Old 06-14-2013, 07:47 AM
I work in an office setting where we have to log into several software applications in addition to various accounts to internet based databases. Additionally, there are network and hardware passwords (Windows, VPN tunnel, etc.).

Is there a particular reason why password security seems to be so non-uniform among all of these applications - so you can't create one password and use it for all systems/applications? Each has its own requirement, whether it be special characters, upper/lower case characters, number/character combinations, etc. I have literally seen people who have a paper list of passwords taped to their desks because there is no way that they could possibly remember all of the passwords they need to use on a daily basis. Who can remember that one application requires a password like P283!$horty131 and another requires P283Shorty131, and that they have to be changed every three months?

There is a breaking point where too much password security actually creates a hazard, because people will defeat the purpose of said security measures (by writing them down, or storing them online in a less than secure location, or by taping post-it notes to their monitors with various passwords on them, etc.).

Today I had to log into a personal account and had forgotten the ridiculous password that the site required, and so I was presented with 5 security questions I answered 2 years ago (and for which I did not know the correct answers because they were case sensitive, etc.). It seems like we have taken password security to absurd levels. Sorry just needed to vent.
Old 06-14-2013, 09:21 AM
It is absolutely not absurd. Although, our IT guys have told me that studies show that length is safer than complexity.

To avoid having to memorize strange collections of keystrokes, develop a physical pattern of using the shift keys and punctuation. Then start with a phrase you can remember and apply your pattern to it.

Case-sensitive answers to security questions?!?!? ... now *that* is absurd.
Old 06-14-2013, 09:43 AM
Quote (Originally Posted by KC_Sleuth):
Is there a particular reason why password security seems to be so non-uniform among all of these applications - so you can't create one password and use it for all systems/applications.
This is something you should practice yourself, especially for online accounts. Let's suppose you sign up for example.com and example.com is just a forum or whatever. Typically these passwords are encrypted in the database; that's a typical security measure and why no one can ever tell you what your password is and you need to create a new one. The password itself is the key to decrypt it. The encryption used is going to vary by the application, but it's not something that is uncrackable. If someone hacks example.com and gains access to the database, it's not a huge deal by itself if it's a forum like this one.

Here's the problem, many people use the same passwords on multiple accounts. Now they know what your email address is and they try the password you used on example.com to gain access to your email account. Next they browse through your email looking for what bank you use and head over to there to try the password and since the email address is often used for authentication and password changes they have access to that too.

This is why they want different passwords, if one is compromised the damage is minimized.

Quote (Originally Posted by KC_Sleuth):
I have literally seen people who have a paper list of passwords taped to their desks because there is no way that they could possibly remember all of the passwords they need to use on a daily basis. Who can remember that one application requires a password like P283!$horty131 and another requires P283Shorty131, and they have to be changed every three months
You should request to be able to use something like Keepass. This will store passwords encrypted, and allows you to automatically create very complex ones. You only have to remember one password. There are also a lot of other features, like being able to attach files to a password entry. This can be run from a USB stick.

Quote (Originally Posted by KC_Sleuth):
Today I had to log into a personal account and had forgotten the ridiculous password that the site required, and so I was presented with 5 security questions I answered 2 years ago (and for which I did not know the correct answers because they were case sensitive, etc.). It seems like we have taken password security to absurd levels. Sorry just needed to vent.
I don't like these because someone can figure them out; I don't answer them correctly and use a complex password for them that is not related to the question. Since I'm using Keepass I have no issue remembering them.

Last edited by thecoalman; 06-14-2013 at 09:55 AM..
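The post above describes a site's password table leaking and the plaintext being reused elsewhere. As an added example (not from the post or any particular forum software), here is how a site should hold those records: a per-user random salt and a deliberately slow one-way hash, so a stolen table yields no password directly and the same password registered at two sites produces unrelated stored values. The user names, passwords and the in-memory `db` dict are constructed for the demo.

```python
import hashlib
import hmac
import os

# Deliberately slow key derivation raises the cost of offline guessing after a
# database leak. Lowered from production-grade counts to keep the demo quick.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt means the same password
    stored at two sites (or by two users) yields unrelated digests."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; nothing is ever decrypted."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

# Constructed user record of the kind a forum's database holds.
# Only the salt and digest are persisted; the password itself never is.
def register(db: dict, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    db[username] = {"salt": salt, "digest": digest}

def login(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        # Burn the same cost for unknown users so timing does not reveal usernames.
        hash_password(password)
        return False
    return verify_password(password, rec["salt"], rec["digest"])

def reuse_demo(password: str = "P283Shorty131") -> bool:
    """Two sites storing the same password hold different digests, so one
    site's leaked table does not hand over the other's record. The danger the
    post describes comes from the plaintext being guessed and then reused."""
    site_a, site_b = {}, {}
    register(site_a, "kc", password)
    register(site_b, "kc", password)
    return site_a["kc"]["digest"] != site_b["kc"]["digest"]
```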
Old 06-14-2013, 10:48 AM
We've implemented Single Sign On at my work so it helps reduce passwords needed for web apps.
Old 06-14-2013, 12:17 PM
Single sign-on with a biometric key is where things will go eventually. Just don't use a Red Ryder BB gun and put your eye out, or you will be locked out of your computer access. The password stuff is just whoo-ha because nobody has bothered to rethink the basic problems.

As for those security questions - swear words usually work...
Old 06-14-2013, 06:11 PM
I'd say it depends on the application of it.
If you have internet-facing devices that the whole world can try their hand at, the very least of security should be not using a word that can be found in a dictionary, as most brute-force attacks will typically try to connect to, say, the wide-open RDP port and simply try a dictionary attack on common user accounts until it runs out of guesses or gets bored. However, the better idea for this would be to lock down who can actually remote into the device(s) in the first place by implementing a firewall with ACLs NOT set to allow ANY/ANY, and disabling standard user accounts and not creating other standard accounts.

The necessity for really strong passwords usually exists more in the realm of systems where the transmission of clear-text (basic authentication) or simple hashed credentials could be intercepted and decrypted without too much effort. In those cases, it's a good strategy to use high bit encryption for the transmittal of credentials outside of the local network. (I know this is fairly simple because you can crack a wireless access point's pre-shared key using WEP encryption in about 5 minutes flat using Backtrack 4...) [Which is why you shouldn't use WEP, no matter how complex you think your key is]

Ultimately, I think the necessity of overly-complex passwords hinges on poor security structure if it's all that stands in the way of being compromised. However, in concert with proper security structure, a system can be very well protected in the realm of authentication. Just, it's usually other things that lead to a compromised network, which is that piece of equipment that sits between the chair and the keyboard. Because no matter what you do, you can't account for the actions of the most dangerous individuals to any network. The trusted users of it.
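The dictionary attack against an exposed remote-logon port that the post describes leaves a countable trace: many failed logons from one source, across common account names, in a short span. As an added example (not from the post), here is a detector run over constructed audit lines; the log format, addresses and user names are made up for the demo, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-logon audit lines (not from any real system).
SAMPLE_LOG = """\
2013-06-14 18:11:02 FAILED user=administrator src=203.0.113.5
2013-06-14 18:11:05 FAILED user=admin src=203.0.113.5
2013-06-14 18:11:07 FAILED user=guest src=203.0.113.5
2013-06-14 18:11:09 FAILED user=root src=203.0.113.5
2013-06-14 18:11:12 FAILED user=administrator src=203.0.113.5
2013-06-14 18:11:14 FAILED user=test src=203.0.113.5
2013-06-14 18:11:15 FAILED user=administrator src=203.0.113.5
2013-06-14 18:15:40 FAILED user=jsmith src=198.51.100.7
2013-06-14 18:16:02 SUCCESS user=jsmith src=198.51.100.7
2013-06-14 18:40:11 FAILED user=jsmith src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

def parse(log: str):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_password_guessing(log: str, threshold: int = 5, window: int = 60) -> dict:
    """Flag sources with at least `threshold` failures inside any `window`-second
    span. Returns {src: sorted list of all usernames that source failed on}."""
    failures = defaultdict(list)
    users = defaultdict(set)
    for ts, result, user, src in parse(log):
        if result == "FAILED":
            failures[src].append(ts)
            users[src].add(user)
    flagged = {}
    span = timedelta(seconds=window)
    for src, times in failures.items():
        times.sort()
        # Sliding window: does any run of `threshold` failures fit inside `span`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= span:
                flagged[src] = sorted(users[src])
                break
    return flagged
```

A user who mistypes twice over half an hour (198.51.100.7 above) stays below the window, while the source cycling through default account names is reported together with the names it tried.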
Old 06-15-2013, 01:55 PM
I prefer passwords that include:
an upper case letter,
a number,
a haiku,
a hieroglyph,
and blood from a virgin.
Old 06-15-2013, 05:15 PM
Do you realize how hard it is to get blood from a virgin?

A favorite quote:

"I had a virgin once. I had to fly to Guatemala for her. She was blind in one eye and had a stuffed alligator that said 'Welcome to Miami Beach.'"
Old 06-17-2013, 10:50 AM
I'll second Keepass. Been working with it for a couple of weeks on a notebook and syncing with my phone. Also taking a look at Dashlane, but it's kind of annoying and somewhat removes the secure website logon, as it only requires the master pw on initialization each time.
Old 06-19-2013, 10:49 PM
I have actually closed my account at a bank and gone elsewhere, because I refuse to play their silly security question game. How the hell am I supposed to remember, five years from now, who I said my favorite singer was? You don't get to choose your own security questions; you have to choose from their list. I went and withdrew my money. Changing the world, one bank account at a time.

When I go to ESPN, I immediately get the blaring audio of the portal video. The only way I can turn it off is to get a login name and password at ESPN, which enables me to access their tools and defeat that annoyance. What the hell do I care if somebody guesses my "secure" password at ESPN?