I.T. guys, what am I missing here?
 

So, at my workplace we have to change our log on passwords every 6 weeks.
Irritating, but I can see why.
It's always been at least 6 characters, a mix of upper & lower case and numbers, and not one we've used in the last 6 months.
OK, also cool.

But when we try to change it, if it's not accepted we just get a "new password does not comply with security requirements'. So we try again. The other day after 5 attempts I had got to 13 characters including 5 numbers and 3 capitals, 2 special characters, still not accepted. No names, no relation to the industry, no "PA55WORD" type attempts.

So I ring IT to ask just what ARE the new security requirements?
"We can't tell you, because...security, but we can just reset it for you if you want"
"Great, so what's it to be?"

"Hello1"



Err,.......OK thanks. :confused:

Dreaming up new passwords is always a problem for me. Ive started copying characters off of ads and things that pop up on screen. To remember I take a screen shot of it. Using the post above as an example, I’d have a password, “1000GUESSES/sec”

When I was in IT, we had key fobs with dynamic passwords for a lot of stuff. The processing power to crunch through password "guessing" has surpasaed the old daze imo...

I use long sentences.....the longer the better to increase the difficulty, easy to remember, and with some special characters thrown in....

KCisahugebiglydummywithno$butstillnumber9

Never written down a password in my life....could use the serial # from my Schwinn decades ago too ...way too short ;)

Find a password that works and add two digits at the end. Increment the digits monthly.

Or use your initials (uppercase) '@' then a lower case word, plus two digits. That usually works and easy to remember.

Not nearly long enough...seriously.

It's just 1s and 0s at the end of the day....todays processing power overpowers shorter passwords...8 characters isn't long enough anymore...jmo.

"We can't tell you, because...security"

That's stupid BS. Someone at your company is a moron.

^Absolutely true^
^Absolutely true^

Make 'em longer guys....I'm just sayin' ;)

8 characters isn't long enough....

Most systems require 3 characters to change for each new password timeout period. Incrementing the numbers won't be accepted.

yea, I love it.
I go through the same crap.

I have ones that start 30 days out telling me my password will expire. thing is, if I DONT change it it does not come up with the change password screen, it locks me out,

then I have ones that when I DO change my password it logs me out for 15min after changing it.

I have a list of around 40 passwords I have to keep track of,

now they gave us Iphones that have the thumb print to get into it with, I STILL have a password and I just had to change THAT one. :mad::mad::mad::mad:
most of the time I have to use the password to get into it instead of my print.
then I have a password for software updates on it and I don't remember it so I cant get rid of the annoying software update notification.

I have 2 passwords just to turn on my computer plus an ID badge that goes in it.


years ago we had a program that you had to enter a password to generate a password

Not enough to really be secure, but enough to satisfy the avg corp IT Sec person.

Just have to make sure that if you use a phrase/sentence, it's not a line from your favorite song/story/poem or even a random line of text from any book or written text because if it's out there written down somewhere, they can and will try it.

Unfortunately, there are still some places that have length limits.

I haven't had that experience

Does your IT reside in Mumbai?

I'll bet the special characters are what's hanging you up. It's not just any special character- only some are acceptable.

Also, if the password is too complex and too many changes required, that means people will start using post-it's on the computer. Remind em of that.

Come up with a pass sentence or saying, and then abbreviate it.

"The formula to convert temperatures is 5f minus 9c is equal to 160"

TheFtcTemps:5f-9c=160

The problem with "correct Horse Battery staple" above is most places won't let you. They ask for some all caps, some number, $#^*% characters, and will also we wise to number substitution at the end... (you cannot increment your password at my last 2 jobs, it knows and tells you it's too similar)

Now they also want 14 character and monthly changes... Do you know how people remember those? That's right, written on a post it note on their desk, because that's too stupidly hard.

CTO finally wised up and we're going to dual factor now with a phone or token.

PS: I work a lot with security - well technically security gives me a lot of work, because they are the seagulls of IT : they come, crap all over you, and fly away leaving you with the work ;-)

Bottom line is every major organization has been breached, your data, research, ID are already in the wrong hands, most of what's being done now (network access control, intrusion detection, Antivirus, firewall, etc..) is to satisfy the legalities and not get sued... And yet we keep buying smart devices all around our homes and doing everything online, and I bet our nuclear power plants computers have web access too...

I'll repost this, and replace voting software with ANY software... even that of your smart fridge.

http://forums.pelicanparts.com/uploa...1551800823.png

I see so many software packages wanting to go back to running everything from "the cloud" and I resist. I have a good internet provider, but I have gone a day with no internet. I can't imagine no way to get to my data or programs.

I store all my data, all of it, locally. I don't trust any on line "cloud" at all. Apple has been hacked, Microsoft, the FBI and CIA have been hacked, banks are hacked. I have to use a bank to keep the IRS happy, and it is FDIC insured, and we have paper records so my money is safe. (I hope)

Our company is a microscopic tiny part of the world. We don't think of ourselves as hacker proof, but we are smart enough to not fall for BS phishing or email scams.

I have been using computers since the days before viruses. I remember discussing viruses with a doctor friend and how they were going to be a fact of life in the near future. The terms anti-virus was a novel thing back then. Then the internet became a major part of every business. It has totally changed so many things. I have never had a virus, or trojan, and I plan to keep it that way.

Right, air gap it and no issues. Then you need functionality.

Every org should have a stated security policy. But, just use a phrase. IlovebuyingpartsFromPelican!

forgot to say
the character you start with or end with can be wrong.
been through the same thing where they don't tell us the rules, and whats worse is they have changed the rules and don't tell us. so like in the past the character was a CAP, now it has to be lower case

Just call every day your tech support and have them reset it.

We require 14 characters and we also require spaces and after a few tries we lock your account if you don't get it right. Do it bad again and it gets locked for a longer period of time, and so forth. For someone to use a brute force technique would take a really long time. Most guidelines are very out of date and you could go six months between password changes and be relatively safe. That also keeps people from writing them down so much.

What we don't allow is a pass phrase similar to the last one, so you couldn't do something like "horse staple porsche 911" then "horse staple E30 M3" and you certainly cannot just increment numbers tacked on the end.

You can use a password manager on your phone/PC for those other places.

NIST says non-expiring are safe if you use the cartoon example.