Long Passwords = Less Security

How crappy is your IT?

For the folks who don't know: I have moved job sectors and am back in government services again. Specifically, I am maintaining the TLA stacks for the Army's NIPR (just read that as internet) connected installations. As such I have many accounts (somewhere around 100) on many different computer systems. The Army has recently moved to a new password system that requires a 15-character password with 2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 special characters included. Furthermore, most of these accounts require the passwords to be auto-generated and do not allow the user to change or set their own passwords. End result? 100 15-character passwords that are written down in the top drawer of my desk (and every other employee's here).

Many of my co-workers actually maintain digital copies of these passwords in Excel as well, and even email these back to their non-work email accounts for occasional telecommutes via VPN tunnel. In short, the Army has garnered far more security vulnerabilities with this policy than it closed. Previously most accounts followed an 8-character rule and allowed users to set their own passwords. This usually meant that most accounts for one user used the same or similar passwords. If you got that one password you could do a lot of damage, but the likelihood of compromise was greatly decreased since most users can remember one 8-character password.

Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware. Brilliant.

Reply #1
Military Intelligence

n. - oxymoron -- (conjoining contradictory terms (as in `deafening silence'))

(I did a half-life)
Reply #2
Good lord, that joke never gets old... wait, that's a lie, it was old for me a long long time ago....
Reply #3
We had 4 separate systems that changed passwords quarterly, each one month after the other. Uppercase, lowercase, 1 numeral, and 1 special character had to be used. If you used the wrong password more than 3 times in the same day, it would have to be reset by an outside IT group. It was awful, but we were allowed to make a choice. But that choice had to fall under certain patterns. You could never reuse the same word, the same number, the same special character in the same pattern again. You couldn't use the same pattern on the 4 separate systems.

It made me dizzy just writing this out, but the reality was, after months of it, you would never have to write down your passwords. It would just come automatically. Because you used your passwords on an almost daily basis, you never had to actually think about the password, your fingers would just 'remember'. The only time it became a problem is if you went on holidays. Then you were screwed.
Reply #4

It made me dizzy just writing this out, but the reality was, after months of it, you would never have to write down your passwords. It would just come automatically. Because you used your passwords on an almost daily basis, you never had to actually think about the password, your fingers would just 'remember'. The only time it became a problem is if you went on holidays.
That is true of the one password that I use hundreds of times a day but totally untrue of the ones that don't see daily use. Once you go beyond 2 or 3 passwords, even daily use won't help your fingers anymore, especially when you don't get to choose the passwords at all.
Reply #5

Long passwords can be good - if it is a phrase or saying you can remember. The size can be limitless and it never needs to be written down.

Some password policies are just plain stupid and asking for security breaches. Passwords which are impossible to remember are the complete opposite of what is required.

We don't have a policy as such, but the folks here are too predictable. I can guess most employees' passwords in just a few attempts...

Reply #6
I agree with you. I have multiple emails, and various accounts that seem to have all decided to upgrade the security. The upper/lower/number/special characters are a pain in the ass. It's not too bad, but only because I have a formula that I use to remember the passwords...

anything that is randomly generated.....ends up getting written down. sigh.
Reply #7

Sounds like it's time for finger-print readers....


Reply #8
retina-scanners? Saw 'em at COMDEX in Las Vegas a few yrs. ago and thought they were pretty cool...
Reply #9
Biometrics would solve the problem and avoid a bunch of written passwords.

They have the right idea as far as password construction goes, I use a similar formula for my critical passwords, but I still create a password pattern that is easy for me to remember without having to write them down.
Reply #10
I'm lucky in that I'm only using 4 systems, and 3 of the 4 have the same user ID. Not sure why they decided to change it for the 4th, but alas, so sayeth the government lords. I'm able to have the same password, that I choose, for 3 of the 4, so that isn't too bad either.

But, I ALSO have to log into about 10 different online databases, analysis tools, and community pages. And each of these, because they are created/maintained by some different entity, have different password requirements. Like you, the 2 or 3 that I use daily are no big problem, but the others that I only use occasionally are a pain in the ass.

So, like you, I have a little cheat sheet with all of my passwords on it. I hate having to do it, but after I got locked out of a couple of the tools, and had to call "somebody" to get it unf*^ked, I have resorted to weak security.
Reply #11
I wonder if having a "multiple-password" system would be any more secure. It would certainly be more operator-friendly. I use and can remember 3-4 8-character passwords fairly easily - I usually base them on something memorable I've read or some bit of remote personal history nobody else would be likely to know or guess, often using differing sequences of a set of 4-character blocks. It would be a little bit of a pain, but having to input 2 or 3 different passwords in succession would make the likelihood of compromise pretty low, I would think, since they wouldn't need to be written down anywhere. I'd think you could use the same set of passwords for multiple systems fairly securely if that were the case.

