Too many password changes


    #11
    Last IB I was at I had a passwords.txt file on my desktop because you needed to know about 20 passwords for the multitude of crappy systems they had.

    My boss nearly had a heart attack when he saw it.



      #12
      Get your people to use one of these.

      They are very cheap.

      http://en.wikipedia.org/wiki/Digipass

      Then a PIN does not need to be changed very often, as you need a PIN and a code from the keyfob to log in.
      Last edited by DimPrawn; 26 March 2009, 15:01.



        #13
        Originally posted by Mich the Tester:
        Most security threats are internal and not from hackers; same as with shops, where most theft is actually committed by staff.
        Is that really true?
        I'm sorry, but I'll make no apologies for this

        Pogle is awarded +5 Xeno Geek Points.
        CUK University Challenge Champions 2010
        CUK University Challenge Champions 2012



          #14
          The best solution I've seen was a smart card plus card reader, which could remember passwords by application. It also invoked a password protected screen saver when you took it out of the reader. Neat, though I've no idea how much it cost.
          Behold the warranty -- the bold print giveth and the fine print taketh away.



            #15
            Originally posted by Pogle:
            Is that really true?
            Yep. It's the nightmare of shopkeepers; the bigger chains can afford counter-measures, screening and so on, but small shopkeepers can't afford all that and unfortunately lose quite a lot of stock to unreliable staff.

            Someone who calls the helpdesk for a new password will often be given the standard 'new password of the month', which is often something like 'Welcome1' or 'March09'. If someone steals a letter from your bin and gets into your office on an excuse like a job application or a sales meeting, he might get 5 minutes to go and sit behind an empty workstation; that's all it takes for him to block the existing account with 3 login attempts, then call the helpdesk with your name and address to get a new login and password and happily steal company secrets or even money. That's how industrial espionage works; much easier than we may think.
            And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



              #16
              At my previous role at an IB, my login was not set up on my first day. My manager kindly allowed me to use his login until it was sorted. His password was Password138. He had been there for a while...



                #17
                Originally posted by Mich the Tester:
                Someone who calls helpdesk for a new password will often be given the standard 'new password of the month', which is often something like 'Welcome1' or 'March09'; ...
                At one place they asked for proper personal details, which was better.

                But it didn't matter which help desk jockey you got; if you were English, they'd reset your password to "London".

                Then there was the large computer manufacturer. When you enabled an account for dial in diagnosis, they'd always set the password to the day of the week when they were done.
                Behold the warranty -- the bold print giveth and the fine print taketh away.



                  #18
                  Originally posted by original PM:
                  I would have thought that if anyone seriously wanted to hack into the servers they would find a better way than nicking someone's password.

                  Or am I just naive?
                  In all honesty, yes; as soon as you know their username format it's very easy to get into senior managers' accounts with a small amount of research.

                  When it comes to incremental passwords and people using names of family and pets as password origins, those are a fact of human nature.

                  There's no such thing as a secure password system; it's a matter of limiting the possible damage caused by an internal attack and making external attacks as tricky as possible.



                    #19
                    Originally posted by Mich the Tester:
                    If you make people change their password every couple of weeks, doesn’t that lead to a security problem?

                    They’re likely to choose the name of their partner/home village/pet/themselves plus a number, e.g.
                    Pete1
                    Pete2
                    Pete3
                    and so on

                    If they are forced to bring some variety into it, i.e. not using words they've used before, they're likely to write their password down, because they have to remember passwords for PCs at home and work, passwords for apps, codes for stupid time reporting systems (that's another rant I've done earlier), PINs for their bank cards etc. The act of writing down the password is in itself another security risk.

                    I can understand the need to change passwords from time to time, but surely once every two weeks is overdoing it and actually lessening security?
                    If your security system allows you to create passwords like the above then it is at fault. Once your password has run out you should not be allowed to increment it nor use the same words in the new one. At the last company I was at, the passwords ran out every 90 days and you had to create a new one, which was fine by me, except I had problems thinking up something easy for me to remember using 3 letters, 2 numbers then 3 letters. Write them down, but not so that it's easy for someone to know what they're for. I used to write them randomly in my notepad. Suggest reading some of Bruce Schneier's comments on passwords; very interesting and illuminating.

                    As an aside, some years ago I worked for a software company where I would have to visit customers and install/upgrade software. The software was delivered with a default userid and password which should be changed after installation, particularly as it was an administrative user. The number of companies I visited that hadn't performed this simple task was unbelievable. Even now, with software that I have been installing all over the world, I use a default password that companies have not changed, and these are Unix/Linux systems where root access is required; some are very big companies, a lot are software houses, and I know all their passwords. How much is that worth to a nefarious person?
                    Brexit is having a wee in the middle of the room at a house party because nobody is talking to you, and then complaining about the smell.

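As an added example (not code from any poster in this thread), here is a password-change check in Python that enforces what the reply above asks for: no incrementing the number, no reusing the word part of an earlier password, and none of the 'password of the month' or day-of-the-week values mentioned elsewhere in the thread. The history list and the pattern list are constructed for illustration.

```python
import re

# Constructed password history for one account (illustrative, not real data).
HISTORY = ["Pete1", "Pete2", "Pete3"]

# Patterns for values the thread calls out: 'Welcome1', 'March09',
# 'Password138', and dial-in passwords set to the day of the week.
COMMON_PATTERNS = [
    r"(?i)^welcome\d*$",
    r"(?i)^password\d*$",
    r"(?i)^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}$",
    r"(?i)^(mon|tues|wednes|thurs|fri|satur|sun)day$",
]


def stem(pw):
    """Letters-only core of a password, lowercased: 'Pete3' -> 'pete'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_increment(old, new):
    """True if new is old with only the trailing digits changed (Pete2 -> Pete3)."""
    old_base, _ = re.fullmatch(r"(.*?)(\d*)", old).groups()
    new_base, _ = re.fullmatch(r"(.*?)(\d*)", new).groups()
    return old_base != "" and old_base == new_base and old != new


def check_new_password(new, history):
    """Return the list of reasons to reject `new`; an empty list means accept."""
    reasons = []
    if any(re.match(p, new) for p in COMMON_PATTERNS):
        reasons.append("matches a well-known helpdesk/default pattern")
    if new in history:
        reasons.append("reused verbatim")
    elif any(is_increment(old, new) for old in history):
        reasons.append("same base with only the number changed")
    elif stem(new) and stem(new) in {stem(old) for old in history}:
        reasons.append("reuses the word part of a previous password")
    return reasons


if __name__ == "__main__":
    for candidate in ["Pete4", "pete!", "Welcome1", "correct-horse-battery"]:
        print(candidate, "->", check_new_password(candidate, HISTORY) or "ok")
```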


                      #20
                      The last time I was a permie (a safe haven towards the end of the dotcom slump) I was asked by my boss to call somebody at a client - "Apparently she's in charge of the web site and knows the FTP password, tell her Fred Bloggs wants us to upload some jpegs of the new design so he can have a look at them."

                      So I phoned up this lass:

                      Me: "Hi, I'm from Such-and-Such Co; I need the FTP username and password for your website so I can upload some files."

                      Her: "Well, I really shouldn't tell you that - who are you again?"

                      Me: "I'm from Such-and-Such Co, and Fred Bloggs really wants to look at these files and asked us to upload them to the website. He said you'd give us the username and password. If you want to call him and check it's OK, that's fine - you can call me back."

                      Her: "Oh, Mr Bloggs asked for it... well I suppose that's all right then. The username is 'sonia' and the password is... oh, you'll laugh at me when I tell you... but it's 'password'."



                      Now, I wasn't aware that Mr Bloggs was actually the MD of this big international company; but the fact that merely suggesting that she check with him was enough to make her cough up the (lamentably poor) username and password, rather than disturb him, was astonishing. It was only after I'd hung up that it occurred to me that, although my request was legitimate, I'd actually carried out a bit of social engineering without even meaning to.

                      And yes... I've changed the username up there, but the password was, indeed, "password".
