I.T. guys, what am I missing here?

[aap1966]

So, at my workplace we have to change our log on passwords every 6 weeks.
Irritating, but I can see why.
It's always been at least 6 characters, a mix of upper & lower case and numbers, and not one we've used in the last 6 months.
OK, also cool.

But when we try to change it, if it's not accepted we just get a "new password does not comply with security requirements'. So we try again. The other day after 5 attempts I had got to 13 characters including 5 numbers and 3 capitals, 2 special characters, still not accepted. No names, no relation to the industry, no "PA55WORD" type attempts.

So I ring IT to ask just what ARE the new security requirements?
"We can't tell you, because...security, but we can just reset it for you if you want"
"Great, so what's it to be?"

"Hello1"



Err,.......OK thanks.

[Tishabet]

[wdfifteen]

Dreaming up new passwords is always a problem for me. Ive started copying characters off of ads and things that pop up on screen. To remember I take a screen shot of it. Using the post above as an example, I’d have a password, “1000GUESSES/sec”

[KFC911]

When I was in IT, we had key fobs with dynamic passwords for a lot of stuff. The processing power to crunch through password "guessing" has surpasaed the old daze imo...

I use long sentences.....the longer the better to increase the difficulty, easy to remember, and with some special characters thrown in....

KCisahugebiglydummywithno$butstillnumber9

Never written down a password in my life....could use the serial # from my Schwinn decades ago too ...way too short

[1990C4S]

Find a password that works and add two digits at the end. Increment the digits monthly.

Or use your initials (uppercase) '@' then a lower case word, plus two digits. That usually works and easy to remember.

[KFC911]

Quote:

Originally Posted by 1990C4S

Find a password that works and add two digits at the end. Increment the digits monthly.

Or use your initials (uppercase) '@' then a lower case word, plus two digits. That usually works and easy to remember.

Not nearly long enough...seriously.

It's just 1s and 0s at the end of the day....todays processing power overpowers shorter passwords...8 characters isn't long enough anymore...jmo.

[masraum]

"We can't tell you, because...security"

That's stupid BS. Someone at your company is a moron.

[masraum]

Quote:

Originally Posted by Tishabet

^Absolutely true^

Quote:

Originally Posted by 1990C4S

Find a password that works and add two digits at the end. Increment the digits monthly.

Or use your initials (uppercase) '@' then a lower case word, plus two digits. That usually works and easy to remember.

^Absolutely true^

[KFC911]

Make 'em longer guys....I'm just sayin'

8 characters isn't long enough....

[MBAtarga]

Quote:

Originally Posted by 1990C4S

Find a password that works and add two digits at the end. Increment the digits monthly.

Or use your initials (uppercase) '@' then a lower case word, plus two digits. That usually works and easy to remember.

Most systems require 3 characters to change for each new password timeout period. Incrementing the numbers won't be accepted.

[T77911S]

Quote:

Originally Posted by aap1966

So, at my workplace we have to change our log on passwords every 6 weeks.
Irritating, but I can see why.
It's always been at least 6 characters, a mix of upper & lower case and numbers, and not one we've used in the last 6 months.
OK, also cool.

But when we try to change it, if it's not accepted we just get a "new password does not comply with security requirements'. So we try again. The other day after 5 attempts I had got to 13 characters including 5 numbers and 3 capitals, 2 special characters, still not accepted. No names, no relation to the industry, no "PA55WORD" type attempts.

So I ring IT to ask just what ARE the new security requirements?
"We can't tell you, because...security, but we can just reset it for you if you want"
"Great, so what's it to be?"

"Hello1"



Err,.......OK thanks.

yea, I love it.
I go through the same crap.

I have ones that start 30 days out telling me my password will expire. thing is, if I DONT change it it does not come up with the change password screen, it locks me out,

then I have ones that when I DO change my password it logs me out for 15min after changing it.

I have a list of around 40 passwords I have to keep track of,

now they gave us Iphones that have the thumb print to get into it with, I STILL have a password and I just had to change THAT one.
most of the time I have to use the password to get into it instead of my print.
then I have a password for software updates on it and I don't remember it so I cant get rid of the annoying software update notification.

I have 2 passwords just to turn on my computer plus an ID badge that goes in it.


years ago we had a program that you had to enter a password to generate a password

[masraum]

Quote:

Originally Posted by KC911

Not nearly long enough...seriously.

It's just 1s and 0s at the end of the day....todays processing power overpowers shorter passwords...8 characters isn't long enough anymore...jmo.

Not enough to really be secure, but enough to satisfy the avg corp IT Sec person.

Just have to make sure that if you use a phrase/sentence, it's not a line from your favorite song/story/poem or even a random line of text from any book or written text because if it's out there written down somewhere, they can and will try it.

Quote:

Originally Posted by KC911

Make 'em longer guys....I'm just sayin'

8 characters isn't long enough....

Unfortunately, there are still some places that have length limits.

[masraum]

Quote:

Originally Posted by MBAtarga

Most systems require 3 characters to change for each new password timeout period. Incrementing the numbers won't be accepted.

I haven't had that experience

[stealthn]

Does your IT reside in Mumbai?

[RANDY P]

I'll bet the special characters are what's hanging you up. It's not just any special character- only some are acceptable.

Also, if the password is too complex and too many changes required, that means people will start using post-it's on the computer. Remind em of that.

[id10t]

Come up with a pass sentence or saying, and then abbreviate it.

"The formula to convert temperatures is 5f minus 9c is equal to 160"

TheFtcTemps:5f-9c=160

[Deschodt]

The problem with "correct Horse Battery staple" above is most places won't let you. They ask for some all caps, some number, $#^*% characters, and will also we wise to number substitution at the end... (you cannot increment your password at my last 2 jobs, it knows and tells you it's too similar)

Now they also want 14 character and monthly changes... Do you know how people remember those? That's right, written on a post it note on their desk, because that's too stupidly hard.

CTO finally wised up and we're going to dual factor now with a phone or token.

[Deschodt]

PS: I work a lot with security - well technically security gives me a lot of work, because they are the seagulls of IT : they come, crap all over you, and fly away leaving you with the work ;-)

Bottom line is every major organization has been breached, your data, research, ID are already in the wrong hands, most of what's being done now (network access control, intrusion detection, Antivirus, firewall, etc..) is to satisfy the legalities and not get sued... And yet we keep buying smart devices all around our homes and doing everything online, and I bet our nuclear power plants computers have web access too...

I'll repost this, and replace voting software with ANY software... even that of your smart fridge.

[GH85Carrera]

I see so many software packages wanting to go back to running everything from "the cloud" and I resist. I have a good internet provider, but I have gone a day with no internet. I can't imagine no way to get to my data or programs.

I store all my data, all of it, locally. I don't trust any on line "cloud" at all. Apple has been hacked, Microsoft, the FBI and CIA have been hacked, banks are hacked. I have to use a bank to keep the IRS happy, and it is FDIC insured, and we have paper records so my money is safe. (I hope)

Our company is a microscopic tiny part of the world. We don't think of ourselves as hacker proof, but we are smart enough to not fall for BS phishing or email scams.

I have been using computers since the days before viruses. I remember discussing viruses with a doctor friend and how they were going to be a fact of life in the near future. The terms anti-virus was a novel thing back then. Then the internet became a major part of every business. It has totally changed so many things. I have never had a virus, or trojan, and I plan to keep it that way.

[VincentVega]

Right, air gap it and no issues. Then you need functionality.

Every org should have a stated security policy. But, just use a phrase. IlovebuyingpartsFromPelican!