It's time to stop asking users for periodic password changes

I still would not use w3w for that, since their method isn't open and their service might just cease to exist, which would leave you in the pickle of not being able to retrieve your password.

Good point - but offset by the fact that three words become instantly more memorable than a random set of cruft generated by the likes of LastPass. I would only use w3w to manually create the password, not to access (or store) it via any interface. The only benefit (cf. inventing my own three words for a password) is that if I do forget it, I just have to have also remembered or documented the location to retrieve it - but as you say, only if they are still in business.
Maybe I'll just tear off another post-it instead, and add it to the others on the frame of my monitor! :wink:

The talking horse method works quite fine for memorising, I think. :wink:

Another good point. As long as one does not end up with a horse in an incorrect battery stable.

3 Likes

Having contributed to a massive derail, I'd like to share some experience of my own.

I used to work at various research facilities, and also in some private companies. Password security is usually not on their list if they think about IT security. Even SAP stuff was just secured with a simple stable password.

Another thing I came to know, however, is a special form of security theater. I know someone who works at the IT department of a certain employer, and I have seen other related employers. Let me write the book…

Chapter 1: one word to rule them all
From what I have seen and heard, there is one single password for most services in most agencies. Windows PC, local and remote servers for R, GIS, the git-service servers, time management system, travel management system, email, everything. If your PW gets compromised, you are fucked everywhere. The single exception is SAP, which has its own password.

Five failed attempts lock you out. Of everything. Except SAP. The first thing you notice is, e.g., that the in-house git server does not accept your push. Next, you can't write an email to IT support about this. You reach for your phone, can't get through, and in the meantime your PC went into screen lock and you can't log in again.

However, if someone has your PW, they theoretically can access everything (as long as they have penetrated the firewall).

Chapter 2: do not write it down, they said?
Both your PW for SAP and the system need to be changed regularly, need a certain length and other (usual) characteristics. That’s annoying, but manageable. Or so you thought. Because one rule is you can’t reuse old PWs, and apparently there is a system which limits permutations (I suppose some kind of distance measurement like Levenshtein’s).
Of course, this means people have a Word file with their passwords, somewhere. Very few are tech-savvy enough to have a password manager.
Talking about password managers…

Chapter 3: cloudy, with intermittent showers
Anything cloud is bad. No one is allowed to use cloud services. Which means that password managers are not accessible from another device. So, if you are locked out of your accounts (including your Windows logon, of course) you can't access your password manager. Or your Word file.
Just BTW, this also means that GitHub is off limits, and the in-house git service server is unreachable from the outside. Same is true for Dropbox, AWS, Azure, Doodle, anything on other people's computers: you don't use it, because they are considered a threat to security.
Which of course leads to the next chapter.

Chapter 4: the things you mail
Of course, if you can't exchange files via services in the cloud, people mail you stuff. Yeah, there's antivirus software, and some server-side solutions as well. However, you get mailed all sorts of documents and code. From all over the world. Sometimes via people from other institutions you might have had no contact with before, because they have been assigned to a project or task you might be involved with. It's not unsolicited mail, right? It's official. Oh, and you get mail and tons of files from subcontractors, of course. You don't know anything about their IT security (or you might, and it's nearly non-existent).

Oh, did I mention all PCs run Windows 7?
You know what prevents all sorts of problems and attacks? Right you are.

Chapter 5: no administration rights.
Software is rolled out through a repository. Only approved software can be installed. This keeps everyone safe, right?

As everyone knows, classical plays have either three or five acts. I don’t write plays. But from what I have seen, this theater is nothing like The Globe, and the play given is nothing like Macbeth. Maybe it should be a fable?
IDK. But I doubt I can learn anything from that besides that working with people who are very, very afraid of some IT security breach does not mean they take IT security seriously enough to actually think about it in detail.

3 Likes
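The "distance measurement like Levenshtein's" speculated about in Chapter 2 is how some password-change policies really work, so here is an added example of such a check. It is not code from the post above or from any product the poster's employer uses; the edit-distance threshold (4), the normalisation rules, the PBKDF2 parameters and the sample passwords are all assumptions made for the illustration. The caveat worth noting is built into the code: a similarity check can only be run against the *current* password, which the user has just typed to authorise the change. Older passwords exist only as salted hashes, so reuse of those is detectable only when it is exact.

```python
"""Added example (not from the post): password-change policy with a
Levenshtein similarity check against the current password plus an
exact-match check against a hashed history.  Thresholds and samples are
assumptions for illustration only."""
import hashlib
import hmac
import os
import re

# Assumed policy knobs: minimum edit distance after normalisation, and
# PBKDF2 work factor for the stored history hashes.
MIN_EDIT_DISTANCE = 4
PBKDF2_ITERATIONS = 100_000

# Common "leet" substitutions folded back to letters before comparing,
# so P4ssw0rd and Password are treated as the same word.
_LEET = str.maketrans("01345@$", "oieasas")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via the classic
    two-row dynamic programme, O(len(a) * len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Collapse the usual rotation tricks: case, a trailing counter or
    punctuation run (Spring2019! -> spring), and leet digits."""
    s = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", s) or s   # all-digit passwords stay as-is
    return core.translate(_LEET)


def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def in_history(pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Exact reuse check: recompute the hash under each stored salt.
    No plaintext is kept, so this cannot detect *near* reuse."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def check_new_password(old_pw: str, new_pw: str,
                       history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the change
    is allowed.  old_pw is the current password the user just typed, the
    only plaintext available for a similarity test."""
    problems = []
    if in_history(new_pw, history):
        problems.append("password was used before")
    d = levenshtein(normalize(old_pw), normalize(new_pw))
    if d < MIN_EDIT_DISTANCE:
        problems.append(
            f"too similar to current password (edit distance {d} < {MIN_EDIT_DISTANCE})")
    return problems


if __name__ == "__main__":
    # Constructed sample history: the two most recent passwords, hashed.
    history = [hash_password(p) for p in ["Winter2018!", "Spring2019!"]]
    for candidate in ["Spring2020!", "Winter2018!", "correct horse battery staple"]:
        print(candidate, "->", check_new_password("Spring2019!", candidate, history) or "OK")
```

Running the block rejects `Spring2020!` as too similar (both normalise to `spring`), rejects `Winter2018!` as exact reuse, and accepts the passphrase. Note what the check does not do: it cannot tell that `Winter2018x` is a near-copy of a password two changes back, because that entry is only a hash, and it does nothing about the Word file on the desktop that the rotation rule produces in the first place.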

Maybe (most?) websites don’t do this anymore, but the problem with this is that some websites, instead of asking a challenge question, would give multiple choice, for example:

In which city were you born?
A. Boston
B. Lefthand paperback
C. Tuscaloosa
D. North Haverbrook

Then it’s pretty easy to guess.

I’ve found that they also do this where they want you to verify some part of your credit history, where one of the choices for previous address is something improbable, e.g. “14997 Macadamia Evergreen” and an intruder knows they can probably rule out that choice.

1 Like

Sadly I didn't last long (3 months, give or take a week) at my last sysadmin job. I imagine part of it was not being so nice to the customer when they would say things like "we have a password policy in our docs" and, when I am peeking at the password enforcement policies via GPO, there are none, and I say "umm, but it isn't being enforced" and get a reply of "we have a policy on paper so we are good". That head-in-the-sand crap contributed. If they get hacked, at least I brought it up.

Anyway, I left more because of: oh yeah, it is only 35 hours a week; oh yeah, you have a 2 or 4 day furlough this month… every month.

4 Likes

One of the banks where I had an account used the multiple-choice method years ago but must have gotten better advice and changed. I prefer the ones that let you create both your own questions and answers.

3 Likes

Just FTR 2FA: bank contacted me. They are ceasing sending a 2FA code via SMS. Instead, you have to use one of two proprietary 2FA systems they provide. The two work with devices you have to purchase from the bank, one of them also allows a 2FA with a proprietary smartphone app (which I tried to register for, to no avail, in the past).

It’s 2019, for fucks sake.

Oh, and they changed from account number plus PIN as login to an ID plus password, or fingerprint via the proprietary app. (As said, which doesn’t work for me, for some reason).

I’m going to shut down this account. This is simply not worth my money.

2 Likes

This topic was automatically closed after 5 days. New replies are no longer allowed.