Go Back   City-Data Forum > General Forums > Science and Technology > Internet
Old 03-24-2016, 07:17 PM
 
28,607 posts, read 40,583,741 times
Reputation: 37262


Quote:
Originally Posted by Peregrine:
I don't make my end users ever change their passwords. If you really break it down, it really is kind of senseless. I make my end users make VERY complicated passwords, but they never have to change them unless our systems get compromised (and it hasn't happened in 9 years).

Even my man Bruce mostly agrees with me.

https://www.schneier.com/blog/archiv...ng_passwo.html

As he points out, the rationale behind the 90-day expiration is that it would limit the amount of time someone could use that info to hack you.
- If someone hacks into your corporate network with stolen creds, they are going to install malware or some other such junk on your network and will no longer need access to your creds.
- If someone hacks into your bank account, they are going to steal your money. You will know right away you have been compromised.

All 90-day expiries do is annoy end users.
30 days, 10 characters. No characters the same across 5 changes. Q#45Rvkg&* and ae%(34c~zx would not be allowed over a period of 5 changes because there is a 4 in each.

This was the place I've mentioned before. The employees would keep written records of their past passwords (for obvious reasons), but they would tape the list on their monitor, under their keyboard, or drop them in the top desk drawer. 99% chance of discovering the current and past 5 passwords by looking in those places.

Management refused to recognize the problem.
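The rotation rule quoted above (10 characters, 30-day expiry, no character in common with any of the previous five passwords) is concrete enough to implement. The following checker is an added example, not code from the thread or from the workplace described: it applies the rule exactly as the post states it, rejects the post's own pair of passwords, and then measures how much of the 94-character printable-ASCII alphabet is left to a user who has complied for five rotations. The five-entry history is constructed for illustration (the first entry is the post's example; the second is its other example with the offending 4 changed to a 7); the policy parameters are the ones the post gives.

```python
import string

# Policy parameters as stated in the post: 10 characters minimum, and no
# character may reappear in any of the previous five passwords.
MIN_LENGTH = 10
HISTORY_WINDOW = 5

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94.
PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation)


def forbidden_chars(history, window=HISTORY_WINDOW):
    """Every character that appears in any of the last `window` passwords."""
    recent = history[-window:] if window else []
    return set().union(*(set(p) for p in recent))


def overlap_with_history(candidate, history, window=HISTORY_WINDOW):
    """Characters the candidate shares with recent passwords (empty set = none)."""
    return set(candidate) & forbidden_chars(history, window)


def is_allowed(candidate, history, min_length=MIN_LENGTH, window=HISTORY_WINDOW):
    """Apply the quoted rule: long enough, and no character reuse inside the window."""
    if len(candidate) < min_length:
        return False
    return not overlap_with_history(candidate, history, window)


def remaining_alphabet(history, window=HISTORY_WINDOW):
    """Characters a user may still choose from for the next password."""
    return PRINTABLE - forbidden_chars(history, window)


# Constructed history (not real credentials): five 10-character passwords with
# no character in common, i.e. a user who has complied perfectly for five rotations.
HISTORY = [
    "Q#45Rvkg&*",   # the post's first example
    "ae%(37c~zx",   # the post's second example with the repeated '4' swapped for '7'
    "Bm!9Tj)L+1",
    "Wd$2Hn?Yu6",
    "Ff@8Ko[Pi0",
]


if __name__ == "__main__":
    # The post's pair: rejected because both contain '4'.
    print(overlap_with_history("ae%(34c~zx", ["Q#45Rvkg&*"]))    # {'4'}
    print(is_allowed("ae%(34c~zx", ["Q#45Rvkg&*"]))              # False

    # After five compliant rotations, 50 of the 94 characters are off limits.
    left = remaining_alphabet(HISTORY)
    print(len(left), "characters still usable:", "".join(sorted(left)))

    # A sixth password must be built entirely from what is left.
    print(is_allowed("Zr^]Ss-Gt=", HISTORY))                      # True

    # Once the oldest password drops out of the window, its characters return.
    print(is_allowed(HISTORY[0], HISTORY[1:] + ["Zr^]Ss-Gt="]))  # True
```

The last two calls show the practical effect the post describes: by the sixth rotation the user is choosing ten characters from 44 survivors, most of them punctuation, and the only way to know which 44 is to keep the previous five passwords somewhere, which is exactly the written list the post found under keyboards.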

 
Old 03-25-2016, 08:49 AM
 
Location: Cleveland, Ohio
11,815 posts, read 13,954,365 times
Reputation: 8047
Because of a 4 in each?!?! WOW. That's insane.

Quote:
Originally Posted by Skyl3r:
What if someone hacked in, stole the credentials and then decided to sell them? They could potentially be on the market for quite some time.
Yea, that's a common scenario. The microscopic risk of that isn't worth the headache...
 
Old 03-25-2016, 01:46 PM
 
Location: Mableton, GA USA (NW Atlanta suburb, 4 miles OTP)
11,319 posts, read 22,732,496 times
Reputation: 3895
Quote:
Originally Posted by Skyl3r:
What if someone hacked in, stole the credentials and then decided to sell them? They could potentially be on the market for quite some time.
Which credentials?

I need my Windows password and two VPN passwords just to get to the point where I can enter my own personal password on the servers I play on for a living. And that just puts me in a position where I can sudo su to the specific account I need. My personal account doesn't do anything.
 
Old 03-26-2016, 02:49 AM
 
24,503 posts, read 35,955,968 times
Reputation: 12847
Quote:
Originally Posted by Tek_Freek:
You're lucky your workplace IT department is lazy. Many places I've worked would not allow that.
I'm not convinced that it really matters that much. Unless the IT department is REALLY lazy to the point where all you need is a password to log into the network/services. Passwords play less of a role in today's authentication... and while it's good to have a fairly complex one that you can memorize, it's not necessary to have crazy restrictions on them anymore.
 
Old 03-26-2016, 10:19 PM
 
28,607 posts, read 40,583,741 times
Reputation: 37262
Agreed, but big business can at times be slow to catch up. I found that depended on how much control upper management insisted on having over IT. The less control the smoother things ran and the faster restrictive requirements were eased.
 
Old 03-26-2016, 10:20 PM
 
28,607 posts, read 40,583,741 times
Reputation: 37262
Quote:
Originally Posted by rcsteiner:
Which credentials?

I need my Windows password and two VPN passwords just to get to the point where I can enter my own personal password on the servers I play on for a living. And that just puts me in a position where I can sudo su to the specific account I need. My personal account doesn't do anything.
I need two passwords just to start the computer and get into Windows.
 
Old 03-28-2016, 01:07 PM
 
Location: Mableton, GA USA (NW Atlanta suburb, 4 miles OTP)
11,319 posts, read 22,732,496 times
Reputation: 3895
Quote:
Originally Posted by Tek_Freek:
I need two passwords just to start the computer and get into Windows.
Oh, you guys are using BIOS and other device passwords?
 
Old 03-28-2016, 02:11 PM
 
28,607 posts, read 40,583,741 times
Reputation: 37262
Yes. Master to enter BIOS.

One to start the OS. Then the windows password.
 
Old 03-28-2016, 02:24 PM
 
1,294 posts, read 630,030 times
Reputation: 587
Quote:
Originally Posted by rcsteiner:
Which credentials?

I need my Windows password and two VPN passwords just to get to the point where I can enter my own personal password on the servers I play on for a living. And that just puts me in a position where I can sudo su to the specific account I need. My personal account doesn't do anything.
You represent a pretty small percentage of users, I'd be willing to guess.
Anecdotes don't dissuade me.

Quote:
Originally Posted by Peregrine:
Yea, that's a common scenario. The microscopic risk of that isn't worth the headache...
This is the stance I take. I'm just playing devil's advocate.
 
Old 03-28-2016, 02:56 PM
 
Location: Johannesburg, South Africa
3,566 posts, read 1,521,267 times
Reputation: 4324
I don't like or trust password managers.

Instead I use basic alphanumeric passwords for low-level websites; and passphrases (where available) for more data-sensitive sites.

The great thing about passphrases is that by definition they should be easy to remember because they're more personal than vague passwords. The only downfall is that some sites limit the number of characters to around 12.

I also keep some passwords buried in an ebook, sometimes as part of a paragraph, or sometimes hidden in white text.

Simples!
© 2005-2019, Advameg, Inc.