On 20/08/2011 12:03 PM, Warp wrote:
> Orchid XP v8 <voi### [at] devnull> wrote:
>> Our network stores the last 12 passwords. Stupidly, it enforces a
>> *minimum* password age of 1 day. So, like, if your password is
>> compromised the day you change it, you cannot change it until tomorrow. WTF?
>
>> The idea, of course, is that you can't enter 12 passwords and then go
>> back to your original password. As if *anybody* dumb enough to work here
>> would realise they could do that.
>
> The solution to both problems is really obvious: Make the waiting time
> progressive rather than fixed.
That would work.
> Why do not developers understand trivial solutions like this?
Myself I'd probably just follow the Keep It Simple principle; no minimum
password age at all. As I say, very few people are smart enough to
realise that the system can be abused this way. Heck, most people just
/assume/ that the system keeps all passwords forever. They don't know
that 12 is our magic number.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
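An added sketch, not part of any poster's message, comparing the three options raised so far: no minimum password age, the fixed 1-day minimum, and a progressive wait. The thread does not say how "progressive" would work, so the doubling schedule, the 30-day quiet period and every name below are assumptions made for the illustration.

```python
from dataclasses import dataclass

DAY = 86400
HISTORY = 12        # from the thread: the last 12 passwords are remembered
QUIET = 30 * DAY    # assumed: a change made after 30 quiet days clears the streak


@dataclass
class Account:
    policy: str          # "none", "fixed" or "progressive"
    history: list        # newest last; plaintext only because this is a toy model
    last_change: int = 0
    streak: int = 0      # changes made in quick succession

    def wait_required(self):
        """Seconds that must pass after the last change before the next one."""
        if self.policy == "fixed":
            return DAY
        if self.policy == "progressive" and self.streak:
            return DAY * 2 ** (self.streak - 1)   # 1, 2, 4, ... days (assumed schedule)
        return 0

    def change(self, new_pw, now):
        gap = now - self.last_change
        if gap < self.wait_required():
            return "too soon"
        if new_pw in self.history:
            return "reused"
        self.streak = 0 if gap >= QUIET else self.streak + 1
        self.history = (self.history + [new_pw])[-HISTORY:]
        self.last_change = now
        return "ok"


def days_to_recycle(policy):
    """Days needed to burn through HISTORY throwaways and get the original back."""
    acct, now = Account(policy, ["original"]), 0
    for pw in [f"throwaway{i}" for i in range(HISTORY)] + ["original"]:
        now = max(now, acct.last_change + acct.wait_required())
        assert acct.change(pw, now) == "ok"
    return now // DAY


def emergency_change(policy):
    """Routine change on day 40, then a forced change one hour later."""
    acct = Account(policy, ["original"])
    acct.change("routine", 40 * DAY)
    return acct.change("after-compromise", 40 * DAY + 3600)
```

Under these assumptions, cycling back to the original password takes 0 days with no minimum age, 13 days with the fixed minimum and 94 days with the progressive wait, while only the fixed minimum blocks the same-day emergency change.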
Orchid XP v8 <voi### [at] devnull> wrote:
> Myself I'd probably just follow the Keep It Simple principle; no minimum
> password age at all. As I say, very few people are smart enough to
> realise that the system can be abused this way. Heck, most people just
> /assume/ that the system keeps all passwords forever. They don't know
> that 12 is our magic number.
Security by non-disclosement isn't a good strategy either. It would be
like arguing "nobody is going to hack our password database if we don't
tell anybody in which directory it's located".
(Yes, I know this is not a question of hacking or the users being
malicious and potentially causing mayhem. However, I see no reason to
not prevent even "innocent" abuse of the system.)
--
- Warp
On 8/20/2011 3:44, Orchid XP v8 wrote:
> As if *anybody* dumb enough to work here would realise they could do that.
Uh.... you work there?
> What it /does/ mean is that if I reset somebody's password, I can't reset
> it, let them log back in, and then have them change it again.
You're doing it wrong. Assuming you're talking Windows, I believe there's a
checkbox that says "Must change password on next login".
--
Darren New, San Diego CA, USA (PST)
How come I never get only one kudo?
On 20/08/2011 03:39 PM, Darren New wrote:
> On 8/20/2011 3:44, Orchid XP v8 wrote:
>> As if *anybody* dumb enough to work here would realise they could do
>> that.
>
> Uh.... you work there?
And what does that make me?
>> What it /does/ mean is that if I reset somebody's password, I can't reset
>> it, let them log back in, and then have them change it again.
>
> You're doing it wrong. Assuming you're talking Windows, I believe
> there's a checkbox that says "Must change password on next login".
...and that checkbox is frequently the *reason* I'm having to manually
reset the password in the first place. If the user's password expires,
and they only access our network via the VPN, they don't get the warning
to change password. They just get silently locked out.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
On Sat, 20 Aug 2011 19:06:54 +0100, Orchid XP v8 wrote:
> On 20/08/2011 03:39 PM, Darren New wrote:
>> On 8/20/2011 3:44, Orchid XP v8 wrote:
>>> As if *anybody* dumb enough to work here would realise they could do
>>> that.
>>
>> Uh.... you work there?
>
> And what does that make me?
Employed. :)
I'm about ready to be done with the "not currently employed" status -
it's been a quiet summer, but I'd rather actually be making an income
(been doing a little contract work, but not having health coverage is a
bit of an issue).
Jim
On 2011/08/20 06:15, Stephen wrote:
> On 18/08/2011 4:03 PM, Invisible wrote:
>> You want to password-protect your passwords? That's just crazy. (The
>> idea of a password is that you're supposed to /remember/ it. Which makes
>> it impossible to ever steal.)
>
> Please tell me how to remember passwords for half a dozen systems each
> with two or three clients that force you to change your password
> regularly. Along with accounts for umpteen different company websites
> and personal logons?
>
Some post-it on your monitor ;P
After all, it's pretty common practice almost everywhere...
On 20/08/2011 10:29 PM, Alain wrote:
> Some post-it on your monitor ;P
> After all, it's pretty common practice almost everywhere...
Written in mirror writing? :-)
--
Regards
Stephen
>> Please tell me how to remember passwords for half a dozen systems each
>> with two or three clients that force you to change your password
>> regularly. Along with accounts for umpteen different company websites
>> and personal logons?
>
> Some post-it on your monitor ;P
> After all, it's pretty common practice almost everywhere...
In fairness, this is probably OK for the PC in your house. If
unauthorised people are in your house, you have *way* bigger problems
than passwords...
In an office though, DO NOT DO THIS! >_<
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
On 2011/08/21 06:20, Orchid XP v8 wrote:
>>> Please tell me how to remember passwords for half a dozen systems each
>>> with two or three clients that force you to change your password
>>> regularly. Along with accounts for umpteen different company websites
>>> and personal logons?
>>
>> Some post-it on your monitor ;P
>> After all, it's pretty common practice almost everywhere...
>
> In fairness, this is probably OK for the PC in your house. If
> unauthorised people are in your house, you have *way* bigger problems
> than passwords...
>
> In an office though, DO NOT DO THIS! >_<
>
It's a common sight in many offices, especially when the passwords are
numerous and change often.
They usually read similar to:
Site/account
User name - password
The password can be under the user name.
Some only list the user name and password, or only the password for the
main password the user needs to start his work day. In that latter case,
you only have to look at the office/desk to figure the user name.
I know, it's really no good, but common...