[Discuss] A Little OT: The Password Post-It

Drew Van Zandt drew.vanzandt at gmail.com
Wed Apr 18 12:35:43 EDT 2012


Password complexity requirements are:
1) Poorly implemented
2) Closer to security theater than actual security

Frequent password changes are even more likely to lead to either wasted
time for IT and users ("I forgot my new password...again") or post-it
passwords.

I don't think either of these messages will ever make it to IT management,
though.

I think if I were designing the perfect password requirements, it would
look something like:
* IT has a password-crack server with a good dictionary, which includes
names, sports teams, etc., all the trimmings a good password crack attempt
needs.
* No stupid password rules, but the server rolls through and tries to crack
passwords, with a focus on new/recently changed passwords.  If it cracks one,
the user has to change their password.


*
Drew Van Zandt
Artisan's Asylum Craft Lead, Electronics & Robotics
Cam # US2010035593 (M:Liam Hopkins R: Bastian Rotgeld)
Domain Coordinator, MA-003-D.  Masquerade aVST
*
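The set-time variant of the proposal above, as an added example rather than anything from Drew's post: the same dictionary a cracking server would use (names, sports teams, common words) is applied when a user picks a new password, after the normalization a cracker would try, so a weak choice is rejected before it ever reaches the hash store. The wordlist and mangling rules are constructed for illustration.

```python
"""Dictionary-based password check at change time (constructed example)."""
import re

# Constructed stand-in for a large cracking dictionary.
WORDLIST = {"password", "welcome", "summer", "boston", "celtics", "redsox",
            "patriots", "bruins", "michael", "jennifer"}

# Undo common letter/symbol substitutions: 0->o 1->l 3->e 4->a @->a $->s !->i |->l
LEET = str.maketrans("0134@$!|", "oleaasil")

# Leading or trailing runs of digits/symbols, e.g. "celtics2012!" -> "celtics"
EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def _candidates(pw):
    """Yield the normalized forms a cracker would try first."""
    base = pw.lower()
    stripped = EDGE_JUNK.sub("", base)
    yield base
    yield stripped
    yield base.translate(LEET)
    yield stripped.translate(LEET)


def is_dictionary_password(pw, wordlist=WORDLIST):
    """True if pw reduces to a wordlist entry under common mangling."""
    return any(cand in wordlist for cand in _candidates(pw))


def check_new_password(pw, min_len=12):
    """Gate for a password change. Returns (accepted, reason).

    Length is the only structural rule; everything else is the dictionary.
    """
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if is_dictionary_password(pw):
        return False, "matches the audit dictionary after normalization"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Celtics2012!", "P@ssw0rd", "R3dS0x!!", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw))
```

Logging rejected passwords' normalized form (never the password itself) gives IT the list of dictionary entries that users actually reach for, which is the feedback the post's crack server would otherwise provide.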



On Wed, Apr 18, 2012 at 11:45 AM, Chris O'Connell <omegahalo at gmail.com> wrote:

> Greetings All,
>
> I've noticed that some of my users have been writing their passwords on
> post-its and leaving them all over the place.  Our office has a Written
> Information Security Policy that each user signed, stating that passwords
> are not to be written down and stored in plain sight.  Management at my
> company isn't interested in disciplining anyone regarding these violations.
>
> As some of my users are in their late 70s and late 80s, I kind of
> understand the need to write passwords down.  However, some of my other
> users are just plain dumb and complain all day about how many passwords
> they have to remember and how hard their lives are as a result.  One
> particularly whiny person can't remember the four digit alarm code that she
> uses every day to get into our building.  As a result she has written it on
> the back of her business card and leaves it in her cell phone case.
>
> I've come to realize that making things "more secure" is actually making
> our information systems less secure.  Further, adding levels of
> security is making the computer using experience at my organization more
> challenging for the already technically challenged.  For example, enabling
> password complexity requirements just makes things harder for people to
> remember.  The result is more passwords written on post-its.
>
> I think we, as IT professionals, have to acknowledge that not all of our
> users are as savvy as we are.  Not everyone is going to be capable of keeping
> their passwords straight.
>
> Perhaps the solution is to make things easier for our end users.  I'm
> thinking now that I should install a single-sign-on software on all
> workstations.  Once a user logs in they will never have to enter a password
> again (after the initial setup at least).  On its face, this may seem like
> a terrible solution.  I'm thinking though that this might actually make
> things more secure as users will not be confused by multiple passwords.
> Hopefully, this will result in fewer post-it passwords.
>
> I can then thoroughly secure the workstations by deploying Bitlocker and
> forcing the screens to lock after a certain period of inactivity.  By
> securing the workstation I'm not noticeably inconveniencing users.  This is
> a bit of give-and-take, but a possible win-win.
>
> I'm wondering if anyone else has had similar troubles in the past.  Any
> creative solutions?  I've recommended terminating at least one person here,
> but I think my boss thought I was kidding ;-)
>
> --
> Chris O'Connell
> http://outlookoutbox.blogspot.com
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>