Then again, fingerprint or iris-scan technology is getting to be pretty inexpensive. But, I've always wondered how a system is authorized to recognize the "first" one - the "keys to the keys" problem.

My brain is starting to hurt so I'll quit now.
Reply #12
I've never understood the mentality that auto generated passwords are more secure. While certain people have suggested keeping PW's in a folder with an inconspicuous name, if they're written down anywhere, they can be easily compromised.

Bottom line: if someone really, REALLY wants into your computer, they're getting in. The only way to make the Internet more secure would be to make it less convenient.
Reply #13

We have the same thing at my work (not hundreds thankfully, but about a dozen).  We are forced to change them at 30, 45, 60 and 90 days!  And none talk to the others, so yes, I have to keep them written down! (just not taped to the bottom of my KB).  They think they are being so secure!  No, just jacking off and smiling that they are APA compliant!  In point of fact, they are far less secure than if they did not have an expiration policy!

Reply #14
This so reminds me of the "bosco" thing from Seinfeld.

I really wonder why in a DOD facility you're only using passwords alone and not key files or something else? I'd like to believe that it's because the data at your disposal isn't deemed as highly sensitive but, I'm not that naive.
Reply #15
I really wonder why in a DOD facility you're only using passwords alone and not key files or something else? I'd like to believe that it's because the data at your disposal isn't deemed as highly sensitive but, I'm not that naive.
Actually to access the source machine you need to have a CAC, password, and a physically separate RSA key generator. Not so for many of the remote machines though.
Reply #16
I for one am surprised that biometrics aren't in place & used in a military facility that holds the type of confidential data that you're talking about. Technically long passwords are great for security, the breakdown is when you have people writing them down on paper, saving them in excel files and emailing themselves this account information.

We've been using biometric scanners at our work for almost a couple years already and I personally love it. My latest machine is an IBM Stinkpad T43 and it has a biometric fingerprint scanner in the lower right corner of the keyboard area. Once you've enrolled your fingerprints on your machine (you can do just 1 or all of your fingers on both hands), logging into your machine or on to a network domain is a snap (or swipe as it were). You can even export the fingerprint profiles to another machine so that you don't have to go through the fingerprint enrollment process on every machine you use.

I think it works great, it's quick and very practical.

I heard someone mention retina scanners, don't know where they would fit that on my laptop or desktop machines - I wouldn't be crazy about a usb device with a cable that I'd have to lug around with my machine either.
Reply #19
Randomly generated passwords, of any size and pattern, are just plain bad news. Keeping the same size and pattern requirements would be smart, but allowing the user to generate the phrase or word is the only way to go. The next step is to train a person on how to generate a password using those requirements so that they remember the password. If the passwords are stored in your desk, your security team is not doing their job. And if the "cleaning" crew is peeking at them, both the security team and the cleaning crew are not doing their job right!

Reply #20
"15 character passwords that are written down in the top drawer of my (and every other employee here) desk. Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware."

come on...with all due respect you mean to tell me that you can't memorize 15 characters? Military Intelligence! OK!
Reply #21
The next step is to train a person on how to generate a password using those requirements so that they remember the password.


or maybe the next step would be hiring people who can remember 15 character passwords...lol
Reply #22
I feel your pain, greywar. From your avatar, we may very well be in the same place (igotcha).

Don't forget that you also can't use any of your last 25 15-letter passwords, so you also have to keep a complete record of them. Not just Army though...it's DoD-wide.
Reply #24
"15 character passwords that are written down in the top drawer of my (and every other employee here) desk. Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware."

come on...with all due respect you mean to tell me that you can't memorize 15 characters? Military Intelligence! OK!


Skinhit, I can't tell if you are trying to be sarcastic, but just in case you're simply being an ass, you did read the part where he said he has to deal with 100 different 15-character passwords?

And because I seem to have left my funnybone back in 2006, I'm going to add to the comment that your attempt at sarcasm (if that bit of lameness was an attempt) fell short of the mark, or looking at the criteria you seem to deem needed to work for DoD, you are more than qualified to apply.
Reply #25

We've been using biometric scanners at our work for almost a couple years already and I personally love it.

My uncle had a business providing a database/info of credit-worthiness of people....this is years ago, before the upsurge/advent of bankcards/credit cards, etc.

He eventually went from paper-file to computer...back around 1973.....needless to say it wasn't some 'PC'...but a monstrous bugger from Honeywell ...magnetic tape...own room....positive ventilation...no sprinklers....but it DID have a fingerprint [or maybe palm-print] reader to access the room.

Ain't nothin' new in the world....