show you how to do it as well.
I was asking my system admin yesterday about how she remembers all her passwords, and manages to make them difficult to guess. I only have a few to remember, so I just keep them in my head. She remembers very simple passwords such as summer or spring, but uses a system of changing certain letters into a number such as 1 for a etc. and moving other letters up the keyboard. That way she just has to remember the simple word, and her universal system. I thought it was interesting.
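Noia asked for a crack-time-versus-length table and the reply above pointed out that the answer depends entirely on how fast guesses can be made; the post just above describes the "simple word plus a fixed substitution system" approach. The following script is an added example, not part of the original thread, and none of its numbers come from the posters: the guess rates and the 50,000-word dictionary are constructed assumptions chosen only to show the shape of the curve. It computes the keyspace (and entropy in bits) for random passwords of a given length and character set, shows how the expected time to exhaust that space swings by orders of magnitude with the assumed guess rate, and compares that with the much smaller space of "dictionary word + substitution variants + short suffix" passwords.

```python
from __future__ import annotations

import math

# Constructed guess rates (guesses per second) for illustration only. Real
# figures depend on the hash algorithm, the hardware, and what else the
# system is doing, which is exactly the point made in the thread.
GUESS_RATES: dict[str, float] = {
    "single CPU, slow hash": 1e4,
    "single CPU, fast hash": 1e8,
    "GPU rig, fast hash": 1e11,
}

# Alphabet sizes for the usual password "formats".
CHARSETS: dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def dictionary_keyspace(dictionary_size: int, rule_variants: int,
                        suffix_alphabet: int = 1, suffix_len: int = 0) -> int:
    """Keyspace of 'word, mangled by one of `rule_variants` fixed substitution
    schemes, followed by `suffix_len` symbols from `suffix_alphabet`'."""
    return dictionary_size * rule_variants * suffix_alphabet ** suffix_len


def bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen element of the space."""
    return math.log2(space)


def expected_seconds(space: int, rate: float) -> float:
    """Average time to hit a uniformly chosen password by exhaustive guessing
    (on average half the space must be tried)."""
    return space / 2 / rate


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit, e.g. '8.3 minutes'."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(length: int) -> list[tuple[str, str, int, float, str]]:
    """Rows of (charset, guess-rate label, keyspace, bits, expected time) for
    random passwords of the given length: the 'graph' the thread asked for,
    one curve per assumed guess rate."""
    rows = []
    for cs_name, size in CHARSETS.items():
        space = keyspace(size, length)
        for rate_name, rate in GUESS_RATES.items():
            rows.append((cs_name, rate_name, space, bits(space),
                         human_duration(expected_seconds(space, rate))))
    return rows


if __name__ == "__main__":
    for length in (6, 8):
        print(f"--- random passwords, length {length} ---")
        for cs, rate, space, b, when in crack_table(length):
            print(f"{cs:22} {rate:22} {b:5.1f} bits  {when}")

    # Constructed comparison: a 50,000-word list, 16 leet-style variants per
    # word, plus a two-digit suffix, versus 6 random lowercase letters.
    word_space = dictionary_keyspace(50_000, 16, 10, 2)
    print("--- word + substitutions + 2 digits ---")
    print(f"{bits(word_space):5.1f} bits vs {bits(keyspace(26, 6)):5.1f} bits for 6 random lowercase letters")
    for rate_name, rate in GUESS_RATES.items():
        print(f"{rate_name:22} {human_duration(expected_seconds(word_space, rate))}")
```

The interesting output is less the absolute numbers (which are only as good as the assumed guess rate) than the ratios: going from a slow to a fast hash on the same machine moves every row by four orders of magnitude, which is the "are you flying or walking" objection in numbers. The dictionary comparison shows why a memorable word with a fixed substitution system is easier to remember but not equivalent to a random string of the same length: with the constructed figures it has a smaller space than six random lowercase letters, because the attacker only needs to enumerate words and rules, not characters.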
Passwords are accepted, they're in use, they aren't going anywhere soon, if it was practical to use biometrics it would already be implemented
Thumb drives or USB devices were brought up....by the same person that said they could run a person over to get the info out of their wallet....erm....think about that...even if you gave employees lockers to store their 'drives' in....it's easier to 'crack' a padlock than you'd think, considering there's a maximum of only six digits to the password, as it were...or hell, since you were giving an 'extreme' scenario, just bash the bugger off.
I think it was the same person who brought up the car and thumbdrive thing that said repetition is the key...maybe it was eg, but I think that's the point people should focus on...
catch said that people can only remember 7 digits....according to studies....they were using random numbers in that test...not things like phone numbers(which would have to be extended to 10, considering the area code), or commonly used digits like a SS#, which had been brought up, repetition is key...we're all dumb sponges, make us absorb....the problem is training...and I'm coming at this from a corporate environment where training should be provided...passwords aren't going away....so training should be more intensive as far as password security is concerned...most corps nowadays have dipshits running the IT dept., and go in for a 5 minute talk about nothing that engages the employees on why they should maintain secure passwords....
...if an employee can not demonstrate that they understand why passwords are important, how to handle and maintain them in a safe way, and the basis for constructing one, they should not be employed. BTW, just for catch.... pneumonoultramicroscopicsiliconvolcanokoniosis....I think I learned that in 7th grade...not numbers, I know...still relates...I was MADE to remember that, and I still do...
Back to the original point, I think 'dude' is pretty much right...write it down, and keep it on your person....but then I would get more into the aspect of 'personal' security than he would....I live in MX. Sometimes a group of people will hassle a 'white' person coming home from their job early in the morning....being surrounded by 5 or 6 people gives one of them a good opp. to pick your pocket (not like they would know what to do with it, if they get it, had I a password in there). However, I think, and I've thought this since I was a kid growing up outside of Philly....only idiots carry wallets....maybe it makes you feel organized....or maybe I'm just weird....but you need to carry ID in your back pockets, I personally carry my passport with the DL and some papers, which would probably include my password slip, had I one, and anything monetary (CC's money) in a front pocket...but he's right, imo...write it down, put it on a pendrive, and then handle the material appropriately....
...I personally think there is more of a chance of people quitting in a large corp. and leaving their binders laying around with passwords in it being more of a risk than a password in a wallet....but then, I'm dumb...and people like to tell me that.