Reader Comments (rss)

(Flattened / Threaded)

1.  

   not just PHB

   

   westpac, Oct 8th, 2003 @ 4:48am

   
   

   I just had a new employee last week demand to know why she couldn't use her username as her password because it's "easy to remember." I pointed out that "easy to remember" also means "easy to figure out" to someone cracking a system. She used to be a government muckity-muck out here and forgets that she's on the contractor side of the house now. She went to my boss's boss and complained and then my boss gave me the "be accomodating" speech so I told him as long as he wanted to be the one to explain our violating DoD computer security standards to "be accomodating" I had no problem with it. After he explained it to her she started in with the "when I started out here..." speech. When she started out here the only computer on the arsenal filled a building the size of an aircraft hangar and was one of about only ten supercomputers in the country and her "experience" with it was as a keypunch operator.

   [ reply to this | link to this | view in thread ]

2.  

   Net Administrators are to blame ...

   

   AMetamorphosis, Oct 8th, 2003 @ 6:22am

   
   

   It happens ( people using obvious passwords ) because pointed headed net administrators fail to remember that we as users are FORCED to remember umpteem bazillion passwords for everything. On top of that we are forced to changed them far too many times in a year. Here is just an example: I need DIFFERENT pass codes to enter my home, my office, my workstation at the office, 3 different applications I use daily, my bank's debit PIN, my banks website access, my credit cards website, my credit card PINS, my voice mail on my cellular phone ... these are just the ones I can think of off the top of my head. Net Administrators end up thwarting security simply because people get tired of repeatedly changing these codes every month, not being able to use a previous code for at least 12 uses, forcing us to use a combination of symbols, capital letters, small letters & numbers. As a result, people look for the least painful method of complying. Much of the time the Net Administrators do not realize that the level of security they are requesting is not needed in all instances.
   I've come up with a solution that works for me. I pick 4 letters, 4 numbers & 4 symbols and ONLY use a combination of these. As a result, yes, occasionally I lock myself out of one of the items, but generally since I know it will only be a choice of 4 I can usually figure it out.
   As to the bigwigs, they don't give a hoot because there will always be a pointy headed tech nerd in training to reset the pass code for them.

   [ reply to this | link to this | view in thread ]

3.  

   Re: Net Administrators are to blame ...

   

   pointy head administrator, Oct 9th, 2003 @ 6:45am

   
   

   Pointy head administrators force you to use difficult passwords because most users will pick something so incredibly stupid for a password, like their kid's name or favorite sports team, that a little social engineering makes their system vulnerable. You may not think the level of security is necessary but you're not the one trying to keep your company's machines from being broken into or hijacked. My users bitch all day about all the patches we have to install for Windows and Internet Explorer but it's nothing compared to the bitching they'll be doing if their system crashes because of a security flaw that wasn't patched.
   
   So you have to remember a difficult password. Big deal. Your network admin is doing his job so you can do yours.

   [ reply to this | link to this | view in thread ]

4.  

   Re: Net Administrators are to blame ...

   

   AMetamorphosis, Oct 9th, 2003 @ 7:13am

   
   

   You missed my point: Its the frequency of change & excessive complication that net admins make us change these passwords that cause people to become lazy and use the least painful method of complying. I throughly agree with you about the security for things that must be secure, but not everything needs to be as secure as you seem to think. As a result the net admins end up pissing off the employees to the degree where they just slap a post it on the monitor with the password, making social engineering a mute point. One walk around my office and I can sign into @ least 5 workstations WITHOUT even having to try and guess passwords because of disgusted employees who use post its.. Besides, since the password we are forced to chose are so obscure and unrelated to ANYTHING in our lives, we tend to forget them. If security is that important to you as a net admin, choose biometrics because my thumbprint isn't going to change and I don't have to try to remember 3r5^Gj((lLm to sign on.

   [ reply to this | link to this | view in thread ]

5.  

   Re: Net Administrators are to blame ...

   

   PHA, Oct 9th, 2003 @ 8:54am

   
   

   No I didn't miss your point. Have you ever seen some of the hacking tools available to crack passwords? The key is to make it as difficult as possible to crack passwords. Unfortunately it comes down to that "some people can't obey the rules so we have to punish everybody" routine. We had a network audit here a few months back and the auditors were astounded at the number of Win2K systems with blank admin passwords. This is an open invitation to get hacked and often happens.
   
   As to the post-it passwords, yeah, that's where the system breaks down. My former boss had a 5x7 index card with every username and password for every account he had on anything taped to his desk under his mousepad. This is why you have to force users to change passwords frequently and not recycle them because you never know who has copied those down in case they ever get fired.

   [ reply to this | link to this | view in thread ]

6.  

   Re: Net Administrators are to blame ...

   

   AMetamorphosis, Oct 9th, 2003 @ 11:00am

   
   

   Nice to have an intelligent debate :-)
   Cheers !

   [ reply to this | link to this | view in thread ]

7.  

   Re: Net Administrators are to blame ...

   

   Andy, Oct 9th, 2003 @ 11:52pm

   
   

   Well I must have an intelligent boss then as he uses his surname and not his firstname for his password :-)
   

   [ reply to this | link to this | view in thread ]

Add Your Comment