You hate them. I hate them. Everybody hates them.
Use three of the following four types of characters: upper case, lower case, certain (but not all?) “special characters”, and a number.
You cannot use your last five passwords. Your last ten. Your last 20? Really? Really?!!!!!!!!!!!!!! I can’t even remember my past two. Grrrrrrrrrrr!
Change your password every 90 days. 60 days. 30 days? Ten days?!!! C’mon man! I only use some sites once a month and have to change the password when I do! Aaaargh!
Your password cannot contain any part of your login ID, first name or last name.
If you have any other ones, feel free to toss them up here as a comment.
IDs and passwords for the network at the office, our computer at home, database systems at the office, our phones, our voice mail, our social media accounts. Things we use everyday. Things we rarely use.
So what do we do? Either we have our device remember the password, which works well until the next time you have to reset it. Or we write it all down on a Post-It note on a Word document on our computer. These methods, even though we resort to them ourselves at times, drive us IT folks nuts. It contradicts everything we know about security.
You could opt for an internet-based password vault service, like Iron Stratus or LastPass, to securely hold the links to your web-based systems on a web site, but to get to that, you have to log in to your computer or network and then log in to the service. So if every system you have is web-based, you are down to two passwords with the same ludicrous rules. These services give you access to all your sites, login IDs and passwords from any internet-connected device. You could buy a similar program for your computer.
The requirement for “secure” or “strong” passwords is understandable. I recently read an article that went something like this:
If your password contains ten characters, it would take hackers perhaps just over 19 years to try every possible combination of 10 characters, assuming the hackers have enough computing power to mount a 100-billion-guesses-a-second effort to break the encryption.
This “brute force” method to obtain your password is one of many common attacks.
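The arithmetic behind that “19 years” figure, worked out as an added example (not code from the original post): it counts the search space for a given length and set of character classes at the 100-billion-guesses-a-second rate quoted above, and checks a password against the “three of four character types” rule from the policy list. The split of the 95 printable ASCII characters into four classes is an assumption.

```python
"""Brute-force search space vs. password policy (added example)."""
import string

# Assumption: the four policy classes are this split of printable ASCII (95 total).
CLASSES = {
    "lower": set(string.ascii_lowercase),            # 26
    "upper": set(string.ascii_uppercase),            # 26
    "digit": set(string.digits),                     # 10
    "special": set(string.punctuation) | {" "},      # 33
}
ALL_CLASSES = tuple(CLASSES)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(classes):
    """Number of distinct characters available from the chosen classes."""
    return sum(len(CLASSES[c]) for c in classes)


def keyspace(length, classes=ALL_CLASSES):
    """Strings of exactly `length` over the union of `classes`.

    An attacker must try this many to be *certain* of a hit; a random
    password is found after half of them on average."""
    return alphabet_size(classes) ** length


def years_to_exhaust(length, classes=ALL_CLASSES, guesses_per_second=100e9):
    """Wall-clock years to enumerate the whole keyspace at the given rate."""
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_YEAR


def classes_used(password):
    """Which of the four policy classes appear in `password`."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)}


def meets_three_of_four(password):
    """The page's rule: at least three of the four character types."""
    return len(classes_used(password)) >= 3


if __name__ == "__main__":
    print(f"10 chars, all 4 classes : {years_to_exhaust(10):8.1f} years")   # ~19
    print(f" 8 chars, all 4 classes : {years_to_exhaust(8) * SECONDS_PER_YEAR / 3600:8.1f} hours")
    print(f"16 chars, lower-case only: {years_to_exhaust(16, ('lower',)):8.0f} years")
    print("Abc123xyz meets rule:", meets_three_of_four("Abc123xyz"))
```

Note that 16 lower-case letters give a larger search space than 10 characters drawn from all four classes, which is why length does more for you than the class rules. A list of the most common passwords, like the one mentioned below, is tried in a fraction of a second at that rate.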
You can actually find lists of the most commonly used passwords and try those. Here’s a link (note: Some people apparently use offensive language for a password! This is most likely a result of some of the items that started this post.).
The “bad guys” also use phishing e-mails to get login credentials from folks. Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. In this scenario, thousands and thousands of e-mail messages are sent to unsuspecting folks out there. The e-mail asks that you send your user name and password to them to verify your identity. Some are so bold as to ask for your account numbers, SSN, DOB,…. It only takes one person to respond to one of these e-mails to make it worthwhile for the folks to continue the practice.
Many passwords, like the one on Sarah Palin’s infamously hijacked Yahoo account, are compromised using social engineering. It goes like this… If you can find out certain information about people, you can figure out their passwords. The items most commonly used as part of a password are a pet’s name, a child’s name, the last four digits of a phone number, the last four of an SSN, date of birth, birth year, and the house number from your address. I can hear you thinking, “That’s what I use.” The list goes on. So you find this stuff out from somebody’s social media profile, on-line phone directories, public records,… and start trying combination after combination.
Recently we have gained an added layer of security with the addition of “secret questions” that only you know the answer to. What was the last name of your first grade teacher (What if somebody that went to my school is trying to hack my account?)? What’s the name of your first pet (What if your spouse is trying to access your e-mail account?)? What’s your father’s middle name? Your mother’s maiden name? If a train leaves New York going west and one leaves Chicago going east at exactly the same time, where will they meet? What’s the land speed velocity of a coconut-laden swallow? OK. Aside from the last two, the previous point on social engineering applies.
I swear there are days I wish I just had a retina scanner, QR code or bar code tattoo, or an embedded chip to make it simple to verify my identity.
0 Responses to “Password Rules and Policies — You Gotta Be Kidding Me”