[personal profile] billroper
Apparently, the latest upgrade to the Oracle system here at work that I need to use to enter my expenses has "improved" the integrity of our passwords. The password may not contain a common word. The password may not contain any double letters. The password must contain at least one number, but cannot consist of all numbers.

In short, the password must be taped to your monitor, because there is no prospect that you will ever remember it.

Date: 2005-11-23 01:33 am (UTC)
From: [identity profile] greenmansgrove.livejournal.com
I always tell my clients to choose passwords that are at least 7 characters long, contain at least one capital letter, one lower case letter, and one number or special character.

I then go on to tell them to choose a phrase that they won't forget, like "There is nothing to fear but fear itself". From that, I take the first letter from each word (tintfbfi) and then do a couple of letter/number replacements, to get something like t1n2fbf! I also tell them to choose a letter to capitalize, and suggest (but don't generally insist) that it not be the first letter. (t1N2fbf!)

That way, while you're following all the rules of strong passwords, you've also got something that's relatively easy to remember in the first few days because of the mnemonic. It's still more awkward than a password like (light), but it's a lot stronger, too. After the first few days of typing it in, muscle memory tends to take over anyway. I have clients with passwords like that that can't tell me what their password is, but they can type it quickly and easily. Which is the way it SHOULD be.

Date: 2005-11-23 03:27 am (UTC)
From: [identity profile] pheltzer.livejournal.com
We have similar rules at our company... but we have to change passwords every 30-90 days depending on the system. I have about 4 "secure" passwords that I cycle through, but some of the systems require that you can't reuse a password that was one of your last 5 passwords, which means I need to have 6 passwords, and I can never remember which one I'm on. Oh and of course none of the passwords expire at the same time so at any given point I'm probably using 3-4 of my passwords and trying to remember which goes with which system.

Single sign on is a double edged sword. It would make my life so much easier if I could sign in once and be good for everything I need access to... but if someone manages to hack one of my passwords then they have access to everything. It's a conundrum.

Date: 2005-11-23 04:14 am (UTC)
From: [personal profile] alicebentley
I figured there was at last a use in this world for l33t.

Date: 2005-11-23 03:01 pm (UTC)
From: [personal profile] poltr1
In short, the password must be taped to your monitor, because there is no prospect that you will ever remember it.

Which, as you and I know, defeats the purpose of so-called "strong" passwords.

How many pointy-haired bosses out there still put their passwords in plain sight, or hide them under the keyboard?

One of the bank systems I was on at my last computer job had even more stringent rules: Not only could the password use double letters, it wouldn't allow letters repeated in the password! (In other words, "babylon5" was out because it repeated the "b".) And the current and subsequent passwords could not repeat any letters in the same position.
(Example: "baldric1" could not be followed by "milkwe3d" because the "l" in the third position was repeated in the two passwords.)

The reason for all this security? So that it will thwart the black-hat crackers out there using password-cracking programs with large dictionaries.

P.S. I write mine down on a small Post-It(tm) note and stick it in my wallet.

Date: 2005-11-23 03:58 pm (UTC)
From: [identity profile] tigertoy.livejournal.com
It's hard to do anything but roll my eyes.

I am fortunate in that when I've bumped into an asinine password policy, it's always been in a place where I either had root privileges or knew someone who did, and was able to use them to put in place an acceptable-to-me, memorable password.

If it helps...

Date: 2005-11-24 04:42 am (UTC)
From: (Anonymous)
...I cycle through about 10 words, which are (originally) in other languages (I have to leave out accent marks, and so forth). I then break the word into two "syllables," and then type in the number, hold shift, and type the number again (thus getting the special character). The only thing I don't tend to do is use caps.

For example (and I've never used this one) jet6^aime

Happy Thanksgiving.

Date: 2005-11-27 01:51 am (UTC)
From: [identity profile] jalapenoman.livejournal.com
It helps that I am surrounded by placenames at work. (Dispatcher, go figure.) Get a map, and do a number letter substitution. Someone trying to guess your password won't be able to pick it out, but odds are, the map will trigger your password name.......
