Not Exactly What They Were Going For

Friday, June 4th, 2004

I got an e-mail last week from the IT Department at my place of business saying that our office has decided to “get tough” about computer network security. Now, passwords have to be changed at least once a month, and you have to have at least one number in your password (preferably not at the beginning or end).

Naturally, people have trouble remembering their ever-new passwords. So, at various secretarial stations, and on various corkboards in the offices of the higher ups, you see Post-it notes that say things like “carnival8” or “bird7bluejay.”

[cross-posted at Pieces of Flair]


19 Responses to “Not Exactly What They Were Going For”

  1. #1 |  Chris | 

    ahhh, security at its best. Hackers and terrorists stand no chance against us!

    Mu Ha ha ha ha ha!

  2. #2 |  Dean's World | 

    Poorly Thought-Out Security

    I’ve been involved in computer networking for literally decades–sadly it is a field I have all but completely lost interest in–and one of the things…

  3. #3 |  triticale | 

    Which is why I use passwords like (similar to) Mastrb8r and Peeb4ugo on the system where 8 characters, one capitalized and one numeric, changed every 90 days are required. That requirement only applies to the overall network. For the critical applications, the password is the same as the login, first initial and last name.

  4. #4 |  Kip | 

    But wait, there’s more: In my case (a very large Swiss bank) I have a network password, a proxy server password, an email password, a human resources password, a 401(k) password, a “secure applications” password, and a remote access PIN (not to mention the passcodes for my work voicemail, work cellphone and a hotline for which I share responsibility).

    And — get this — if you inadvertently err while passwording too many times, you get locked out, which means you have to visit yet another website and enter ALL of your three “secret questions” (not just the answers, mind you, but you have to remember your own questions AND the answers!)

    All in the name of efficiency and security…

  5. #5 |  Peter | 

    I can’t even remember my birthday, now I have to remember what sites require a number in their password, which ones want a symbol and whatever other crap they can do to make my life suck more than it already does.

  6. #6 |  Sternn | 

    Users here at our company recently had to change passwords to something not used before and had to be six characters. Quite a few people went with “123456”. Great security.

  7. #7 |  triticale | 

    Richard Feynman wrote that he had been able to open every safe at the Los Alamos labs during the Manhattan Project. Everyone who changed a combination from the factory defaults used their own birthday or other date findable in their files. This was at what should have been as secure a location as any in the world at the time.

  8. #8 |  Jim | 

    This begs the question: Is the greater threat to your network/computer internal or external?

  9. #9 |  Dr. T. | 

    Thanks for relaying a perfect example of how bureaucratic idiots have infested IT departments. Security is NOT improved by frequent password changes, since users either write down the passwords or create them using simple schemes known to all crackers. These are well-known facts, yet computer security “experts” still recommend frequent password changes.

    I work in a U. S. hospital. Password changes are required (by law) every 3 months. A new password cannot be the same or even similar to previous choices. Passwords must be at least 8 characters long, cannot contain your name, and must contain a lower case letter, an upper case letter, a number, and a symbol or punctuation mark. (Egads!97 is an example.) Fortunately, our digital signature password and our two user IDs are permanent.

  10. #10 |  Danno49 | 

    As an IT professional, let me state quite clearly here that a good password and password changing policy is always the best defense. That, coupled with us doing our job, makes it very difficult for hackers to do what they like to do.

    When I see people with their passwords written on post-it notes on their monitors, I take them down and tell the person that they need to exercise more caution and choose a password based on a phrase they know and will remember, substituting numbers for letters and adding the odd symbol here and there. For example:

    I like pizza. An easy phrase to remember. This becomes:

    1_l1k3-p155a

    Or something like that.

    Another thing people do is tape a note underneath their keyboard with their password on it. I shit-can those, too.

    People, it’s really not too hard if you put forth a modicum of effort and realize that security to your data as well as your company LAN resources is critical. Don’t just blow it off like, “Ah, those IT guys are a pain in the ass for making me do this.” Speaking for myself, I take it seriously as a point of professional necessity to ensure my users that they are in the safest computing environment possible. What the hell good am I if I don’t enforce basic tenets of good practice?

    Approach the issue like your livelihood depends on it because in most cases, it does. Even if you aren’t doing top secret spy stuff, it is still prudent to act as though you are (well, don’t get carried too far away). This helps develop good habits for when you do get that cool job.

    /rant

  11. #11 |  JS | 

    Jim – It’s generally believed that more security breaches occur from within than without, although I’ve never seen data to back that up.

    Dr. T – I don’t think it’s a matter of “bureaucratic idiots,” but a genuine balancing act in IT security. Force password changes too often, and people write them down in easy view. Force password changes too seldom (or not at all), and passwords get compromised over time. Perhaps three months is a bit short (especially as mandated by law), but how long, then?

    Personally, I think that the biggest problem with IT security (or even physical security) is that nobody but the responsible department takes it seriously, so there’s a lot of complaining about “unnecessary” rules. People need to learn to take security seriously as part of one’s *job*…abide by the rules (that are there for a reason) and don’t willfully compromise the system (by, say, leaving a post-it with your password on your monitor).

    If there are multiple systems with separate usernames and passwords, that’s a legitimate gripe, but a gripe that the IT department would share, in general…they don’t like supporting multiple systems any more than you like using them. These multiple systems arise as a usual part of systems development when no centralized system exists when the systems are created, there’s no funding to create one, or some of the systems are purchased. It can be difficult to get those in charge to sign off on something so expensive and strictly internal as a centralized authorization and authentication system. They may or may not take the security seriously, but it could just be a matter of best ROI.

  12. #12 |  John Holowach | 

    Well, most of my passwords are made up of words from dead languages. It’s not only fun to say, but hard to crack!

    *thumbs up*

    John
    narphonax.com

  13. #13 |  thorn | 

    “I like pizza. An easy phrase to remember. This becomes:

    1_l1k3-p155a”

    I dunno which is worse… the fact that you think “1_l1k3-p155a” is an easy phrase to remember, or the fact you think the rest of us should agree it’s easy.

    Thank god none of the hackers are geeks, and are therefore unaware of the popular geek habit of exchanging “3” for “e” and “5” for “Z”. ;)

  14. #14 |  David | 

    In response to Danno49, I work on developing user interfaces. All too often, data security departments seem to neglect human nature, putting far too strict constraints on user passwords. THIS is what results in passwords being scribbled on post-it notes, not user laziness. The way I see it, if I can spend thousands of man hours developing a system that reflects how a user works with data, data security can place the same scrutiny on determining how its users interact with security. If the process is too tough, it will backfire. Spend a little time understanding the users, not just security needs, and figure out something that works in the real world, not just on paper.

    And here’s an excellent article to read on the subject: http://www.asktog.com/columns/026Security.html

  15. #15 |  David | 

    And here’s a follow-up article.

    http://www.asktog.com/columns/058SecurityD'ohlts.html

  16. #16 |  JS | 

    John Holowach – That may work alright, but if you just use a single, unaltered word, it could be a simple matter of the cracker having the right dictionary for their password breaking program. It would still be better to include changes in case and punctuation, as well as a number.

    thorn – Your concern about the predisposition of hackers to perform common letter -> symbol substitution is not unfounded, and there are dictionaries that work on those substitutions. The password that Danno49 offered is probably alright, since it’s pretty long and uses multiple words. It’s probably sufficient to take two short words, concatenate them, change some case and intersperse numbers and punctuation:
    cat dog -> c7aTdO.g

    Another reasonable method is to memorize a sentence or phrase from a book or speech, and use the first letter from each word, with some different case letters and numbers and/or punctuation. Just make sure it’s not too famous or, say, on a poster in your office or anything.
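As an added illustration of the exchange above, not code from the post or from any of the commenters: Danno49’s “1_l1k3-p155a” satisfies a composition rule such as the one in the post (at least one digit), but thorn and JS point out that crackers’ word lists already undo the “3”-for-“e” and “5”-for-“s”/“z” swaps. The check below does the same thing on the defender’s side: it enumerates every spelling a password could have had before such substitutions and rejects it if one of them is nothing but dictionary words. The word list and the substitution table are constructed for the example; a real checker would load a large dictionary and a site-specific banned list.

```python
import itertools
import re

# Constructed word list standing in for the dictionaries JS mentions; a real
# checker would load a large one plus the site's own banned-word list.
WORDLIST = frozenset({
    "i", "like", "pizza", "cat", "dog", "bird", "bluejay", "carnival",
    "password", "welcome", "summer",
})

# Common letter -> digit/symbol swaps, mapped back to the letters they stand
# for. Assumed table for this example; "3" for "e" and "5" for "s"/"z" are the
# swaps the thread discusses.
DELEET = {
    "1": "il", "3": "e", "4": "a", "5": "sz", "0": "o", "7": "t",
    "2": "z", "8": "b", "@": "a", "$": "s", "!": "i", "|": "l",
}


def candidate_spellings(password, limit=1024):
    """Yield every lower-case spelling of `password` obtained by optionally
    undoing each substitution in DELEET (the original spelling comes first).

    The number of spellings grows with the count of substitutable characters,
    so enumeration stops after `limit` candidates. That cap is a cost
    trade-off: a very long leet string could slip past it.
    """
    choices = [[ch] + list(DELEET.get(ch, "")) for ch in password.lower()]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            return
        yield "".join(combo)


def looks_dictionary_based(password):
    """True when some de-leeted spelling of the password splits, on its
    non-letter characters, into nothing but dictionary words (with at least
    three letters in total, so a lone "1" read as "i" does not trigger it)."""
    for spelling in candidate_spellings(password):
        tokens = [t for t in re.split(r"[^a-z]+", spelling) if t]
        if sum(map(len, tokens)) >= 3 and all(t in WORDLIST for t in tokens):
            return True
    return False


def check_password(password, min_len=8):
    """Return the list of policy findings for `password`; empty means it passes.

    The composition rules are the ones quoted in the thread (a minimum length
    and a digit); the dictionary rule is thorn's objection turned into a check.
    """
    findings = []
    if len(password) < min_len:
        findings.append("shorter than %d characters" % min_len)
    if not re.search(r"\d", password):
        findings.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no letters")
    if looks_dictionary_based(password):
        findings.append("dictionary words with predictable substitutions")
    return findings


if __name__ == "__main__":
    # Passwords quoted in the post and the comments, run through the check.
    for pw in ("1_l1k3-p155a", "carnival8", "bird7bluejay", "c7aTdO.g", "123456"):
        print(pw, "->", check_password(pw) or ["ok"])
```

Note what the result says about JS’s “c7aTdO.g”: because the digit sits inside the word rather than replacing a letter, no de-leeted spelling splits into whole dictionary words, so the check passes it, whereas “1_l1k3-p155a” and the Post-it passwords from the post are all flagged.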

  17. #17 |  JD | 

    One point which no one has mentioned: while users’ habit of writing passwords on Post-It notes is a real pain, at least there is no RPIAC: Remote Post-It Access Protocol. Choose “abc123” as your password and every cracker from Peoria to Beijing will be able to get in; choose “4;iA{fG3” and write it down, and they have to have physical access.

  18. #18 |  JS | 

    David – The problem is that human nature != acceptable security (at least in many instances), as we tend to choose passwords that can be easy to guess. As a community, IT security has worked to make the password selection process easier, by providing “helpful hints,” as Danno49 and I have done, but that doesn’t abate the base problem.

    If we want to talk about abandoning the password mechanic altogether, that’s fair enough, but I think that, of the 3 main authentication methods (something you have, something you are, or something you know), it’s the easiest to use and design. The alternatives require more specialized equipment and suffer from altogether different problems. Something you have, like a key or a SecurID card, can be taken. Something you are usually requires biometrics of some sort, which many people object to.

    I guess, of the two (strict password rules with post-its or loose password rules with easy to guess passwords), we may still be better off with the strict policy…at least you may be limited to people with physical access, then.

    As to arbitrary limits on password choice (fewer characters, some characters not allowed), sending password confirmations in cleartext, or the lack of a centralized authentication method (which Tog speaks to, although he doesn’t call it that, directly), I can do nothing but agree. The first two are just silly…nobody should design such a system. Concerning the latter, however, I can only restate that these schemes usually aren’t engineered that way, but evolve over the course of systems development in an institution, either because systems were purchased and are not easily integrated into a central authorization structure, or they were developed in-house without a central structure in mind (usually either at different times or by separate groups).