Long Passwords = Less Security

How crappy is your IT?

Published on December 28, 2006 By greywar In Personal Computing

For the folks who don't know : I have moved job sectors and am back in government services again. Specifically I am maintaining the TLA stacks for the Army's NIPR (just read that as internet) connected istallations. As such I have many accounts (somewhere around 100) on many different computer systems. The Army has recently moved to a new password system that requires a 15 character password with 2 uppercase letters, 2 lower case letters, 2 numbers, and 2 special characters included. Further more most of these accounts require the passwords to be auto-generated and do not allow the user to change or set their own passwords. End result? 100 15 character passwords that are written down in the top drawer of my (and every other employee here) desk.

Many of my co-workers actually maintain digital copies of these passwords in Excel as well and even email this back to their non-work email accounts for occasional telecommutes via VPN tunnel. In short the Army has garnered far more security vulnerabilities with this policy than it closed. Previously most accounts followed an 8 character rule and allowed users to set their own passwords. This usually meant that most accounts for one user used the same or similar passwords. If you got that one password you could do a lot of damage but the likelihood of compromise was greatly decreased since most users can remember one 8 character password.

Now every cleaning-lady we have in here after hours automatically has access to thousands of individual accounts on critical DOD hardware. Brilliant.

Comments (Page 1)

Bichur

on Dec 28, 2006

Military Intelligence

n. - oxymoron -- (conjoining contradictory terms (as in `deafening silence'))

(I did a half-life)

greywar

on Dec 28, 2006

Good lord that the joke never gets old... wait thats a lie, it was old for me a long long time ago....

crimson

on Dec 28, 2006

We had 4 separate systems that changed passwords quarterly, each one month after the other. Uppercase, lowercase, 1 numeral, and 1 special character had to be used. If you used the wrong password more than 3 times in the same day, it would have to be reset by an outside IT group. It was awful, but we were allowed to make a choice. But that choice had to fall under certain patterns. You could never reuse the same word, the same number, the same special character in the same pattern again. You couldn't use the same pattern on the 4 separate systems.

It made me dizzy just writing this out, but the reality was, after months of it, you would never have to write down your passwords. It would just come automatically. Because you used your passwords on an almost daily basis, you never had to actually think about the password, your fingers would just 'remember'. The only time it became a problem is if you went on holidays. Then you were screwed.

greywar

on Dec 28, 2006

It made me dizzy just writing this out, but the reality was, after months of it, you would never have to write down your passwords. It would just come automatically. Because you used your passwords on an almost daily basis, you never had to actually think about the password, your fingers would just 'remember'. The only time it became a problem is if you went on holidays.

That is true of the one password that I uses hundreds of times a day but totally untrue of the ones that don't see daily use. Once you go beyond 2 or 3 passwords even daily use won't help your fingers anymore especially when you dont get to choose the passwords at all.

Fuzzy Logic

on Dec 28, 2006

Long passwords can be good - if it is a phrase or saying you can remember. The size can be limitless and it never needs to be written down.

Some password policies are just plain stupid and asking for security breaches. Passwords which are impossible to remember are the complete opposite of what is required.

We don't have a policy as such, but the folks here are too predictable. I can guess most employees' passwords in just a few attempts...

lifehappens

on Dec 28, 2006

I agree with you. I have multiple emails, and various accounts that seem to have all decided to upgrade the security. The upper/lower/number/special characters are a pain in the ass. It's not too bad, but only becuase I have a formula that I use to remember the passwords...

anything that is randomly generated.....ends up getting written down. sigh.

Jafo

on Dec 28, 2006

Sounds like it's time for finger-print readers....

seldomseen

on Dec 28, 2006

retina-scanners? Saw 'em at COMDEX in Las Vegas a few yrs. ago and thought they were pretty cool...

MasonM

on Dec 28, 2006

Biometrics would solve the problem and avoid a bunch of written passwords.

They have the right idea as far as password construction goes, I use a similar formula for my critical passwords, but I still create a password pattern that is easy for me to remember without having to write them down.

Sturgee

on Dec 28, 2006

I'm lucky in that I'm only using 4 systems, and 3 of the 4 have the same user ID. Not sure why they decided to change it for the 4th, but alas, so sayeth the government lords. I'm able to have the same password, that I choose, for 3 of the 4, so that isn't too bad either.

But, I ALSO have to log into about 10 different online databases, analysis tools, and community pages. And each of these, because they are created/maintained by some different entity, have different password requirements. Like you, the 2 or 3 that I use daily are no big problem, but the others that I only use occassionally, are a pain in the ass.

So, like you, I have a little cheat sheet with all of my passwords on it. I hate having to do it, but after I got locked out of a couple of the tools, and had to call "somebody" to get it unf*^ked, I have resorted to weak security.

Daiwa

on Dec 29, 2006

I wonder if having a "multiple-password" system would be any more secure. It would certainly be more operator-friendly. I use and can remember 3-4 8-character passwords fairly easily - I usually base them on something memorable I've read or some bit of remote personal history nobody else would be likely to know or guess, often using differing sequences of a set of 4-character blocks. It would be a little bit of a pain, but having to input 2 or 3 different passwords in succession would make the likelihood of compromise pretty low, I would think, since they wouldn't need to be written down anywhere. I'd think you could use the same set of passwords for multiple systems fairly securely if that were the case.

Then again, fingerprint or iris-scan technology is getting to be pretty inexpensive. But, I've always wondered how a system is authorized to recognize the "first" one - the "keys to the keys" problem.

My brain is starting to hurt so I'll quit now.

Gideon MacLeish

on Dec 29, 2006

I've never understood the mentality that auto generated passwords are more secure. While certain people have suggested keeping PW's in a folder with an inconspicuous name, if they're written down anywhere, they can be easily compromised.

Bottom line: if someone really, REALLY wants into your somputer, they're getting in. The only way to make the Internet more secure would be to make it less convenient.

Dr Guy

on Dec 29, 2006

We have the same thing at my work (not hundreds thankfully, but about a dozen). We are forced to change them at 30, 45, 60 and 90 days! And none talk to the others, so yes, I have to keep them written down! (just not taped to the bottom of my KB). They think they are being so secure! No, just jacking off and smiling that they are APA compliant! In point of fact, they are far less secure than if they did not have an expiration policy!

SirSmiley

on Dec 29, 2006

This so reminds me of the "bosco" thing from Seinfeld.

I really wonder why in a DOD facility you're only using passwords alone and not key files or something else? I'd like to believe that it's because the data at your disposal isn't deemed as highly sensitive but, I'm not that naive.

greywar

on Dec 29, 2006

really wonder why in a DOD facility you're only using passwords alone and not key files or something else? I'd like to believe that it's because the data at your disposal isn't deemed as highly sensitive but, I'm not that naive.

Actually to access the source machine you need to have a CAC, password, and a physically separate RSA key generator. Not so for many of the remote machines though.

Welcome Guest! Please take the time to register with us.
There are many great features available to you once you register, including:

Richer content, access to many features that are disabled for guests like commenting on the forums.
Access to a great community, with a massive database of many, many areas of interest.
Access to contests & subscription offers like exclusive emails.
It's simple, and FREE!