Skeptical of Computer Security Advice

Yes, but "don't write it down" is hard to enforce. Password strength and frequency of change are automatically enforced. "Don't write it down", not so much.

Writing it down isn't so bad. Just don't think you're super clever by hiding the post-it under your keyboard or in your drawer: keep it in your wallet, and your wallet on you.
 
Indeed. I was helping a client to recover from a virus outbreak recently. Despite using Microsoft Forefront, and having a design/implementation validated by Microsoft, the little bugger spread around their network faster than Surprised Little Kitten........
Not someone I'll take security advice from.

Oh oh that be bad, really?

I am sorry to read that, my school district is switching to Forefront...doom...dooom.
 
Writing it down isn't so bad. Just don't think you're super clever by hiding the post-it under your keyboard or in your drawer: keep it in your wallet, and your wallet on you.

Of course it's terrible. When you lose your wallet you've lost your passwd and cards used for a two-factor.

I don't have anything more than anecdote to back this opinion up but my opinion is that requirements for frequent password changes and password complexity simply force people to write their passwords down.

Quite true, but the other problem is that ppl generally can't select hard passwds and then remember them. It leads to really bad approaches like making all passwds the same or minor variants. I spoke w/ two different ppl, unrelated, who didn't know each other and both said that for the forced password changes at work they used the month plus digits, April12345, May12345 ...

If it is for things that might involve money (a site that I order stuff from) or accesses my reward points, it is the same as above plus a couple of characters derived from the name of the site.

Which means you use low-entropy low-quality passwords.

If it is for my on-line banking, or my e-mail or my hosting co, or otherwise involves real money, it is randomly selected from the entire set of 255 ASCII characters and is at least 8 characters long.

There are 128 ASCII characters, of which 33 are not printable. I somehow suspect you don't realize how hard it is to memorize 8 character RANDOM sequences for each account.

If I am at a client site with an IT policy that forces me to change the pw on a regular basis, I work through the larger words in a corporate document I have pinned to my workstation. ;)

Common words are not acceptable passwords - not even close.
 
I tend to use 8 or 10 ten letter strings made up of the initial letters of the words from my favourite lines in books or songs, with the odd number thrown in. Pretty easy to remember. And then if someone did find my note that my netbook is my Rammstein machine, for example, it wouldn't help them much.
 
<snip>

Which means you use low-entropy low-quality passwords.

Yes, I do and I explained why I accept this. :confused:

There are 128 ASCII characters, of which 33 are not printable. I somehow suspect you don't realize how hard it is to memorize 8 character RANDOM sequences for each account.
Hyperbole my dear friend. Hyperbole. WRT "suspect you don't realize how hard it is to memorize 8 character RANDOM sequences for each account"? Why would you suspect that? I've just told you I did it. I write them down somewhere safe and let Mozilla's password manager (and equivalents) do the managing. If I need to find one, I know where to look.

Common words are not acceptable passwords - not even close.
So what? Someone is going to hack my e-mail account inside the corporate firewall? I don't lose much sleep over that possibility.

:th:
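The two posts above argue about how much a "random 8 character" password is worth compared with the month-plus-digits scheme mentioned earlier. As an added illustration (not code from anyone in this thread), the script below puts numbers on both: it computes the entropy of each scheme from an explicit keyspace model, converts that into worst-case offline guessing time, and includes the kind of pattern check a password policy would use to reject month-plus-digits passwords. The keyspace sizes for the month scheme (12 months times a five-digit suffix) and the initials scheme (uniform lowercase letters, an upper bound) are modelling assumptions, not figures from the thread.

```python
import math
import re
import secrets
import string

# 94 printable ASCII characters excluding space. (Of 128 ASCII codes, 33 are
# control characters; the remaining 95 printable ones include the space.)
PRINTABLE_NO_SPACE = string.ascii_letters + string.digits + string.punctuation

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Month name (full or 3-letter abbreviation) followed by digits, e.g. "April12345".
MONTH_DIGITS_RE = re.compile(
    r"^(" + "|".join(m[:3] + r"(?:" + m[3:] + r")?" for m in MONTHS) + r")\d+$",
    re.IGNORECASE,
)


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def keyspace_bits(candidates: int) -> float:
    """Entropy in bits of a password drawn uniformly from `candidates` possibilities."""
    return math.log2(candidates)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second


def matches_month_pattern(password: str) -> bool:
    """Policy check: reject passwords of the form <month><digits>."""
    return MONTH_DIGITS_RE.match(password) is not None


def random_password(length: int = 12, alphabet: str = PRINTABLE_NO_SPACE) -> str:
    """Generate a password with a CSPRNG, e.g. for storage in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Entropy of the schemes discussed in the thread. Keyspace sizes are assumptions."""
    return {
        # 12 month names x 10^5 five-digit suffixes, suffix not known to the attacker.
        "month+5digits, suffix unknown": keyspace_bits(12 * 10**5),
        # Once the fixed suffix is known (one old password leaked), only the month varies.
        "month+5digits, suffix known": keyspace_bits(12),
        # 10 lowercase initials + one digit; upper bound assuming uniform letters.
        "10 initials + 1 digit (upper bound)": bits_of_entropy(26, 10) + keyspace_bits(10),
        "8 random printable ASCII": bits_of_entropy(len(PRINTABLE_NO_SPACE), 8),
        "12 random printable ASCII": bits_of_entropy(len(PRINTABLE_NO_SPACE), 12),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:40s} {bits:5.1f} bits  "
              f"{seconds_to_exhaust(bits, 1e10):.3g} s at 1e10 guesses/s")
    print("April12345 rejected by policy:", matches_month_pattern("April12345"))
    print("generated:", random_password())
```

The point the numbers make is the one the thread circles around: once an attacker has seen one password from a month-plus-digits scheme, the next one has about as much entropy as a coin flipped a few times, whereas a random 8 character printable password sits above 50 bits and a 12 character one near 79. The guessing-rate argument only applies to offline cracking of a leaked hash; an online login with lockout is a different threat.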
 
There are 3rd party apps that let you manage lots of varied and cryptic passwords, if you feel like those help you.
 
The problem of changing the password on a regular basis is the following: people switch it to an easily recognizable and naturally easily guessable password, *OR* put it on a post-it.

Time and time again it has been demonstrated that having a single strong password for a long time (lower+uppercase+digits+punctuation) is much better than forcing a password change every 6 weeks or 3 months. Read what R. Staleman has to say on the subject.
 
Of course it's terrible. When you lose your wallet you've lost your passwd and cards used for a two-factor.


I find that people are less apt to lose their wallet (and their ID, traincards, license, social security, etc) than a random post-it stuck to their laptop or below their keyboard. I'd prefer users used an 8+ character complex password that's on a note inside their wallet which is on them, than force a password change every 3 months which ends up in users creating variations of ".Password1!"
 
It's worth considering that there are different types of passwords, and these have different types of security considerations.

There are personal passwords, which should be known only to one person, such as the password to your user account. There's no point in changing these often: if someone is shoulder-browsing or logging keystrokes, it's not going to matter if the password is three years old or three days old. Regular changes might actually serve to lessen the security by having people use less secure passwords or writing them down. Frequent demands for password changes also make some forms of phishing and social engineering attacks easier.

Then there are passwords that need to be shared among a group -- the system administrator password on a large network, the BIOS password used on the company's laptops, the password to the support account on a supplier's web page. These passwords need to change frequently, since it's hard to always perfectly manage and control who is given the password, and because people move from the "need to know" group to the "don't need to know" group (and sometimes into the "really, really shouldn't know" group.)

Then there are passwords which are used by computer systems. They're a bit like the mad cousin nobody likes to talk about. For systems to work and do anything useful, they often need access to other systems -- databases, back-end systems, file servers, third-party services, the works -- and often the only practical way is to put the required passwords into the system's configuration files. If you're lucky, they'll be obfuscated, but nine times out of ten they're stored in plaintext (and obfuscation isn't hard security either). As managing configurations of multiple systems quickly turns into a non-trivial task, you end up with passwords that are potentially known to many people: everyone who's responsible for the given system, system administrators of the computers the system runs on, backup administrators, anyone with physical access to the computer, anyone with physical access to the backup media, anyone with physical access to the old storage media -- and that's assuming the security systems work properly, which they rarely do 100%. (For one thing, once there are problems with getting a system to work, configuration files tend to fly back and forth in e-mails.) Further, once a password is put into a configuration file anywhere, it becomes a right bitch to change, since it means changing all the places it is used. So people don't change them.
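The post above describes the third class of password, the credential that ends up in plaintext in a configuration file and is then never rotated. As an added example (not code from the poster or from any product mentioned in the thread), the script below shows the two things a team can do about that: a small scanner that flags credential-looking keys with literal values in config text, while letting through values that only reference an environment variable, and a loader that pulls the secret from the process environment at start-up so the file never has to contain it. The sample configuration is constructed for the example; the key names it matches (`password`, `secret`, `api_key`, `token` and variants) are an assumed list, not a standard.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample config for the example; not taken from any real system.
SAMPLE_CONFIG = """\
# constructed sample config, not from any real system
[database]
host = db.internal.example
db.password = hunter2
[api]
api_key = ${API_KEY}
token: abc123def
"""

# "key = value" or "key: value" where the key looks credential-related.
CREDENTIAL_LINE_RE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.\-]*)"
    r"\s*[:=]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Values that only point at an environment variable: ${NAME}, $NAME or %NAME%.
ENV_REFERENCE_RE = re.compile(r"^(?:\$\{\w+\}|\$\w+|%\w+%)$")


def mask(value: str) -> str:
    """Keep the first two characters so a finding can be recognised without re-leaking it."""
    return value[:2] + "***"


def find_plaintext_secrets(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, masked value) for every credential stored literally.

    Lines whose value is an environment-variable reference are not reported,
    since the secret then lives in the process environment rather than the file.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank or comment line
        match = CREDENTIAL_LINE_RE.match(line)
        if match is None:
            continue
        value = match.group("value")
        if ENV_REFERENCE_RE.match(value):
            continue
        findings.append((lineno, match.group("key"), mask(value)))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a secret from the environment (or a supplied mapping) and fail loudly if absent.

    Failing at start-up is preferable to falling back to a default baked into the code.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise LookupError(f"required secret {name} is not set in the environment")
    return value


if __name__ == "__main__":
    for lineno, key, masked in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} holds a literal credential ({masked})")
    # A deployment would set API_KEY in the service's environment (e.g. via the
    # init system or orchestrator); here we show only the lookup path.
    try:
        print("API_KEY loaded:", bool(load_secret("API_KEY")))
    except LookupError as exc:
        print("start-up would abort:", exc)
```

Running the scanner over a repository's config directory in CI turns the "nobody changes them" problem into a visible finding each time a literal credential is committed, and moving the literal into the environment makes rotation a matter of changing one deployment variable rather than editing every copy of the file.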
 
