Dear Users... (A thread for Sysadmin, Technical Support, and Help Desk people)

I like long passwords, preferably the CorrectHorseBatteryStaple kind. At my current job they have a password management system that will ask you to change your password every so often. This system limits the password to 8 letters, 2 characters and no punctuation... :rolleyes:

Funny thing is, it is possible to "circumvent" this system by changing your password using the ordinary Windows functionality. So I can have my 24 character password anyway.

At least IT doesn't ask for passwords. Not that I would tell them.

That's insane. Especially because in many cases an 8 character password is less secure than 7 characters, if NTLM is involved (and if they limit it, that suggests to me legacy software somewhere, which would make me suspect NTLM is still in use). It has to do with the way the hashes are broken up; basically it's 7-character chunks. That means an 8-char password has one char (the 8th) that only needs 26 attempts (36 with digits) to brute force. And knowing the last character can give a clue to the other 7.
 
I've never understood any modern software having a maximum complexity requirement on passwords.
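The 7-character split described above is the LAN Manager (LM) hash, which older Windows domains stored next to the NT hash. The following is an added example, not code from anyone in this thread: it implements the LM construction with Go's standard-library DES (the constant "KGS!@#$%" and the empty-half value aad3b435b51404ee are the documented LM values, not assumptions) and shows why the 8th character stands alone, plus the audit check a defender can run over a hash dump: a second half equal to the empty-half constant means the password is at most 7 characters, and any LM hash present at all means the "do not store LAN Manager hash value" policy is not in effect.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// Fixed plaintext each 7-byte half encrypts, and the ciphertext of an
// all-zero half: the second half of every password of 7 chars or fewer.
var lmMagic = []byte("KGS!@#$%")

const emptyHalf = "aad3b435b51404ee"

// desKeyFromHalf spreads 7 bytes (56 bits) over 8 DES key bytes,
// leaving the low bit of each byte for the parity bit DES ignores.
func desKeyFromHalf(h []byte) []byte {
	k := []byte{
		h[0] >> 1, (h[0]&0x01)<<6 | h[1]>>2,
		(h[1]&0x03)<<5 | h[2]>>3, (h[2]&0x07)<<4 | h[3]>>4,
		(h[3]&0x0F)<<3 | h[4]>>5, (h[4]&0x1F)<<2 | h[5]>>6,
		(h[5]&0x3F)<<1 | h[6]>>7, h[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHash: uppercase, pad/truncate to 14 bytes, split into two 7-byte
// halves, DES-encrypt lmMagic under each, concatenate (lowercase hex).
func lmHash(password string) string {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{p[:7], p[7:]} {
		c, _ := des.NewCipher(desKeyFromHalf(half)) // key is always 8 bytes
		enc := make([]byte, 8)
		c.Encrypt(enc, lmMagic)
		out = append(out, enc...)
	}
	return hex.EncodeToString(out)
}

// secondHalfIsEmpty flags a hash whose second half is the constant,
// i.e. an auditor can tell the password is at most 7 characters long.
func secondHalfIsEmpty(lm string) bool {
	return len(lm) == 32 && strings.EqualFold(lm[16:], emptyHalf)
}
```

With this, lmHash("password")[16:] equals lmHash("d")[:16]: the 8th character is hashed on its own, independent of the first seven, which is exactly the 26-way (36 with digits) guess the post describes.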
 
That's insane. Especially because in many cases an 8 character password is less secure than 7 characters, if NTLM is involved (and if they limit it, that suggests to me legacy software somewhere, which would make me suspect NTLM is still in use). It has to do with the way the hashes are broken up; basically it's 7-character chunks. That means an 8-char password has one char (the 8th) that only needs 26 attempts (36 with digits) to brute force. And knowing the last character can give a clue to the other 7.

Possibly links to an IBM z/Series box? I understand RACF still has an 8-char password field.
 
The reason Google's results are better than DuckDuckGo's is that Google knows you and knows what you're looking for.
I get better results from Google even when I'm using incognito mode. I'm pretty sure that a lot of Google's effectiveness is because they have more data and are better at mining it, in general. Even at the very beginning, before Chrome existed, before they knew much of anything about anyone, they were still a quantum leap forward in Internet search technology. The "I'm Feeling Lucky" button was a powerful demonstration of Google's baseline superiority to all other search engines.
 
I worked on one site where a three month job was over before I got an access card. And the person going on maternity leave never missed hers.

I had an experience like that, I was at a temp contract for about eight months and had to queue up at reception in the August heat in motorbike gear. One of my previous jobs was at a company that later went bust and this company wouldn't give me a pass without references from every employer in the last ten years.
 
I get better results from Google even when I'm using incognito mode. I'm pretty sure that a lot of Google's effectiveness is because they have more data and are better at mining it, in general. Even at the very beginning, before Chrome existed, before they knew much of anything about anyone, they were still a quantum leap forward in Internet search technology. The "I'm Feeling Lucky" button was a powerful demonstration of Google's baseline superiority to all other search engines.
Even using incognito mode, Google uses about twenty different parameters to tailor your search results. Without incognito mode, it's more like forty. If you're logged on, it's about a hundred or so.
 
Possibly links to an IBM z/Series box? I understand RACF still has an 8-char password field.

Nope. No such thing. It's a Windows-shop. That's why I can get away with using the ordinary Windows method for changing my password.

When I was onboarding I had to type my password on a keyboard in operations. While he didn't peek at my password he did comment on the length of my password. Something along the lines of "Holy crap that's a long password".

Yes. Yes it is. As an operations guy you should appreciate that.
 
Well today I learned that because of the latest reorg I get another new boss.

My fourth in as many years.

It's annoying because 1) I hate training new bosses and 2) I really really like this one I have right now.

:(

Bleah.
 
Yup.

Do you see any serious flaws in the recommendations?
Nope, none. These recommendations should be adopted everywhere, especially here where I work.

Actually I think biometric ID would be better than any kind of password, but if you've got to have passwords, do it right.
 
I don't know about you, but I really love being talked over while I'm trying to explain something.

I hung up on one crisis call. It wasn't my then current line of work but an area I'm very strong in so senior managers asked me to join the call. Every time I started explaining how to fix it someone would talk over me "This is a big issue for us...". I recall saying "Oh for god's sake" and hanging up. A manager recalls me saying something stronger. I dialled back in after a minute and said something about the mute function on my new phone apparently not working and this time was allowed to tell them how to solve the urgent problem that was somehow less urgent than each person's need to announce their presence.
 
Nope, none. These recommendations should be adopted everywhere, especially here where I work.

Actually I think biometric ID would be better than any kind of password, but if you've got to have passwords, do it right.

No! This is a lie that smart phone and laptop makers have been pushing on the public for years now.

Biometrics should be used only for authentication, that is, showing you are who you claim you are. It's the "user name" part of a user name/password pair. They should not be used for authorization, that is, granting you access to systems.

Why? You have only one fingerprint or face. If people who aren't you figure out how to bypass the biometrics, they have complete access to the system and you can't lock them out. ("Sorry, George, the Cardassians have figured out how to bypass the retina scan and can now access Starfleet's weapons systems. We'll either have to revoke your access completely or gouge your eyes out.")

A better approach is to use biometrics for authentication and a secure token for authorization. That way if the authentication part is compromised, the authorization token can be revoked and re-issued.
 